[UNIX] PHPX Multiple Vulnerabilities

From: SecuriTeam (support_at_securiteam.com)
Date: 05/06/04

    To: list@securiteam.com
    Date: 6 May 2004 18:40:25 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      PHPX Multiple Vulnerabilities
    ------------------------------------------------------------------------

    SUMMARY

     <http://www.phpx.org> PHPX is a constantly evolving and changing Content
    Management System (CMS). PHPX is a highly customizable, high-powered
    all-in-one system. It provides content management combined with the power
    of a portal by including modules such as FAQ, polls and forums in the core
    package.

    PHPX is prone to cross-site scripting, path disclosure and arbitrary
    command execution attacks.

    DETAILS

    Vulnerable Systems:
     * PHPX version 3.26 and prior

    Immune Systems:
     * PHPX version 3.3.0

    Cross-site Scripting
    PHPX uses the function checkURI() in includes/functions.inc.php to filter
    dangerous characters from the request URI. The function is not written
    properly and does not adequately sanitize the input it receives. Taking a
    closer look:

    // includes/functions.inc.php (PHPX 3.26), the filter as shipped: it scans
    // the raw, still percent-encoded REQUEST_URI for four literal characters.
    function checkURI(){
        $checkArray = array(">","<","(",")");
        foreach($checkArray as $c){
            // substr_count() only matches the literal byte; "%3C" is not "<"
            if (substr_count($_SERVER["REQUEST_URI"], $c)){
                die("HACK ATTEMPT");
            }
        }
    }

    It is clearly evident that only a few special characters are filtered out,
    and no care is taken over the same characters arriving in a different
    encoding scheme (for example percent-encoded). Examples of such encoded
    URLs are presented below:
    forums.php?forum_id=[VID]&limit=25%3Ciframe%3E
    forums.php?forum_id=[VID]&topic_id=[VID]&limit=15%3Ciframe%3E
    users.php?action=&limit=100%3Ciframe%3E
    users.php?action=view&user_id=[VID]%3E%3Ciframe%3E
    forums.php?action=post&forum_id=[VID]%3E%3Ciframe%3E
    forums.php?action=search&search_id=[VID]&limit=25%3E%3Ciframe%3E
    users.php?action=email&user_id=%3E%3Ciframe%3E
    users.php?action=view&user_id=[VID]%3E%3Ciframe%3E
    forums.php?forum_id=[VID]%3E%3Ciframe%3E
    forums.php?forum_id=[VID]&topic_id=[VID]&limit=%3E%3Ciframe%3E
    forums.php?action=post&forum_id=[VID]&topic_id=[VID]%3E%3Ciframe%3E
    news.php?news_id=[VID]%3E%3Ciframe%3E
    forums.php?forum_id=[VID]&topic_id=[VID]%3E%3Ciframe%3E

    Here [VID] stands for a valid id of the appropriate kind for the function
    being called. Other XSS vectors are possible as well; the list provided is
    by no means complete.

    Path Disclosure
    It is possible for an attacker to learn the full physical path of the PHPX
    installation. This can be accomplished by sending a null or invalid value
    to several instances of the $limit variable.

    For example:
    forums.php?action=search&search_id=[VID]&limit=

    The result is a mysql_fetch_row() error message that reveals the full
    path to the PHPX installation.
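    The following Python port is an added example, not PHPX's or the advisory's own code. It shows why the checkURI() filter above passes the percent-encoded URLs, and it covers both the Cross-site Scripting and the Path Disclosure sections: the assumed replacement validates the decoded $limit parameter against the integer the script expects (which also rejects the empty limit that triggered the mysql_fetch_row() error) and escapes anything echoed back into the page.

```python
import html
import re
from urllib.parse import parse_qs, unquote

# Port of PHPX 3.26's checkURI() (constructed for illustration): it scans the
# raw, still percent-encoded REQUEST_URI for four literal characters only.
BLOCKED = (">", "<", "(", ")")

def phpx_check_uri(request_uri: str) -> bool:
    """True when the original filter would let the request through."""
    return not any(c in request_uri for c in BLOCKED)

def decoded(request_uri: str) -> str:
    """What the browser (and PHP's $_GET) actually see after %XX decoding."""
    return unquote(request_uri)

# Replacement approach (assumed, not PHPX's own code): decode first, then
# validate each parameter against the type the script expects. 'limit' is a
# row count, so anything but a small positive integer is rejected before it
# reaches the SQL layer; that also removes the empty-limit query behind the
# mysql_fetch_row() path-disclosure error.
MAX_LIMIT = 100

def parse_limit(request_uri: str):
    """Return 'limit' as a bounded int, or None when it is unusable."""
    query = request_uri.partition("?")[2]
    values = parse_qs(query, keep_blank_values=True).get("limit", [])
    if len(values) != 1 or not re.fullmatch(r"[1-9][0-9]{0,2}", values[0]):
        return None
    limit = int(values[0])
    return limit if limit <= MAX_LIMIT else None

def render_value(value: str) -> str:
    """Anything echoed back into the page is HTML-escaped on output."""
    return html.escape(value, quote=True)
```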

    Arbitrary Command Execution
    Since administrative actions are validated by neither a session ID nor any
    type of key, all an attacker has to do is send an admin a private message
    or make a malicious post containing the desired command, and the command
    will silently execute when the admin views it.

    Examples:
    /admin/page.php?action=delete&page_id=[VID]
    /admin/news.php?action=delete&news_id=[VID]
    /admin/user.php?action=delete&user_id=[VID]
    /admin/images.php?action=delete&image_id=[VID]
    /admin/page.php?action=deletePoll&poll_id=[VID]
    /admin/forums.php?action=words&subaction=delete&word_id=[VID]
    /admin/forums.php?action=flag&subaction=delete&flag_id=[VID]
    /admin/forums.php?action=xcode&subaction=delete&xcode_id=[VID]

    If any one of these commands were placed in an image tag, an attacker
    could delete users, news items, pages, images, polls, word censors, flags,
    xcode entries and probably more.

    Quoting JeiAr:
    "In the past I have seen phpBB for example deal with the same issue of
    using unsafe GET requests by limiting the bbcode to only allow images with
    a valid extension. However this is a bad idea because it does not solve
    the problem at all, and to this day all phpBB versions are vulnerable to
    having arbitrary posts deleted and more just by visiting a malicious web
    page or link. It is a serious issue and should be treated as such. It
    greatly impacts the security of a web application. Even using the POST
    method without an auth key or the like is a bad idea."

    Vendor Status:
    The lead developer of the project was first informed over a month ago. The
    issues have been addressed, and a new, more secure auth_key scheme has
    been added in order to validate actions. Upgrade to version 3.3.0.
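    As an added illustration of the per-session auth_key approach described above (example code, not PHPX's own; the session class, request parsing and page store are constructed stand-ins), the handler below rejects the bare /admin/ URLs listed under Arbitrary Command Execution and only acts on a request that carries the key issued to the logged-in admin's session:

```python
import hmac
import secrets

# Constructed stand-in for a PHPX admin session: one random auth_key per
# login, stored server-side and embedded in every admin link and form.
class AdminSession:
    def __init__(self):
        self.auth_key = secrets.token_hex(16)

    def admin_link(self, script: str, **params) -> str:
        """Build an admin URL that carries this session's auth_key."""
        params["auth_key"] = self.auth_key
        query = "&".join(f"{k}={v}" for k, v in params.items())
        return f"/admin/{script}?{query}"

def parse_query(url: str) -> dict:
    """Minimal query-string parser for the constructed URLs used here."""
    query = url.partition("?")[2]
    return dict(p.split("=", 1) for p in query.split("&") if "=" in p)

def handle_delete(session: AdminSession, url: str, pages: dict) -> bool:
    """Server-side handler for action=delete; True only if a page was deleted."""
    params = parse_query(url)
    if params.get("action") != "delete":
        return False
    supplied = params.get("auth_key", "")
    # Constant-time compare. A request forged through an <img> tag in a forum
    # post or private message cannot know this value, so it stops here; the
    # same check belongs on POST handlers too, a key is not optional there.
    if not hmac.compare_digest(supplied, session.auth_key):
        return False
    page_id = params.get("page_id")
    if page_id not in pages:
        return False
    del pages[page_id]
    return True
```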

    ADDITIONAL INFORMATION

    The information has been provided by JeiAr
    <mailto:security@gulftech.org>.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.


