[UNIX] Mapbender SQL Injections

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -



Mapbender SQL Injections
------------------------------------------------------------------------


SUMMARY

" <http://www.mapbender.org> Mapbender is the software and portal site for
geodata management of OGC OWS architectures. The software provides web
technology for managing spatial data services implemented in PHP,
JavaScript and XML. It provides a data model and interfaces for
displaying, navigating and querying OGC compliant map services. The
Mapbender framework furthermore provides authentication and authorization
services, OWS proxy functionality, management interfaces for user, group
and service administration in WebGIS projects."

Due to the lack of input validation, an attacker is able to inject
SQL-commands in many PHP scripts of Mapbender.

DETAILS

Vulnerable Systems:
* Mapbender version 2.4.4

Immune Systems:
* Mapbender version 2.4.5 rc1

These vulnerabilities can be exploited regardless of PHP magic quotes. For
demonstration purposes, the injection into the "gaz" variable of the file
http/php/mod_gazetteer_edit.php is shown.

The two relevant lines are:
$sql = "SELECT * FROM gazetteer WHERE gazetteer_id = ".$_REQUEST["gaz"];
$res = db_query($sql);

The user input $_REQUEST["gaz"] goes unfiltered, unquoted and unescaped
into an SQL statement. As no prepared statements are used here, an
attacker can execute arbitrary SQL commands.

There is no need to use quotes in the SQL statement for an attacker, so
PHP magic quotes do not help.

Proof of Concept:
The following request retrieves the first username and password hash from
the Mapbender database.
http://www.example.com/php/mod_gazetteer_edit.php?gaz= 1 LIMIT 0 UNION
(SELECT char(65), char(65), char(65), char(65), char(65), char(65),
mb_user_name, char(65), mb_user_password, char(65) from mb_user
LIMIT 0,1)

Fix:
The vulnerability is fixed in release 2.4.5 rc1.

Security Risk:
As an attacker is able to e.g. get the password hashes of the
administrators and other users, the risk is estimated as high.

CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0301>
CVE-2008-0301

Disclosure Timeline:
2007-12-14 Problem identified during a penetration test
2008-01-09 Customer approves contacting of Mapbender developers
2008-01-17 CVE number assigned
2008-03-10 Vendor releases fixed version
2008-03-11 Advisory released


ADDITIONAL INFORMATION

The information has been provided by
<mailto:release@xxxxxxxxxxxxxxxxxxxxx> RedTeam Pentesting GmbH.
The original article can be found at:
<http://www.redteam-pentesting.de/advisories/rt-sa-2008-002.php>
http://www.redteam-pentesting.de/advisories/rt-sa-2008-002.php



========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

Relevant Pages