ZRCSA-200502 - phpAdsNew SQL Injection Vulnerabilities

From: Siegfried (siegfri3d_at_gmail.com)
Date: 11/11/05

    Date: Fri, 11 Nov 2005 07:45:44 +0100
    To: bugtraq@securityfocus.com
    
    

    ZRCSA-200502 - phpAdsNew SQL Injection Vulnerabilities

    Zone-H Research Center Security Advisory 200502
    http://www.zone-h.fr

    Date of release: 11/11/2005
    Software: phpAdsNew (www.phpadsnew.com)
    Affected versions:
    <= 2.0.6
    2.0.7rc1 (latest CVS snapshot)
    Risk: Medium
    Discovered by: Kevin Fernandez "Siegfried" from the Zone-H Research Team

    Background (from their web site)
    ----------
    phpAdsNew is an open-source ad server, with an integrated banner
    management interface and tracking system for gathering statistics.
    With phpAdsNew you can easily rotate paid banners and your own
    in-house advertisements. You can even integrate banners from third
    party advertising companies.

    Details
    --------
    Toni Koivunen published an advisory yesterday regarding a
    vulnerability exploitable via /admin/logout.php that can be used to
    delete arbitrary data (and maybe more). However, more SQL injections
    are present in this part of the code: none of the functions in
    /admin/lib-sessions.inc.php check the "sessionID" variable coming
    from the cookie. The most interesting one is
    phpAds_SessionDataFetch(), because it is called from config.php and
    runs a simple SELECT query with that value.

    Snip:
    [no previous check]
    if (isset($HTTP_COOKIE_VARS['sessionID']) && $HTTP_COOKIE_VARS['sessionID'] != '')
    {
        $result = phpAds_dbQuery("SELECT sessiondata FROM " . $phpAds_config['tbl_session'] .
                                 " WHERE sessionid='" . $HTTP_COOKIE_VARS['sessionID'] . "'" .
                                 " AND UNIX_TIMESTAMP(NOW())-UNIX_TIMESTAMP(lastused) < 3600"); <-- ouch

    Since /admin/config.php is included in /admin/index.php, we don't need
    to be authenticated to exploit the vulnerability.

    PoC (cookie):
    sessionID=adsds'/**/UNION/**/SELECT admin_pw from phpads_config into
    outfile "/var/www/blah.txt"/*;

    Just "exploit" one of the many errors in the pages to get the path and
    here you go, open /admin/index.php with that as cookie.

    Solution
    ---------
    No patch.

    Filter the variable in the affected functions.
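    As an added illustration of the fix suggested above (this is not phpAdsNew
    code), the following rebuilds the query from the Details section behind a
    whitelist check on the cookie value. It assumes session ids are 32-character
    lowercase hex strings; adjust the pattern to what the application actually
    generates. The function and sample inputs are constructed for this example.

```php
<?php
// Added example, not part of phpAdsNew: whitelist the cookie value before
// it reaches the SQL string built in phpAds_SessionDataFetch().
// Assumption: a valid session id is exactly 32 lowercase hex characters.

function isValidSessionId($value): bool
{
    return is_string($value) && preg_match('/^[0-9a-f]{32}$/', $value) === 1;
}

// Hardened form of the query construction quoted in the advisory. Anything
// that does not match the whitelist is treated like an absent cookie, so no
// unvalidated cookie content is ever interpolated into the query.
function buildSessionQuery(array $cookies, string $sessionTable): ?string
{
    if (!isset($cookies['sessionID']) || !isValidSessionId($cookies['sessionID'])) {
        return null;
    }
    return "SELECT sessiondata FROM " . $sessionTable
         . " WHERE sessionid='" . $cookies['sessionID'] . "'"
         . " AND UNIX_TIMESTAMP(NOW())-UNIX_TIMESTAMP(lastused) < 3600";
}

// Constructed sample inputs: a well-formed id, an id with a quote character,
// and a value shaped like the advisory's PoC cookie.
$samples = [
    'well-formed' => ['sessionID' => str_repeat('ab', 16)],
    'quote'       => ['sessionID' => "abc'def"],
    'poc-shaped'  => ['sessionID' => "adsds'/**/UNION/**/SELECT 1/*"],
];

foreach ($samples as $label => $cookies) {
    $query = buildSessionQuery($cookies, 'phpads_session');
    echo $label . ': ' . ($query === null ? 'rejected' : $query) . PHP_EOL;
}
```

    Whitelisting keeps the application's existing string-built query intact, but
    where the database layer allows it, a prepared statement with the session id
    bound as a parameter is the more robust long-term fix.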

    Original advisories:
    English version: http://www.zone-h.org/en/advisories/read/id=8413/
    French: http://www.zone-h.fr/fr/advisories/read/id=674/

