Bugtraq mailing list archives

Multiple vulnerabilities in phpRank


From: Jedi/Sector One <j () pureftpd org>
Date: Thu, 10 Oct 2002 20:15:00 +0200

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Product : phpRank
Date    : 10/10/2002
Author  : Frank Denis <j () 42-networks com>



------------------------[ Product description ]------------------------


phpRank is a popular set of PHP scripts for easily creating and maintaining
top-lists of web links.

From the official web site (http://www.phpRank.com/):

<<
phpRank Pro is the best way to increase traffic to your web site. What
phpRank does is when someone joins your top list site and they bring you
people from their site it will increase their site on your list out of
whatever amount of people you would like to list, (top 10, 25, 32, 46 or
whatever number you want!).


Freeware versions (which no longer seem to be distributed from the main site)
have also been released, and they are still widely used.


------------------------[ Vulnerabilities ]------------------------


phpRank has multiple vulnerabilities.


 * Cross-site scripting in many places, including the main submit form:

http://example.com/phprank/add.php?page=add&spass=1&name=2&siteurl=3&email=%3Cscript%3Ealert(42)%3C/script%3E

  Injecting JavaScript into the main list is simple, for instance through
the banner URL:

banurl=http://fake.url/%3E%3Cscript%3Ealert(%22Oh%20oh%22)%3C/script%3E

  Anyone can get ranked #1, use a phpRank site to make its visitors
transparently vote for another top-list, etc.


 * Plaintext password storage.

  The administrator's password is stored in plaintext in the source code and
in an HTTP cookie called "ap"; no login even has to be supplied.

  Thanks to the cross-site scripting vulnerabilities above, the admin password
can easily be retrieved.

  phpRank also stores all users' passwords in plaintext in a MySQL database.

  Passwords are also sent in plaintext by email to newly registered users
and to the local administrator.


 * Missing error handling.

  The return value of a MySQL function is never checked. Authentication code:

<<<
$mysql_link = mysql_connect($mysql_host, $mysql_user, $mysql_pass);
$sql = "SELECT spass FROM $mysql_table WHERE id = '$id'";
$result = mysql_db_query($mysql_base, $sql, $mysql_link);
/* if the query failed, $result is false and the loop body never runs,
   so $spass stays unset */
while ($p = mysql_fetch_array($result)) {
   $spass = $p['spass'];
}
/* $upass is the password sent through an HTML form */
if ($spass == $upass) {
   /* reconnect to the mysql database */
   /* user is authenticated */
}


  If the MySQL server is temporarily unavailable, $spass is empty, and
anyone can log in as any user with an empty password.
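The same lookup written to fail closed, as an added example that is not phpRank's own code. It assumes the page's layout (a table with `id` and `spass` columns) but with `spass` holding a password_hash() value instead of the plaintext phpRank stores, and uses PDO so that a database outage raises an exception instead of silently leaving $spass empty:

```php
<?php
declare(strict_types=1);

// Added example, not phpRank code. Assumed table layout: columns `id` and
// `spass`, where `spass` holds a password_hash() value (an assumption;
// phpRank itself stores plaintext).
function authenticate(PDO $db, string $table, string $id, string $upass): bool
{
    // Empty credentials never authenticate, so an empty stored value cannot match.
    if ($id === '' || $upass === '') {
        return false;
    }
    try {
        // $table comes from configuration; $id is bound, never interpolated.
        $stmt = $db->prepare("SELECT spass FROM \"$table\" WHERE id = :id");
        $stmt->execute([':id' => $id]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
    } catch (PDOException $e) {
        // Database unreachable or query failed: deny instead of continuing
        // with an empty $spass as the original code does.
        error_log('auth: database error: ' . $e->getMessage());
        return false;
    }
    if ($row === false || !is_string($row['spass']) || $row['spass'] === '') {
        return false; // unknown id, or no hash on record
    }
    // Salted hash with a constant-time comparison, not == on plaintext.
    return password_verify($upass, $row['spass']);
}

// Self-contained demonstration against an in-memory SQLite database with
// constructed sample data (a real deployment would use the MySQL DSN).
$db = new PDO('sqlite::memory:', null, null,
              [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE phprank (id TEXT PRIMARY KEY, spass TEXT NOT NULL)');
$ins = $db->prepare('INSERT INTO phprank (id, spass) VALUES (?, ?)');
$ins->execute(['1033913918', password_hash('correct horse', PASSWORD_DEFAULT)]);

var_dump(authenticate($db, 'phprank', '1033913918', 'correct horse')); // valid credentials
var_dump(authenticate($db, 'phprank', '1033913918', ''));              // empty password refused
var_dump(authenticate($db, 'phprank', '1033913918', 'wrong'));         // wrong password refused
// Simulate the outage the advisory describes: the query now fails, and
// authentication is denied rather than granted.
$db->exec('DROP TABLE phprank');
var_dump(authenticate($db, 'phprank', '1033913918', 'correct horse'));
```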


 * Trivial generation of unique IDs.

  Every user is assigned a unique ID, which is used as a login.

  That ID is simply the result of a call to the time() function. This makes
quiet cheating (for instance by inserting a self-voting JavaScript in a newly
inserted banner) and brute-force attacks dramatically easier.


 * Missing authentication check.

  The update.php script doesn't check whether the user has supplied a valid
password before updating the database when the "page" HTTP variable is set.

  Anyone can change any entry in the database without authentication,
including passwords.

http://example.com/phprank/update.php?page=update&name=zok&description=zok&siteurl=zok&banurl=zok&bh=42&bw=42&email=zok&spass=zok&id=1033913918


------------------------[ Affected versions ]------------------------


  All these vulnerabilities have been verified on phpRank 1.8.

  The cross-site scripting vulnerabilities have been verified in the
professional version of phpRank. The other vulnerabilities haven't been verified.


------------------------[ Vendor status ]------------------------


  The phpRank author was notified on September 3rd 2002; the mail bounced. A new
mail was sent on 17 Sep 2002 and was successfully delivered. No answer so far,
no new release, and no patch to fix these issues.

-- 
 __  /*-      Frank DENIS (Jedi/Sector One) <j () 42-Networks Com>     -*\  __
 \ '/    <a href="http://www.PureFTPd.Org/";> Secure FTP Server </a>    \' /
  \/  <a href="http://www.Jedi.Claranet.Fr/";> Misc. free software </a>  \/

