Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Web :: PHP :: web5310.htm

PHPProjekt multiple remote vulnerabilities



25th Apr 2002 [SBWID-5310]
COMMAND

	PHPProjekt multiple remote vulnerabilities

SYSTEMS AFFECTED

	All versions below 3.2

PROBLEM

	Ulf Harnhammar [ulfh@update.uu.se] found the  following  vulnerabilities
	:
	

	1) Some of the scripts in the system require that  the  user  is  logged
	in, while others don\'t.  The  system  differentiates  between  them  by
	checking the current  URL  in  the  variable  $PHP_SELF  to  see  if  it
	contains strings like \"sms\" (the name  of  one  of  the  scripts  that
	don\'t  require  logging  in  contains  that   string).   Unfortunately,
	$PHP_SELF includes the PATH_INFO part of a request. This means  that  we
	can fool the system into thinking that we are accessing  a  script  that
	doesn\'t need logging in, while in fact we are accessing a  script  that
	does. This is done by constructing a URL like
	

	http://www.somehost.com/phprojekt/mail/mail_send.php/sms

	

	where the PATH_INFO part is \"/sms\".
	

	2) The upload functions in the system  don\'t  check  if  the  variables
	related to an upload actually were set by uploading a file  or  if  they
	are normal POST data. This can be used to  make  the  system  treat  any
	file it can read, like \"/etc/passwd\", as the uploaded data.
	

	3)  Many  SQL  statements  in  the  system  include  user  data  without
	enclosing it in apostrophes or quotes. This means that  much  more  data
	than intended can  be  deleted  or  changed.  If  the  system  uses  the
	parameter \"id\" in the string \"UPDATE  table  SET  name=\'Ulf\'  WHERE
	intTableID=$id\", giving \"id\" the value \"intTableID\" means  that  we
	will end up executing the  statement  \"UPDATE  table  SET  name=\'Ulf\'
	WHERE intTableID=intTableID\". This statement will change all  names  in
	the table to Ulf.
	

	4) Some of the scripts that should require logging  in  never  check  if
	you are in fact logged in. This means that a  person  with  insufficient
	privileges can view or edit data in the system,  by  posting  the  right
	data to those scripts.
	

	5) Files are accessed without proper checking of their  file  names  for
	slashes and dots. This means that we  can  read  files  outside  of  the
	PHProjekt     system     by      entering      file      names      like
	\"../../../../../etc/passwd\".

SOLUTION

	Get version 3.2 from http://www.phprojekt.com/


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH