
Chipmailer <= 1.09 Multiple Vulnerabilities



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

     Advisory: Chipmailer <= 1.09 Multiple Vulnerabilities
 Release Date: 2006/06/13
Last Modified: 2006/06/13
       Author: Tamriel [tamriel at gmx dot net]
  Application: Chipmailer <= 1.09
         Risk: Medium
Vendor Status: no patch available
  Vendor Site: chipmailer.de


Overview:

   Quote from http://chipmailer.de (translated from German):

   "Chipmailer is a paid-mail script of the latest generation that
   comes with attractive benefits. The script offers a great many
   functions for users, sponsors and administrators."


Details:

   1) Cross Site Scripting Vulnerabilities in main.php
      (around line 300-310)

      ...

      $sitename = data("sitename");
      $name = $_POST['name'];
      $betreff = $_POST['betreff'];
      $betreff = "Anfrage bei ".$sitename." über ".$betreff."";
      $mail = $_POST['mail'];
      $adminmail = data("adminmail");
      $text = $_POST['text'];

      mail($adminmail, $betreff, $text, "From: $name <$mail>");

      ...

      None of the four POST fields is checked, so an attacker can send
      the site administrator arbitrary content. Note that $name and
      $mail are concatenated straight into the From: header and
      $betreff into the subject of the mail() call.

      The same unchecked handling of user input occurs throughout the
      script; only one example is given here.
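      The following is an added example, not code from the advisory or from
      Chipmailer: a Python re-creation of the checks the quoted contact form
      lacks. Since the visible code places $name and $mail in a mail header and
      $betreff in the subject, those fields are rejected if they carry a line
      break or NUL, the address has to look like one, lengths are bounded, and
      every field is HTML-escaped before it could be echoed into a page. Field
      names follow the page; the length limits, the fixed sender address and the
      use of Reply-To for the visitor's address are assumptions of this example.

```python
"""Added example, not code from the Chipmailer advisory or script: validation for
the contact form quoted from main.php, which passes $name, $mail, $betreff and
$text from $_POST straight into mail().  Length limits, the fixed sender address
and the Reply-To design choice are assumptions of this demo."""
import html
import re

# Per-field length limits (assumed values; the page sets none).
MAX_LEN = {"name": 80, "mail": 254, "betreff": 200, "text": 10_000}
HEADER_FIELDS = ("name", "mail", "betreff")          # end up in From:/Subject:
ADDR_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")
CTRL_RE = re.compile(r"[\r\n\x00]")                  # header terminators / NUL


class FormError(ValueError):
    """Raised for any submission that must not reach mail()."""


def clean_contact_form(post: dict) -> dict:
    """Validate the four $_POST fields; returns a copy safe for mail headers."""
    out = {}
    for field, limit in MAX_LEN.items():
        value = post.get(field, "")
        if not isinstance(value, str):
            raise FormError(f"{field}: not a string")
        if len(value) > limit:
            raise FormError(f"{field}: longer than {limit} characters")
        # A CR/LF in a header field would let the sender append headers of
        # their own; the message body ($text) may legitimately contain them.
        if field in HEADER_FIELDS and CTRL_RE.search(value):
            raise FormError(f"{field}: line break or NUL in a header field")
        out[field] = value.strip() if field in HEADER_FIELDS else value
    if not out["name"]:
        raise FormError("name: empty")
    if not ADDR_RE.match(out["mail"]):
        raise FormError("mail: not a plausible address")
    return out


def build_mail(sitename: str, adminmail: str, sender: str, form: dict) -> dict:
    """Mirror of the mail() call in main.php, fed only validated fields.
    Design choice not taken from the page: the message is sent From a fixed
    site address and the visitor's name/address go into Reply-To, so the
    visitor never controls the From: header at all."""
    return {
        "to": adminmail,
        "subject": f"Anfrage bei {sitename} über {form['betreff']}",
        "body": form["text"],
        "headers": {"From": sender, "Reply-To": f"{form['name']} <{form['mail']}>"},
    }


def for_html(form: dict) -> dict:
    """Escape every field for the case where the script echoes it back into HTML."""
    return {k: html.escape(v, quote=True) for k, v in form.items()}


def accepts(post: dict) -> bool:
    """True if the submission passes validation, False if it would be rejected."""
    try:
        clean_contact_form(post)
        return True
    except FormError:
        return False


if __name__ == "__main__":
    # Constructed submissions, not captured traffic.
    good = {"name": "Alice", "mail": "alice@example.com",
            "betreff": "Frage", "text": "Hallo,\nzweite Zeile"}
    print(accepts(good))                                               # True
    print(accepts({**good, "name": "Alice\r\nBcc: victim@example.com"}))  # False
    print(for_html({"name": "<script>alert(1)</script>"})["name"])
```

      The body keeps its line breaks because it is passed as the message
      body, not as a header; everything that ends up on a header line is
      rejected outright rather than "cleaned", so a rejected submission is
      visible in the logs instead of silently altered.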

   2) SQL Injection Vulnerability in main.php
      (around line 335)

      ...

      $anfang = $_GET['anfang'];
      $connect = mysql_query("SELECT head, autor, date, text FROM news
                              order by id desc LIMIT $anfang, 10");

      ...

      $anfang is placed into the LIMIT clause unquoted, so it is
      injectable regardless of the magic_quotes_gpc setting: quote
      escaping never touches a value that is not inside a string
      literal.

   3) Public phpinfo() in php.php
      (around line 2)

      <?
      phpinfo();
      ?>

      The php.php file shipped with the install files of this script
      consists of nothing but a phpinfo() call, so attackers can easily
      collect information (PHP version, configuration, loaded modules,
      paths) about the target installation.

   4) SQL Injection Vulnerability in main.php
      (around line 30-140)
      
      ...

      $name = $_POST['name'];
      $pass = md5($_POST['pass']);
      $passwdh = md5($_POST['passwdh']);
      $mail = $_POST['mail'];

      $anrede = $_POST['anrede'];
      $vorname = $_POST['vorname'];
      $nachname = $_POST['nachname'];

      $gebtag = $_POST['gebtag'];
      $gebmonat = $_POST['gebmonat'];
      $gebjahr = $_POST['gebjahr'];

      ...
      
      mysql_query("INSERT INTO user ( name, pass, mail, ip, status, register,
          anrede, vorname, nachname, strasse, hausnr, plz, stadt, land, geb,
          `int1`, `int2`, `int3`, `int4`, `int5`, `int6`, `int7`, `int8`,
          `int9`, `int10`, `int11`, `int12`, `int13`, `int14`, `int15`,
          `int16`, `int17`, `int18`, `int19`, `int20`, `int21`, newsletter,
          werber, paidmails, bespaidmails ) VALUES
          ( '$name', '$pass', '$mail', '$ip', '2', '$date', '$anrede',
          '$vorname', '$nachname', '$strasse', '$hausnr', '$plz', '$stadt',
          '$land', '$geb', '$int1', '$int2', '$int3', '$int4', '$int5',
          '$int6', '$int7', '$int8', '$int9', '$int10', '$int11', '$int12',
          '$int13', '$int14', '$int15', '$int16', '$int17', '$int18',
          '$int19', '$int20', '$int21', '$newsletter', '$werber', '0', '0' )");

      ...

      If magic_quotes_gpc is off, an attacker can inject SQL directly
      through any of the POST fields that are concatenated into the
      query. With it on, the backslash-escaped quotes stop this
      particular insert because every value sits inside a quoted
      literal; that does nothing for the unquoted LIMIT in item 2.

      The same pattern appears, for example, at:

          line 1366-1369
          line 1519-1520
          line 1768-1769
          ...
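      The following is an added example, not code from the advisory or from
      Chipmailer: a Python/sqlite3 re-creation of the two query-building
      patterns quoted above (the unquoted LIMIT of item 2 and the quoted
      INSERT of item 4). It shows why quote escaping of the magic_quotes_gpc
      kind covers only the quoted insert, and how binding the values fixes
      both. The tables, rows and payloads are constructed for the demo;
      SQLite stands in for MySQL, so the escaping stand-in doubles quotes
      instead of backslashing them and the cut-down user table keeps only
      three of the forty columns.

```python
"""Added example, not code from the Chipmailer advisory or script: a Python/sqlite3
re-creation of the query-building patterns quoted from main.php (items 2 and 4).
Schema, rows and payloads are constructed; SQLite stands in for MySQL."""
import hashlib
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed cut-down schema: the news table from item 2 and three of the
    forty user columns from item 4 (status is the value the script hard-codes to '2')."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE news (id INTEGER PRIMARY KEY, head TEXT, autor TEXT, date TEXT, text TEXT);
        CREATE TABLE user (name TEXT, pass TEXT, status TEXT);
    """)
    con.executemany(
        "INSERT INTO news (head, autor, date, text) VALUES (?, ?, ?, ?)",
        [(f"news {i}", "admin", "2006-06-13", "constructed body") for i in range(1, 16)],
    )
    return con


def escape_quotes(value: str) -> str:
    """Stand-in for what magic_quotes_gpc did to request data before the query was
    built (PHP backslash-escaped quotes for MySQL; SQLite's escape is a doubled
    quote).  Either way it only has an effect inside a quoted string literal."""
    return value.replace("'", "''")


# ---- item 2: $_GET['anfang'] dropped, unquoted, into LIMIT -----------------------
def news_vulnerable(con: sqlite3.Connection, anfang: str) -> list:
    """Same construction as main.php: the raw parameter becomes part of the SQL text."""
    sql = f"SELECT head, autor, date, text FROM news ORDER BY id DESC LIMIT {anfang}, 10"
    return con.execute(sql).fetchall()


def news_fixed(con: sqlite3.Connection, anfang: str) -> list:
    """Validate as a non-negative integer and bind it; no string reaches the SQL text."""
    offset = int(anfang)            # ValueError on "0/*" and any other non-integer
    if offset < 0:
        raise ValueError("offset must be non-negative")
    return con.execute(
        "SELECT head, autor, date, text FROM news ORDER BY id DESC LIMIT ?, 10", (offset,)
    ).fetchall()


# ---- item 4: registration INSERT built from $_POST values ------------------------
# Constructed payload: closes the name literal, supplies its own pass and status,
# and comments out the remainder of the VALUES list that the script appends.
PAYLOAD_NAME = "mallory', 'x', '1') -- "


def register_vulnerable(con: sqlite3.Connection, name: str, password: str) -> None:
    """Same construction as main.php; status is meant to be fixed at '2'."""
    pw = hashlib.md5(password.encode()).hexdigest()     # md5, as in the script
    con.execute(f"INSERT INTO user (name, pass, status) VALUES ('{name}', '{pw}', '2')")


def register_fixed(con: sqlite3.Connection, name: str, password: str) -> None:
    """Bound parameters: the name is stored verbatim, however it looks."""
    pw = hashlib.md5(password.encode()).hexdigest()
    con.execute("INSERT INTO user (name, pass, status) VALUES (?, ?, '2')", (name, pw))


def status_of(con: sqlite3.Connection, name: str):
    row = con.execute("SELECT status FROM user WHERE name = ?", (name,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    con = make_db()
    print(len(news_vulnerable(con, "0")), "rows for anfang=0")              # 10
    print(len(news_vulnerable(con, "0/*")), "rows for anfang=0/*")          # 0, LIMIT cut off
    print(len(news_vulnerable(con, escape_quotes("0/*"))), "rows, escaped")  # still 0
    register_vulnerable(con, PAYLOAD_NAME, "secret")
    print("vulnerable insert, status of mallory:", status_of(con, "mallory"))  # 1, not 2
    register_fixed(con, PAYLOAD_NAME, "secret")
    print("fixed insert, status of the literal name:", status_of(con, PAYLOAD_NAME))  # 2
```

      With SQLite the unterminated /* silently swallows ", 10", so the
      vulnerable news query returns no rows instead of ten; MySQL may
      report a syntax error instead, but in both cases the parameter
      has demonstrably reached the SQL text. Quote escaping leaves
      "0/*" unchanged because the payload contains no quote at all,
      which is why casting or binding the offset, not escaping it, is
      the fix for item 2.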


Proof of Concept:

      index.php?area=news&anfang=0/*

      The /* opens an SQL comment that cuts off the remainder of the
      LIMIT clause from item 2, altering or breaking the query and
      confirming that the parameter reaches the SQL text unfiltered.


Note:

      Since no vendor patch is available, it is strongly recommended to
      patch the script yourself.
      Also review other insecure handling, such as the logout routine,
      which does not overwrite the existing cookie.
 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3

iD8DBQFEjyQrqBhP+Twks7oRArnAAKCS99/tPofih3VT5r7rEPS3wcq5oQCfckFN
4uKl2tTrA802OsBlya53Vj8=
=d7Dx
-----END PGP SIGNATURE-----