Multiple Vulnerabilities In phpWebsite
##########################################################
# GulfTech Security Research August, 31st 2004
##########################################################
# Vendor : phpWebSite Development Team
# URL : http://phpwebsite.appstate.edu/
# Version : phpWebsite 0.9.3-4 And Earlier
# Risk : Multiple Vulnerabilities
##########################################################
Description:
phpWebSite provides a complete web site content management
solution. All client output is valid XHTML 1.0 and meets the
W3C's Web Accessibility Initiative requirements. Currently
features: announcement posting, form generator, user
management with granulated administration, calendar, poll,
faq, photoalbum, bulletin board, rss feeds, user
customizable theme support and more. It is one of the most
popular content managment systems in the world.
SQL Injection:
The calendar module of phpWebsite allows users to submit
their own events to the calendar. Upon approval by an admin
(or in some cases the admin doesn't need to approve it, but
this is not a default setting) certain data that was earlier
supplied by the user earlier is then entered into the
database. It could be possible for an attacker to insert
malicious statements via the "cal_template" field and then
influence the UPDATE query when it is executed. By default
I believe the calendar module allows anyone to submit a new
event for approval.
Cross Site Scripting:
The phpWebsite developers have done a good job of filtering
get requests that are passed to the application. However I
have found one place for a Cross Site Scripting attack to
take place, and that is the comments module.
/index.php?module=comments&CM_op=replyToComment&CM_pid=1[XSS]
The above url will render the specified code in the browsers
of both guest users, and logged in users.
Script Injection:
When sending users private messages via the notes module it
is possible to input script or html etc into both the subject
and the message fields of the note. When a user visits their
notes module, or reads the note, the code will then be executed.
This can be very dangerous and used to force command execution.
Forced Command Execution:
phpWebsite's only major flaw I have seen is the VERY unsafe use
of the get method (RFC 2616 9.1.1) The lack of an auth check
before executing key functions is not good either. The code and
the overall app is very nice, but this one issue allows for a
user to gain admin privileges and much more. Let's say a malicious
user would like to become admin of a phpWebsite, or perform some
admin functions such as delete a user they are not very fond of
such as the site admin :P This is all very much possible, easy
to do, and not very noisy at all. What we need to do is find a
way to force an admin, or user to perform a get request to the
desired command so that is executed by them. Well, with the XSS
and Script Injection vulns I mentioned earlier this becomes a
VERY easy task. An attacker could use the previously mentioned
vulns and send the malicious request in an image, iframe or any
other appropriate tags and have them executed via the private
message injection vuln, or the comments module xss issue. The
stuff I just mentioned all makes get requests, but it is easy
to force a user to make post requests too. This can be done via
a bit of javascript that automatically submits the form, and the
private message feature which allows javascript to be sent. Now
here are some examples of the vulns.
/index.php?module=users&user_op=user_deify&deification=bestow&user_id=4
/index.php?module=users&user_op=turnOnAdmin&user_id=4
/index.php?module=users&user_op=deleteUser&confirm=yes&user_id=2
This sent to an admin in a pm will set the attacker to the deity
level, make the attacker an admin, and then delete the admin
from their own website. This example has the attacker as the user
id number 4 and the admin as number 2. of course these will have
to be changed in most cases to work. Now just send the following
data in [img] tags, or a html img tag to the desired administrator
and then log in to your new super user account.
This issue affects almost all if not all of the components on the
phpWebsite so I am not going to include an example of every little
place that this issue is present, but I will include examples of
the more popular components such as the phpWebsite message board
phpwsbb. This example will delete a desired forum, and then ban
a specified user's (an admin maybe?) name and ip address.
/index.php?module=phpwsbb&PHPWSBB_MAN_OP=banusername&PHPWS_MAN_ITEMS[]=jeiar
/index.php?module=phpwsbb&PHPWSBB_MAN_OP=banip&PHPWS_MAN_ITEMS[]=127.0.0.1
/index.php?module=phpwsbb&PHPWSBB_MAN_OP=deleteforum&PHPWS_MAN_ITEMS[]=1&opt
ion_yes=yes
Just put those url's inside of an [img] tag or an html image tag
and the commands will likely be executed successfully. This also
works for the deletion of posts, and just about anything else too.
Solution:
I would like to thank Matthew McNaney and the rest of the dev
team for a prompt response and professional attitude. These guys
care very much about the security of their product, and the well
being of the users.
http://www.phpwebsite.appstate.edu/index.php?module=announce&ANN_user_op=vie
w&ANN_id=822
The updated security patches can be downloaded at the above link.
The RFC 2616 security issues will be addressed in the next release
of phpWebsite due out at the end of the year. The next release will
address these issues by requiring a valid authentication key for
actions taken. It should be a great improvement and I believe it
will help make phpWebsite one of the most secure open source
content management systems around.
Related Info:
The original advisory can be found at the following location
http://www.gulftech.org/?node=research&article_id=00048-08312004
Credits:
James Bercegay of the GulfTech Security Research Team