Milkeyway Input Validation Bugs Permit SQL Injection and Cross-Site Scripting Attacks
SecurityTracker Alert ID: 1015778|
SecurityTracker URL: http://securitytracker.com/id/1015778
(Links to External Site)
Date: Mar 16 2006
Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network|
Version(s): 0.1, 0.1.1|
Several vulnerabilities were reported in Milkeyway. A remote user can inject SQL commands. A remote user can conduct cross-site scripting attacks.|
Many of the scripts do not properly validate user-supplied input. A remote user can supply a specially crafted parameter value to execute SQL commands on the underlying database.
The authuser.php, authgroup.php, chgpwd.php, logout.php, traffic.php, and userstatistics.php scripts are affected. Other scripts may also be affected.
Several scripts do not properly filter HTML code from user-supplied input before displaying the input. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the Milkeyway software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
The authuser.php and userstatistics.php scripts are affected.
The vendor was notified on March 16, 2006.
Francesco "aScii" Ongaro discovered this vulnerability.
The original advisory is available at:
A remote user can execute SQL commands on the underlying database.|
A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the Milkeyway software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
No solution was available at the time of this entry.|
Vendor URL: sourceforge.net/projects/milkeyway (Links to External Site)
Input validation error|
|Underlying OS: Linux (Any), UNIX (Any), Windows (Any)|
Source Message Contents
Subject: [Full-disclosure] Milkeyway Multiple Vulnerabilities|
Milkeyway Captive Portal Multiple Vulnerabilities
Name Multiple Vulnerabilities in Milkeyway Captive Portal
Systems Affected WebCalendar (any version, verified on 0.1 and 0.1.1)
Severity Medium Risk
Author Francesco "aScii" Ongaro (ascii at katamail . com)
Milkeyway is a software for the management and administration of
internet access within public structures and frameworks, where
the service supplying must be submitted to a scrupulous inspection.
Nearly all SQL queries are vulnerable to SQL injection vulnerabilities.
There are also some XSS vulnerabilities.
Since there are 28 detected different vulnerabilities only an
abstract will be included in this mail, please refer to the complete
advisory aviable here:
1) LOGIN PAGE authenticate() SQL INJECTION
2) add_userIp() SQL INJECTION
3) updateTimeStamp() SQL INJECTION
4) authuser.php USER DELETE SQL INJECTION
5) delete_user() SQL INJECTION
6) authuser.php MODIFY USER modify_user() SQL INJECTION
7) authuser.php MULTIPLE XSS
8) authuser.php EDIT SQL INJECTION
9) authuser.php RELEASE USER SQL INJECTION
10) releaseUser() SQL INJECTION
11) authuser.php ORDERING SQL INJECTION
12) authgroup.php ADD GROUP SQL INJECTION
13) add_team() SQL INJECTION
14) authgroup.php DELETE GROUP SQL INJECTION
15) delete_team() SQL INJECTION
16) authgroup.php MODIFY TEAM SQL INJECTION
17) modify_team() SQL INJECTION
18) traffic.php MULTIPLE SQL INJECTION
19) userstatistics.php ADD USER SQL INJECTION
20) userstatistics.php DELETE USER SQL INJECTION
21) userstatistics.php MODIFY USER SQL INJECTION
22) userstatistics.php EDIT USER SQL INJECTION
23) userstatistics.php MULTIPLE XSS
24) userstatistics.php $_GET['username'] SQL INJECTION 1
25) userstatistics.php $_GET['username'] SQL INJECTION 2
26) chgpwd.php SQL INJECTION 1
27) chgpwd.php SQL INJECTION 2
28) logout.php SQL INJECTION
Milkeyway 0.1 and 0.1.1 are vulnerable.
Input validation will fix the vulnerability.
Magic quotes ON will protect you against most of these injections
except chapter 11 (authuser.php ORDERING SQL INJECTION) where the
input has no single or double quotes around, making magic quotes
11) SQL is injectable by $_GET['filter']
---------------- in authuser.php -----------------
$orderingFilter = $_GET['filter'];
if ($orderingFilter == '') $orderBy ="order by uname ASC" ;
else $orderBy ="order by ".$orderingFilter." ".$direction;
$result = mysql_query("SELECT * FROM authuser ".$orderBy );
VI. VENDOR RESPONSE
Vendor has been contacted.
VII. CVE INFORMATION
No CVE at this time.
VIII. DISCLOSURE TIMELINE
20060301 Bug discovered
20060316 Vendor contacted
20060316 Advisory released
ascii is credited with the discovery of this vulnerability.
X. LEGAL NOTICES
Copyright (c) 2005 Francesco "aScii" Ongaro
Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without mine express
written consent. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email me for permission.
Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/
Go to the Top of This SecurityTracker Archive Page