Chipmailer <= 1.09 Multiple Vulnerabilities
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Advisory: Chipmailer <= 1.09 Multiple Vulnerabilities
Release Date: 2006/06/13
Last Modified: 2006/06/13
Author: Tamriel [tamriel at gmx dot net]
Application: Chipmailer <= 1.09
Risk: Medium
Vendor Status: no patch available
Vendor Site: chipmailer.de
Overview:
Quote from http://chipmailer.de
"Der Chipmailer ist ein Paidmail Script der neuesten Generation,
welches mit Attraktiven Vorteilen winkt. Dieses Script hat sehr
viele Funktionen für Benutzer, Sponsoren sowie für Administratoren."
Details:
1) Cross Site Scripting Vulnerabilities in main.php
(arround line 300-310)
...
$sitename = data("sitename");
$name = $_POST['name'];
$betreff = $_POST['betreff'];
$betreff = "Anfrage bei ".$sitename." über ".$betreff."";
$mail = $_POST['mail'];
$adminmail = data("adminmail");
$text = $_POST['text'];
mail($adminmail, $betreff, $text, "From: $name <$mail>");
...
Nothing will be checked so an attacker can send the
site administrator some shit.
In the complete script you can found this vulnerabilities so i
mention only one example here.
2) SQL Injection Vulnerability in main.php
(arround line 335)
...
$anfang = $_GET['anfang'];
$connect = mysql_query("SELECT head, autor, date, text FROM news
order by id desc LIMIT $anfang, 10");
...
3) Public phpinfo() in php.php
(arround line 2)
<?
phpinfo();
?>
In the php.php file, included in the install files from this script
is just a phpinfo() command used, so attackers can easy collect
information about their victims.
4) SQL Injection Vulnerability in main.php
(arround line 30-140)
...
$name = $_POST['name'];
$pass = md5($_POST['pass']);
$passwdh = md5($_POST['passwdh']);
$mail = $_POST['mail'];
$anrede = $_POST['anrede'];
$vorname = $_POST['vorname'];
$nachname = $_POST['nachname'];
$gebtag = $_POST['gebtag'];
$gebmonat = $_POST['gebmonat'];
$gebjahr = $_POST['gebjahr'];
...
mysql_query("INSERT INTO user ( name, pass, mail, ip, status, register,
anrede, vorname, nachname,
strasse, hausnr, plz, stadt, land, geb, `int1`, `int2`, `int3`, `int4`,
`int5`, `int6`, `int7`,
`int8`, `int9`, `int10`, `int11`, `int12`, `int13`, `int14`, `int15`,
`int16`, `int17`,
`int18`, `int19`, `int20`, `int21`, newsletter, werber, paidmails,
bespaidmails ) VALUES
( '$name', '$pass', '$mail', '$ip', '2', '$date', '$anrede',
'$vorname', '$nachname', '$strasse', '$hausnr',
'$plz', '$stadt', '$land', '$geb', '$int1', '$int2', '$int3', '$int4',
'$int5', '$int6', '$int7',
'$int8', '$int9', '$int10', '$int11', '$int12', '$int13', '$int14',
'$int15', '$int16', '$int17',
'$int18', '$int19', '$int20', '$int21', '$newsletter', '$werber', '0',
'0' )");
...
If magic_quotes_gpc is off, then you can directly inject malicious SQL
code.
The same in (for example):
line 1366-1369
line 1519-1520
line 1768-1769
...
Proof of Concept:
index.php?area=news&anfang=0/*
Note:
It is strongly recommended to update your script by yourself.
Check out some other insecure handlings, like the logout handling with
not overwrites
the existence cookie.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3
iD8DBQFEjyQrqBhP+Twks7oRArnAAKCS99/tPofih3VT5r7rEPS3wcq5oQCfckFN
4uKl2tTrA802OsBlya53Vj8=
=d7Dx
-----END PGP SIGNATURE-----