SecurityTracker.com

SecurityTracker Archives

Category:   Application (Generic)  >   Care 2002
Vendors:   Latorilla, Elpidio
Care 2002 Medical Application Input Validation Holes Let Remote Users View Files on the System and Execute SQL Commands
SecurityTracker Alert ID:  1004763
SecurityTracker URL:  http://securitytracker.com/id/1004763
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jul 13 2002
Impact:   Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 1.0.01 and prior versions
Description:   Input validation vulnerabilities were reported in the Care 2002 medical information system application. A remote user can view arbitrary files on the system with the privileges of the web server and can inject SQL commands to be executed on the underlying SQL database.

It is reported that portions of the software use include statements based on user-supplied variables. If 'register_globals' is on and 'magic_quotes_gpc' is off, a remote user can view any file on the system with the privileges of the web server.

A demonstration exploit example is provided:

foobar.php?input=../../../etc/passwd%00

It is also reported that the software does not properly filter user-supplied data that is passed to the SQL server. A remote user can insert control characters into certain data parameters to cause arbitrary SQL statements to be executed. According to the report, this can be exploited when 'magic_quotes_gpc' is turned off.

Impact:   A remote user can read files on the system that are readable by the web server. A remote user can execute arbitrary SQL commands on the database server.
Solution:   No solution was available at the time of this entry. However, it is reported that the authors plan to release a fixed version (1.0.02), to be available at:

http://www.care2x.com/

Vendor URL:  www.care2x.com/modul.php?thispage=headlines&m_titel=NEWS&m_item=Headlines&lang=en
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


Source Message Contents

Subject:  Several problems in CARE 2002


Several problems in CARE 2002
-------------------------------------

# What is CARE 2002?
CARE 2002 is a free software package for hospitals. It's based on php +
mysql. For further information visit <http://www.care2x.com/>.


#### include + NULL problem  ####
# Problem description 
There are several include statements which use variables passed by
the user. So if register_globals is on and magic_quotes_gpc is off you
are able to read any file on the webserver:
./main/cafenews.php:
[...]
include("../language/".$lang."/lang_".$lang."_newsdummy.php");
[...]

If $lang contains NULL (aka \0 or %00) the include statement ignores
everything after the NULL and includes the file.
Here's some metacode explaining the behavior:

foobar.php looks like this:
<?php
include("../".$input."blubb");
?>

Calling the file with the following parameter:
foobar.php?input=bla%00bla

results in (with magic_quotes_gpc enabled):
<br />
<b>Warning</b>:  Failed opening '../bla\0blablubb' for inclusion
(include_path='.:/usr/local/lib/php') in <b>/home/user/public_html/foobar.php</b> on line <b>2</b><br />

This doesn't seem to be exploitable, but what happens if magic_quotes_gpc
is turned off (like in php.ini-recommended, for performance reasons, without
pointing to THIS kind of problem)?:
<br />
<b>Warning</b>:  Failed opening '../bla' for inclusion
(include_path='.:/usr/local/lib/php') in <b>/home/user/public_html/foobar.php</b> on line <b>2</b><br />

Huh?! Did you get it? Everything after NULL (%00) is ignored!
So what can we do now? We can take a look at the available users:
foobar.php?input=../../../etc/passwd%00

Voila...
You can open every file you want. Ok, not every file. It has to be
readable by the http-user, like wwwrun or www.

# And the solution? 
One can test if a file exists with the function file_exists(). This
function doesn't ignore the characters after NULL.
On the other hand, one could try to avoid using user data to open a file.

In CARE 2002 and other web apps, you are often faced with this kind of
problem while handling language or theme files.

# Fix?
The authors will release a new version (1.0.0.2) at
<http://www.care2x.com/>.
The best way for an admin is to enable magic_quotes_gpc and/or other
security-related options in PHP. For further information take a look at:
<http://php.net/security>.
Other options, like enable_safe_mode or open_base_dir, help you too, to
keep your server private if you can't trust the executed PHP code.

#### missing addslashes() ####

# Problem description
None of the data passed (there are just a few exceptions) to the mysqld
is checked for control characters like ', " et al.
So one is able to submit injected SQL queries.
The problem exists when magic_quotes_gpc is turned off.

For further information about dangerous SQL queries
see:
* <http://www.php.net/manual/en/security.database.php#security.database.sql-injection>
* <http://www.google.com/search?q=sql+injection+problem>

# And the solution?
One can use addslashes() for _every_ piece of data a user enters that is
submitted to the database.
Lazy people hope that magic_quotes_gpc is enabled. Never expect that an
admin configured a web server correctly; try to start the security at
the application level.

# Fix?
Within the new release, the author fixed the problems.
Turn magic_quotes_gpc on!


##### Credits #####
Thanks skyp, for proofreading the text.
For the German-speaking folks: <http://bluephod.net/>
Sorry for the broken lines, I hate webmailers :).

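As an added illustration (not code from the advisory, from SecurityTracker, or from Care 2002 itself): the include pattern quoted from cafenews.php beside a hardened version that follows the report's own advice (keep user data out of the path, confirm the file with realpath/file_exists) and goes one step further with a fixed allow-list, plus a parameterised query in place of the report's addslashes() fix. The ../language/<lang>/ layout, the language list and the news table are assumptions.

```php
<?php
// Added example, not Care 2002 code. Assumes the ../language/<lang>/
// layout quoted in the advisory and a small set of installed languages.

// Vulnerable shape: the request variable flows straight into the path.
// With register_globals on and magic_quotes_gpc off, a value such as
// "../../../etc/passwd%00" reaches include() unchanged, and on the PHP
// versions of the time the null byte truncated the rest of the path.
function vulnerable_language_file(string $lang): string
{
    return "../language/" . $lang . "/lang_" . $lang . "_newsdummy.php";
}

// Hardened shape: never build a path from raw input. Only values from a
// fixed allow-list are accepted, so "..", "/" and "\0" cannot appear.
const ALLOWED_LANGS = ['en', 'de', 'fr'];   // assumed installed languages

function safe_language_file(string $lang): ?string
{
    if (!in_array($lang, ALLOWED_LANGS, true)) {
        return null;                         // reject rather than guess
    }
    $base = realpath(__DIR__ . '/../language');
    if ($base === false) {
        return null;                         // language directory missing
    }
    $file = $base . '/' . $lang . '/lang_' . $lang . '_newsdummy.php';
    // Belt and braces, as the report suggests: file_exists()/realpath()
    // do not stop at a null byte, and the resolved path must stay inside
    // the language directory.
    $real = realpath($file);
    if ($real === false || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}

// SQL side: the report recommends addslashes() on every submitted value.
// A prepared statement separates data from the query text, so the result
// no longer depends on whether magic_quotes_gpc is on. Table name assumed.
function find_news(PDO $db, string $title): array
{
    $stmt = $db->prepare('SELECT id, title FROM news WHERE title = :t');
    $stmt->execute([':t' => $title]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}
```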

