Category:   Application (Generic)  >   Chipmailer
Vendors:   chipmailer.de
Chipmailer Input Validation Hole Permits Cross-Site Scripting Attacks and Lets Remote Users Inject SQL Commands
SecurityTracker Alert ID:  1016315
SecurityTracker URL:  http://securitytracker.com/id/1016315
CVE Reference:   CVE-2006-3110, CVE-2006-3111, CVE-2006-3112
Updated:  Oct 13 2008
Original Entry Date:  Jun 15 2006
Impact:   Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
Exploit Included:  Yes  
Version(s): 1.09 and prior versions
Description:   A vulnerability was reported in Chipmailer. A remote user can conduct cross-site scripting attacks. A remote user can inject SQL commands.

Several scripts do not properly filter HTML code from user-supplied input before displaying the input. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the Chipmailer software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

A remote user can also supply a specially crafted parameter value to execute SQL commands on the underlying database.

Several parameters in 'main.php' are affected by the cross-site scripting and SQL injection vulnerabilities.

A remote user can invoke 'php.php' to obtain information about the system configuration (because the script calls the phpinfo() function).

Tamriel [tamriel at gmx dot net] reported this vulnerability.

Impact:   A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the Chipmailer software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

A remote user can execute SQL commands on the underlying database.

Solution:   No solution was available at the time of this entry.
Vendor URL:  www.chipmailer.de/
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  Chipmailer <= 1.09 Multiple Vulnerabilities


     Advisory: Chipmailer <= 1.09 Multiple Vulnerabilities
 Release Date: 2006/06/13
Last Modified: 2006/06/13
       Author: Tamriel [tamriel at gmx dot net]
  Application: Chipmailer <= 1.09
         Risk: Medium
Vendor Status: no patch available
  Vendor Site: chipmailer.de



Overview:

   Quote from http://chipmailer.de

   "The Chipmailer is a paid-mail script of the newest generation,
   which comes with attractive advantages. This script has very



Details:

   1) Cross Site Scripting Vulnerabilities in main.php
      (around line 300-310)

      ...
      $sitename = data("sitename");
      $name = $_POST['name'];
      $betreff = $_POST['betreff'];
      $mail = $_POST['mail'];
      $adminmail = data("adminmail");
      $text = $_POST['text'];

      // the raw POST values go straight into the mail and into the page
      mail($adminmail, $betreff, $text, "From: $name <$mail>");
      ...

      Nothing is checked, so an attacker can send the site administrator
      some shit.

      In the complete script you can find these vulnerabilities, so I
      mention only one example here.


   2) SQL Injection Vulnerability in main.php
      (around line 335)

      ...
      // $anfang is placed unescaped into the LIMIT clause
      $anfang = $_GET['anfang'];
      $connect = mysql_query("SELECT head, autor, date, text FROM news
      order by id desc LIMIT $anfang, 10");
      ...


   3) Public phpinfo() in php.php
      (around line 2)

      <?
      phpinfo();
      ?>

      The php.php file, included in the install files of this script,
      contains just a phpinfo() call, so attackers can easily collect
      information about their victims.


   4) SQL Injection Vulnerability in main.php
      (around line 30-140)

      ...
      $name = $_POST['name'];
      $pass = md5($_POST['pass']);
      $passwdh = md5($_POST['passwdh']);
      $mail = $_POST['mail'];
      $anrede = $_POST['anrede'];
      $vorname = $_POST['vorname'];
      $nachname = $_POST['nachname'];
      $gebtag = $_POST['gebtag'];
      $gebmonat = $_POST['gebmonat'];
      $gebjahr = $_POST['gebjahr'];
      ...

      // every POST value above is interpolated unescaped into the INSERT
      mysql_query("INSERT INTO user ( name, pass, mail, ip, status, register, anrede, vorname, nachname,
      strasse, hausnr, plz, stadt, land, geb, `int1`, `int2`, `int3`, `int4`, `int5`, `int6`, `int7`,
      `int8`, `int9`, `int10`, `int11`, `int12`, `int13`, `int14`, `int15`, `int16`, `int17`,
      `int18`, `int19`, `int20`, `int21`, newsletter, werber, paidmails, bespaidmails ) VALUES
      ( '$name', '$pass', '$mail', '$ip', '2', '$date', '$anrede', '$vorname', '$nachname', '$strasse', '$hausnr',
      '$plz', '$stadt', '$land', '$geb', '$int1', '$int2', '$int3', '$int4', '$int5', '$int6', '$int7',
      '$int8', '$int9', '$int10', '$int11', '$int12', '$int13', '$int14', '$int15', '$int16', '$int17',
      '$int18', '$int19', '$int20', '$int21', '$newsletter', '$werber', '0', '0' )");
      ...

      If magic_quotes_gpc is off, then you can directly inject malicious SQL code.


      The same in (for example):

          line 1366-1369
          line 1519-1520
          line 1768-1769
          ...



Proof of Concept:

      index.php?area=news&anfang=0/*



Note:

      It is strongly recommended that you update the script yourself.
      Check out some other insecure handling, like the logout handling,
      which does not overwrite the existing cookie.

 

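As an added example (not code from the advisory or from Chipmailer), this is a hardened replacement for the contact-form fragment quoted in section 1 of the advisory: each POST field is validated before it reaches mail() and escaped before it is reflected into the page. Field names are the advisory's; $adminmail stands in for the value Chipmailer reads with data("adminmail"), and the length limits are assumptions.

```php
<?php
// Added example, not Chipmailer's code: a hardened replacement for the
// contact-form fragment of main.php quoted in section 1. The original
// passes $_POST['name'], ['betreff'], ['mail'] and ['text'] unchecked to
// mail() and back into the page; here each field is validated first and
// escaped on output. Field names are the advisory's; $adminmail stands in
// for the value Chipmailer reads with data("adminmail").
declare(strict_types=1);

// A value that ends up in a mail header must be one line without control
// characters; anything else is rejected rather than cleaned.
function single_line(string $s, int $max): ?string
{
    $s = trim($s);
    if ($s === '' || strlen($s) > $max || preg_match('/[\x00-\x1F\x7F]/', $s)) {
        return null;
    }
    return $s;
}

// Returns ['errors' => [...], 'fields' => [...]]; fields are filled only when
// every check passed, so callers cannot act on half-validated input.
function validate_contact(array $post): array
{
    $name    = single_line((string)($post['name'] ?? ''), 80);
    $betreff = single_line((string)($post['betreff'] ?? ''), 120);
    $mail    = filter_var(trim((string)($post['mail'] ?? '')), FILTER_VALIDATE_EMAIL);
    $text    = trim((string)($post['text'] ?? ''));

    $errors = [];
    if ($name === null)    { $errors[] = 'name'; }
    if ($betreff === null) { $errors[] = 'betreff'; }
    if ($mail === false)   { $errors[] = 'mail'; }
    if ($text === '' || strlen($text) > 5000) { $errors[] = 'text'; }

    return $errors ? ['errors' => $errors, 'fields' => []]
                   : ['errors' => [], 'fields' => compact('name', 'betreff', 'mail', 'text')];
}

$adminmail = 'admin@example.invalid';   // placeholder for data("adminmail")
$result = validate_contact($_POST);

if ($result['errors']) {
    echo 'Please correct: ' . implode(', ', $result['errors']);
} else {
    $f = $result['fields'];
    mail($adminmail, $f['betreff'], $f['text'], "From: {$f['name']} <{$f['mail']}>");
    // Anything reflected into HTML is escaped; this is the XSS fix itself.
    echo 'Thanks, ' . htmlspecialchars($f['name'], ENT_QUOTES, 'UTF-8') . '!';
}
```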

 
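The two SQL injection points (sections 2 and 4) share one fix, shown here as an added example that is not Chipmailer's code: the news-paging query and the registration INSERT rewritten with mysqli prepared statements, so that $anfang and the registration fields can no longer alter the SQL. Table, column and field names are the advisory's; the INSERT is shortened to a few of the original columns, and the connection values are placeholders.

```php
<?php
// Added example, not Chipmailer's code: the news-paging query of section 2
// and the registration INSERT of section 4 rewritten with mysqli prepared
// statements. Table, column and field names are the advisory's; the INSERT
// keeps only a few of the original columns; connection values are placeholders.
declare(strict_types=1);

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$db = new mysqli('localhost', 'chipmailer', 'db-password-placeholder', 'chipmailer');
$db->set_charset('utf8mb4');

// Section 2: "anfang" is a row offset and therefore always an integer. The
// int cast alone already defeats "anfang=0/*" from the proof of concept;
// binding it as a parameter keeps the statement text fixed for any value.
function news_page(mysqli $db, $anfang, int $per_page = 10): array
{
    $offset = max(0, (int)$anfang);
    $stmt = $db->prepare('SELECT head, autor, date, text FROM news ORDER BY id DESC LIMIT ?, ?');
    $stmt->bind_param('ii', $offset, $per_page);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// Section 4: every user-supplied value is a bound parameter, so quoting is
// the driver's job and the magic_quotes_gpc setting no longer matters.
function register_user(mysqli $db, array $post, string $ip, string $date): int
{
    $name = trim((string)($post['name'] ?? ''));
    $mail = filter_var(trim((string)($post['mail'] ?? '')), FILTER_VALIDATE_EMAIL);
    if ($name === '' || strlen($name) > 50 || $mail === false) {
        throw new InvalidArgumentException('invalid name or mail');
    }
    // The original stores md5($_POST['pass']); password_hash() is used instead.
    $pass     = password_hash((string)($post['pass'] ?? ''), PASSWORD_DEFAULT);
    $vorname  = trim((string)($post['vorname'] ?? ''));
    $nachname = trim((string)($post['nachname'] ?? ''));

    $stmt = $db->prepare(
        'INSERT INTO user (name, pass, mail, ip, status, register, vorname, nachname)'
        . ' VALUES (?, ?, ?, ?, 2, ?, ?, ?)'
    );
    $stmt->bind_param('sssssss', $name, $pass, $mail, $ip, $date, $vorname, $nachname);
    $stmt->execute();
    return (int)$db->insert_id;
}

// Constructed request: the proof-of-concept value now just yields offset 0.
$rows = news_page($db, $_GET['anfang'] ?? '0/*');
```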
 

