Full Disclosure mailing list archives
VWar 1.6.1 R2 Multiple Remote Vulnerabilities
From: Darren McDonald <athena () dmcdonald net>
Date: Sun, 22 Aug 2010 17:25:27 +0100
Back in April 2008 I found a bunch of vulnerabilities in a PHP clan management system; however, the project had just changed hands. Since then the new project leader has been assuring me that a new secure release which fixed all the found issues was just around the corner. Over two years later I remember I'm still hanging on to these issues, so I think it is time to release them, patch or not. The SQL injection issue was released on http://www.securityfocus.com/bid/29001 back in May 2008, as the project reverted to an older version which was not vulnerable to this issue. Here is the original list of findings.

Best,
Renski

A copy of this document can be found at dmcdonald.net/vwar.txt

1. SQL Injection

1.1 Summary

An SQL injection vulnerability has been discovered in the article rating system in http://mydomain.com/vwar/article.php. This issue could be used by an attacker to deface articles, deny service to other users (DoS), and cause other SQL-injection-related problems.

1.2 Technical Details

The bug itself is in vwar/article.php, line 44. The value of $GPC["ratearticleselect"] is only checked with a loose "<= 6" comparison, which a string such as "5, ..." passes because PHP converts it to the number 5, and it is then concatenated straight into the UPDATE statement:

    39 if (is_numeric($GPC["rate"])){
    40   if ($GPC["ratearticleselect"] && $GPC["ratearticleselect"] <= 6){
    41
    42     $vwardb->query("UPDATE vwar".$n."_article
    43                     SET
    44                     articleratingpoints = articleratingpoints+".$GPC["ratearticleselect"].",
    45                     articlerated = articlerated+1
    46                     WHERE articleid = '".$GPC["rate"]."'");
    47
    48     $redirecturl = "article.php?articleid=".$GPC["rate"];
    49     include ($vwar_root . "includes/get_header.php");
    50     eval("\$vwartpl->output(\"".$vwartpl->get("message_confirmation")."\");");
    51     include ($vwar_root . "includes/get_footer.php");
    52     exit();
    53   } else {
    54   ...
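A hardened version of the rating update above, added here as an example; it is not VWar code and not part of the original advisory. It assumes a PDO connection ($pdo), keeps VWar's "vwar{$n}_article" table naming by passing the prefix in, and assumes a 1 to 5 star scale for the upper bound (the original accepts anything that compares <= 6). Both user-controlled values are validated as integers and bound as parameters instead of being concatenated into the query:

```php
<?php
// Added example, not VWar code: the article-rating update from article.php,
// rewritten with a prepared statement and strict input validation.
// Assumptions: a PDO connection $pdo; VWar's "vwar{$n}_article" table naming
// passed in as $tablePrefix; a 1-5 star scale for the rating value.

function rateArticle(PDO $pdo, string $tablePrefix, array $gpc): bool
{
    // Both inputs must be plain integers. FILTER_VALIDATE_INT rejects strings
    // such as "5, article = ..." that the original's loose "<= 6" check accepts.
    $articleId = filter_var($gpc['rate'] ?? '', FILTER_VALIDATE_INT,
                            ['options' => ['min_range' => 1]]);
    $points    = filter_var($gpc['ratearticleselect'] ?? '', FILTER_VALIDATE_INT,
                            ['options' => ['min_range' => 1, 'max_range' => 5]]);
    if ($articleId === false || $points === false) {
        return false;   // invalid request: the caller shows its normal error page
    }

    // A table name cannot be a bound parameter, so the prefix is restricted to
    // a safe character set; every user-controlled value is bound instead.
    if (!preg_match('/^[A-Za-z0-9_]+$/', $tablePrefix)) {
        throw new InvalidArgumentException('unexpected table prefix');
    }

    $stmt = $pdo->prepare(
        "UPDATE {$tablePrefix}_article
            SET articleratingpoints = articleratingpoints + :points,
                articlerated        = articlerated + 1
          WHERE articleid = :id"
    );
    $stmt->bindValue(':points', $points, PDO::PARAM_INT);
    $stmt->bindValue(':id', $articleId, PDO::PARAM_INT);
    $stmt->execute();

    // Exactly one row should change; anything else means the id did not exist.
    return $stmt->rowCount() === 1;
}

// Usage in place of the original block (assumes $pdo, $n and $GPC as in VWar):
// if (rateArticle($pdo, "vwar{$n}", $GPC)) {
//     $redirecturl = "article.php?articleid=" . (int) $GPC["rate"];
//     ...
// }
```

Because the increment is now bounded to a small integer, the memory-exhaustion variant (a huge value for ratearticleselect) is closed by the same change.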
A proof of concept can be seen in the following POST request, which results in the main body of the article being replaced with the text 'NGS TEST':

    POST /vwar/article.php?rate=1 HTTP/1.1
    Host: mydomain.com
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.8.1.13) Gecko/20080311 Firefox/2.0.0.13
    Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
    Accept-Language: en-gb,en;q=0.5
    Accept-Encoding: gzip,deflate
    Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
    Keep-Alive: 300
    Proxy-Connection: keep-alive
    Referer: http://mydomain.com/vwar/article.php?articleid=1
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 64

    ratearticleselect=5, article = char(78,71,83,32,84,69,83,84)

It is also possible to cause VWar to run out of memory when attempting to display the article by setting ratearticleselect to a high enough value, for example:

    ratearticleselect=5%2b999999

When the article in question is requested by a user, VWar will run out of memory attempting to generate HTML containing vast numbers of IMG tags to display the star rating.

1.3 Workaround

There is no known workaround for this issue.

2. Stored Cross Site Scripting (XSS)

2.1 Summary

Five entry points for stored XSS have been found in the following locations:

    http://mydomain.com/vwar/challenge.php
    http://mydomain.com/vwar/joinus.php
    http://mydomain.com/vwar/admin/admin.php?action=finishwar&warid=1
    http://mydomain.com/vwar/profile.php

However, there are likely to be more, as VWar uses a common set of text parsers to protect against XSS and SQL code injection. This issue can be used to attack other users of the VWar system, including the administrators, as data entered on these forms is often sent for administrator approval. The results can include session hijacking, which would allow an attacker to gain admin access.
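Finding 2 concerns free-text fields where VWar's parser removes <script> tags but leaves an <IMG> element with an event-handler attribute alone. The following PHP is added here as an example and is not VWar code: it contrasts a <script>-only blacklist with output encoding on the advisory's own proof-of-concept string, and adds a simple detection check for stored values. Function names are my own:

```php
<?php
// Added example, not VWar code. Contrasts a tag blacklist of the kind finding 2
// describes with output encoding, and shows a detection check for stored text.

// A filter in the style the advisory describes: it strips <script> elements and
// nothing else. Shown only to demonstrate why that approach is insufficient.
function stripScriptTagsOnly(string $html): string
{
    return preg_replace('#<script\b[^>]*>.*?</script>#is', '', $html) ?? '';
}

// Hardened display path: store the raw text, encode on output. ENT_QUOTES
// covers both quote styles so the value is also safe inside quoted attributes;
// ENT_SUBSTITUTE replaces invalid byte sequences instead of returning ''.
function escapeForHtml(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Detection check for already-stored values: a tag carrying an on* event
// handler attribute has no legitimate use in a clan "additional information"
// or "nick" field, so flagging it is a cheap way to audit existing rows.
function containsEventHandler(string $html): bool
{
    return (bool) preg_match('#<[^>]*\son[a-z]+\s*=#i', $html);
}

// The advisory's own proof-of-concept string.
$poc = "<IMG src='' onerror=alert(document.cookie)>";

var_dump(stripScriptTagsOnly($poc) === $poc);   // bool(true): the blacklist leaves it intact
var_dump(containsEventHandler($poc));          // bool(true): the audit check flags it
echo escapeForHtml($poc), PHP_EOL;
// &lt;IMG src=&#039;&#039; onerror=alert(document.cookie)&gt;
```

Encoding on output, rather than filtering on input, is the change that addresses all five entry points at once; the workaround in 2.3 of turning "HTML Code" off achieves the same effect for the fields it covers.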
2.2 Technical Details

    Issue 1: http://mydomain.com/vwar/challenge.php - Additional Information input field
    Issue 2: http://mydomain.com/vwar/joinus.php - Additional Information input field
    Issue 3: http://mydomain.com/vwar/admin/admin.php?action=finishwar&warid=1 - War Report input field
    Issue 4: http://mydomain.com/vwar/profile.php - Nick input field
    Issue 5: http://mydomain.com/vwar/joinus.php - Contact information input field

The VWar system filters out the <script> tag to prevent XSS, but allows image (IMG) tags, in which JavaScript can be executed from the 'onload', 'onerror', and similar event attributes. As these forms are often sent to other users, there is the potential for an attacker to hijack the session of another user, including a user with administrator access. A proof of concept which works with all five issues can be seen by entering the following HTML in the vulnerable fields:

    <IMG src='' onerror=alert(document.cookie)>

2.3 Workaround

Risk from issues 1, 2, 3, and 5 can be mitigated by turning the following settings to 'Off' in the administrator's settings page:

    HTML Code (Default On)
    Enable Challenge Requests (Default On)
    Enable Join Requests (Default On)

There is no known workaround for issue 4.

3. Broken Access Controls

3.1 Summary

There is a lack of access controls in the print view system at http://mydomain.com/vwar/popup.php, which allows an attacker to view articles normally restricted to users of the system.

3.2 Technical Details

It is possible to access member-only news posts by using the printnews action with the newsid field in popup.php. For example, assuming article 3 is hidden from public view, the following URL will allow access to a user who has not logged in:

    http://mydomain.com/vwar/popup.php?action=printnews&newsid=3

whereas

    http://mydomain.com/vwar/news.php?newsid=3

and

    http://mydomain.com/vwar/news.php

correctly do not return the news article unless requested by a valid user.

3.3 Workaround

There is no known workaround for this issue.
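Finding 3 is the familiar pattern of one view (news.php) checking membership while a second view of the same record (popup.php?action=printnews) does not. The PHP below is added as an example, not VWar code: it puts the authorisation decision in one function that every code path loads news through, so the print view cannot drift from the normal view again. The field names membersonly and loggedin, and the array-based news store, are assumptions:

```php
<?php
// Added example, not VWar code. One authorisation function shared by every
// view of a news item, so popup.php's print view gets the same check as news.php.
// Field names ($newsItem['membersonly'], $user['loggedin']) are assumptions.

function canViewNews(array $newsItem, ?array $user): bool
{
    // Public items are visible to everyone.
    if (empty($newsItem['membersonly'])) {
        return true;
    }
    // Member-only items require an authenticated user; a missing or
    // unauthenticated session is treated as "no".
    return $user !== null && !empty($user['loggedin']);
}

// Shared loader used by news.php and popup.php alike. Returns null instead of
// the item when the current user may not see it; the caller then shows the
// usual "not found / login required" page rather than the content.
function loadNewsForDisplay(array $newsStore, int $newsId, ?array $user): ?array
{
    $item = $newsStore[$newsId] ?? null;
    if ($item === null || !canViewNews($item, $user)) {
        return null;
    }
    return $item;
}

// Constructed sample data standing in for the news table.
$newsStore = [
    2 => ['newsid' => 2, 'membersonly' => 0, 'text' => 'Public match announcement'],
    3 => ['newsid' => 3, 'membersonly' => 1, 'text' => 'Members-only strategy notes'],
];
$anonymous = null;
$member    = ['userid' => 7, 'loggedin' => true];

var_dump(loadNewsForDisplay($newsStore, 3, $anonymous) === null); // bool(true): print view now refuses
var_dump(loadNewsForDisplay($newsStore, 3, $member) !== null);    // bool(true): members still see it
var_dump(loadNewsForDisplay($newsStore, 2, $anonymous) !== null); // bool(true): public item unchanged
```

The useful review question for any new action (print, RSS, export) is whether it reaches the record through loadNewsForDisplay or through its own query; only the first inherits the check.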
4. Weak Password Generation

4.1 Summary

VWar has a fault in its random password generation function, which is used during account creation and by the forgotten password functionality. Passwords generated this way are highly likely to be one of a set of 60 passwords. VWar has no account lockout system in place to stop an attacker attempting to brute force the password of a valid user, meaning that an attacker with an automated tool can gain access to an account with a randomly generated password in only a few seconds.

4.2 Technical Details

The bug is in vwar/includes/functions_common.php on line 724:

    716 function createRandomPassword ($passlen=15,$chars="")
    717 {
    718     $chars = trim($chars);
    719     if(empty($chars)) $chars = "aAb0Bc\$CdD1eEfF2gGh%3HiIj§J4kKl5Lm6MnNo7&OpPqQrR6sStTuUvV9wWxXyYzZ§$%&";
    720
    721     $charlen = strlen($chars);
    722     for ($i = 0; $i < $passlen; $i++)
    723     {
    724         mt_srand(date("s", time() + $i * 4567));
    725         $password .= substr($chars,mt_rand(1,$charlen),1);
    726     }
    727
    728     return $password;
    729 }

The mt_srand function is seeded with the seconds field of the current system time, a limited set of 60 values ('00' to '59'). As the seed predetermines the password which will be generated by this function, it is highly likely that the password will be one of a set of only 60. It is possible (although unlikely) that createRandomPassword could run during the transition from one second to the next, meaning there is a total of 420 possible passwords which could be generated. The user enumeration designed into http://mydomain.com/vwar/admin/index.php?login=1 and other locations, combined with the forgotten password functionality, makes it trivial to gain access to any account.

4.3 Workaround

Users with default or reset passwords should be encouraged to reset them manually to new secure passwords. However

5. Static Session Cookies

5.1 Summary

VWar's session cookies are static, meaning that a user will always be given the same session cookie.
VWar will also allow authentication based solely on this cookie. If an attacker obtains a user's session cookie (trivial using finding 2), session timeouts and the logout function will not disrupt the attacker's activities.

5.2 Technical Details

The session cookie is created by running the PHP function md5 on the user's md5-hashed password, causing the session ID to be static.

5.3 Workaround

There is no known workaround for this issue.
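A replacement for the createRandomPassword function quoted in finding 4, added here as an example and not VWar code. Each character is drawn with random_int(), PHP's CSPRNG interface, instead of mt_rand() re-seeded from the clock, so the output does not depend on the second the request arrived. The original's off-by-one (mt_rand(1, $charlen) indexing a 0-based substr, which can yield an empty character) is corrected as well. The entropy helper and function names are my own:

```php
<?php
// Added example, not VWar code: a CSPRNG-based replacement for
// createRandomPassword from finding 4, plus a small entropy comparison.

function passwordAlphabet(string $chars = ''): array
{
    $chars = trim($chars);
    if ($chars === '') {
        // VWar's default character set, reused as-is.
        $chars = 'aAb0Bc$CdD1eEfF2gGh%3HiIj§J4kKl5Lm6MnNo7&OpPqQrR6sStTuUvV9wWxXyYzZ§$%&';
    }
    // Split into characters rather than bytes so the multibyte "§" survives,
    // and de-duplicate so repeated symbols do not bias the draw.
    $symbols = preg_split('//u', $chars, -1, PREG_SPLIT_NO_EMPTY);
    return array_values(array_unique($symbols));
}

function createRandomPasswordSecure(int $passlen = 15, string $chars = ''): string
{
    $alphabet = passwordAlphabet($chars);
    $max      = count($alphabet) - 1;
    $password = '';
    for ($i = 0; $i < $passlen; $i++) {
        // random_int() is uniform over [0, $max] and unpredictable; no seeding.
        $password .= $alphabet[random_int(0, $max)];
    }
    return $password;
}

// Entropy in bits of a uniformly chosen password of $passlen symbols.
function passwordEntropyBits(int $alphabetSize, int $passlen): float
{
    return $passlen * log($alphabetSize, 2);
}

$size = count(passwordAlphabet());
printf("clock-seeded original: at most 60 outputs, about %.1f bits\n", log(60, 2));
printf("random_int version: %d symbols, 15 chars, about %.1f bits\n",
       $size, passwordEntropyBits($size, 15));
echo createRandomPasswordSecure(), PHP_EOL;
```

The comparison printed at the end is the point of the finding in numbers: a 15-character password over this alphabet should carry roughly 90 bits, while the clock-seeded version carries under 6, which is why an attacker needs only a few seconds.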
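For finding 5, the following PHP is added as an example (not VWar code) of a session cookie that is a fresh random value on every login, stored server-side with an expiry, and destroyed on logout, so that nothing about it derives from the password and a captured cookie stops working once the user logs out or the session times out. The in-memory $store array stands in for a sessions table, and SESSION_LIFETIME is an assumed value:

```php
<?php
// Added example, not VWar code: per-login random session tokens with
// server-side state, expiry, and revocation, replacing md5(md5(password)).
// $store is an in-memory stand-in for a sessions table; real code uses the DB.

const SESSION_LIFETIME = 3600; // seconds; assumption, choose per deployment

function issueSession(array &$store, int $userId, int $now): string
{
    // 32 random bytes from the CSPRNG -> 64 hex characters sent to the browser.
    $token = bin2hex(random_bytes(32));
    // Only a hash of the token is stored, so reading the sessions table does
    // not yield usable cookies. SHA-256 suffices because the token is high-entropy.
    $store[hash('sha256', $token)] = [
        'userid'  => $userId,
        'expires' => $now + SESSION_LIFETIME,
    ];
    return $token;
}

function userForSession(array &$store, string $token, int $now): ?int
{
    $key    = hash('sha256', $token);
    $record = $store[$key] ?? null;
    if ($record === null) {
        return null;
    }
    if ($record['expires'] <= $now) {
        unset($store[$key]);   // expired: drop it rather than honour it
        return null;
    }
    return $record['userid'];
}

function revokeSession(array &$store, string $token): void
{
    unset($store[hash('sha256', $token)]);   // logout really ends the session
}

// Constructed walk-through with a fixed clock value.
$store   = [];
$t0      = 1000000;
$cookieA = issueSession($store, 42, $t0);
$cookieB = issueSession($store, 42, $t0 + 1);   // second login: different cookie

var_dump($cookieA !== $cookieB);                                              // bool(true)
var_dump(userForSession($store, $cookieA, $t0 + 10) === 42);                  // bool(true)
revokeSession($store, $cookieA);
var_dump(userForSession($store, $cookieA, $t0 + 10) === null);                // bool(true): logout now bites
var_dump(userForSession($store, $cookieB, $t0 + SESSION_LIFETIME + 5) === null); // bool(true): timeout bites
```

When the token is handed to the browser, set it with the HttpOnly flag (and Secure where TLS is in use) so that a stored-XSS payload like the one in finding 2 cannot read it from document.cookie; that removes the link between the two findings even before the XSS itself is fixed.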