Monday, June 23, 2014

Multiple vulnerabilities in bugs.php.net, pecl.php.net, master.php.net and gtk.php.net

Another "sprint code review" resulted in many vulnerabilities in *.php.net sites.

Short summary:
  • bugs.php.net: SQLi, XSS
  • pecl.php.net: SQLi, XSS
  • master.php.net: SQLi, XSS, possible server-side command execution
  • gtk.php.net: SQLi, XSS, auth bypass

Reported: 03.05.2014
Fixed: 11.06.2014

Details:

bugs.php.net

  • SQL Injection in get_resolve_reasons() function from functions.php (project variable) 
    function get_resolve_reasons($project = false)
{
 global $dbh;

 $where = '';

 if ($project !== false)
  $where.= "WHERE (project = '{$project}' OR project = '')";

 $resolves = $variations = array();
 $res = $dbh->prepare("SELECT * FROM bugdb_resolves $where")->execute(array());
 ...

  • 2. XSS in bug.php ($_POST['in']['email']) 
    ...
<input type="text" size="40" maxlength="40" name="in[email]" value="<?php echo isset($_POST['in']) && isset($_POST['in']['email']) ? $_POST['in']['email'] : ''; ?>" />
...

pecl.php.net

  • XSS in account-edit.php (handle parameter), because of bad regexp validation 
    ...
if ($handle && !preg_match('@[0-9A-Za-z_]{2,20}$@', $handle)) {
    response_header('Error:');
    report_error("No valid handle given!");
    response_footer();
    exit();
}
...
    Regular expression used in preg_match is checking only string ending, not the beggining. Possible example: account-edit.php?handle=<script>alert('XSS')</script>AAAA

  • SQL injection in package-delete.php (id parameter) 
    ...
    $query = "SELECT p.name, r.version FROM packages p, releases r
                WHERE p.id = r.package AND r.package = '" . $_GET['id'] . "'";

    $row = $dbh->getAll($query);
...

  • XSS in package-delete.php (id parameter)

  • Some other minor issues I've noticed:
    • Small typo (should be $_GET instead of $GET) in package-new.php:
      ...
if(isset($_GET[$arg])) $_GET[$arg] = htmlspecialchars($GET[$arg], ENT_QUOTES);
...
    • User with password that match /^[a-z0-9]{32}$/ is unable to log in. 
      ...
function auth_verify($user, $passwd)
...
   // Check if the passwd is already md5()ed
   if (preg_match('/^[a-z0-9]{32}$/', $passwd)) {
    $crypted = $passwd;
   } else {
    $crypted = md5($passwd);
   }
...

master.php.net

  • Possible serveside command execution in network/api.php 
    ...
$res = db_query("SELECT * FROM mirrors LEFT JOIN country ON mirrors.cc = country.id WHERE mirrors.hostname='".mysql_real_escape_string($_GET['host'])."' LIMIT 0,1");
$row = mysql_fetch_assoc($res);
...
$cname = $row['cname'];
$ip_info = str_replace(PHP_EOL,'; ',trim(`host $cname | grep -i address`));
$ping_stats = nl2br(trim(`ping -c1 -i1 -w1 $cname | grep -v PING | grep -v "ping statistics"`));
$ip_addr = gethostbyname($_GET['host']);
...
    Although cname variable comes from database it's not properly sanitized by escapeshell* function(s).

  • Many SQL injections in forgot.php, entry/svn-account.php, manage/event.php, manage/mirrors.php. However they're not exploitable because of magic_quotes_gpc enabled in production environment (but in other places user input is sanitized anyway)

  • SQL injection in manage/user-notes.php (id parameter) 
    ...
$sql = 'DELETE FROM votes WHERE votes.note_id = ' . real_clean($id);
...
    include/functions.inc: 
    ...
function real_clean($var)      { return mysql_real_escape_string($var); }
...
    Neither magic_quotes_gpc nor real_clean() protect from specific injection (like: '1 or 1=1').

  • XSS in manage/event.php (action parameter)
    • ...
$valid_vars = array('id', 'action','in','begin','max','search','order','full','unapproved');
foreach($valid_vars as $k) {
    $$k = isset($_REQUEST[$k]) ? $_REQUEST[$k] : false;
}
...
if ($id && $action) {
  switch ($action) {
 ...
  default:
    warn("that action ('$action') is not understood.");
  }
}
...
    functions.inc: 
    ...
function format_warn($message) { return "
    $message
    "; }
function warn($message)        { echo format_warn($message); }
...

gtk.php.net

Note: First of all the whole site in production environment seems to be deprecated and many things don't work.
  • Authorization bypass:

    In most places authorization is done by: 
    ...
if ($user = get_user()) {
...

    cvs-auth.inc: 
    ...
function get_user() {

 if (isset($_COOKIE['PHP-GTK'])) {
  list($user, $pass) = explode(':', base64_decode($_COOKIE['PHP-GTK']));
  $stored = file_get_contents(DB_DIR."/$user.txt");
  if ($pass == $stored) {
   return $user;
  }
 }
 return false;
}
...

    Setting cookie to base64_encode("user_that_do_not_exists:") will bypass authorization because of used "==" operator ('' == false -> true).

  • Multiple SQL injections in manual/browse-notes.php, manual/browse.php

  • XSS in manual/browse-notes.php, params: $_GET['let'] and $_GET['y']

  • manual1/* and apps/* vulnerabilities but it seems they're broken/disabled in production environment (propably because of mysql_connect timeout)


Commits with fixes:

http://git.php.net/?p=web/bugs.git;a=commit;h=e353f1f83f51adb95a5fc981e0ee37d2374602d5
http://git.php.net/?p=web/bugs.git;a=commit;h=46a74d234c026fea0928764e940a729801d604b5
http://git.php.net/?p=web/gtk.git;a=commit;h=7a62171c7ed46085d3d1244abea28e7a3e65ad11
http://git.php.net/?p=web/gtk.git;a=commit;h=7230b03244974298af17507a36f34d10a9d777a0
http://git.php.net/?p=web/gtk.git;a=commit;h=723496f654da0b63c128d46a67c3952aed195a83
http://git.php.net/?p=web/pecl.git;a=commit;h=219bbdfce56c8cfca91189fa8a9bb2df6158d02c
http://git.php.net/?p=web/pecl.git;a=commit;h=0a30bab1c4763ebf5a36120afd4039b23da5a427
http://git.php.net/?p=web/pecl.git;a=commit;h=5251a3f8518a600a07d3ceacc2606c167dd0fba8
http://git.php.net/?p=web/pecl.git;a=commit;h=2a1f91d8016ddc4be5156743f49e922a2ab6a937
http://git.php.net/?p=web/master.git;a=commit;h=e024ef1a36b36785955816a1ee95c9c498ad0550
http://git.php.net/?p=web/master.git;a=commit;h=9404bdc83562397e78c35e6daf2c91bf8a886f60
http://git.php.net/?p=web/master.git;a=commit;h=efa8fa543bd8ebb808407be4f2dcc7c3204a615b
http://git.php.net/?p=web/master.git;a=commit;h=41e4d4aff29ccbf0ab3ac756e344d73ba1f4e0c2
http://git.php.net/?p=web/master.git;a=commit;h=1b0dac3d83739242e2cca66ea533bc03e5553ada
http://git.php.net/?p=web/master.git;a=commit;h=0ac39f3249b9c06cea6e50fa985f447cba92a309
http://git.php.net/?p=web/master.git;a=commit;h=e7dca7e9d57a29cf93c2a5673c0d8acd275e4c1e
http://git.php.net/?p=web/master.git;a=commit;h=b75fa9c0ebdcf7da01c2d68500c2de13a5ea2d83
http://git.php.net/?p=web/master.git;a=commit;h=f1ba778df22b8e54a3e71d728ad7cf06be3c502d
Posted by at
Labels: , , , , , , , ,

3 comments:

  1. Staedtler Pensil Terbaik Untuk AnakDecember 8, 2016 at 12:37 PM

    This comment has been removed by a blog administrator.

    ReplyDelete
  2. Nurul HikmahDecember 29, 2016 at 11:07 PM

    This comment has been removed by a blog administrator.

    ReplyDelete
  3. Pakar SeoApril 23, 2017 at 8:07 PM

    wonderful issues altogether, you simply received
    a brand new reader. What would you suggest in regards to your publish that you
    just made a few days in the past? Any sure?

    ReplyDelete

Subscribe to: Post Comments (Atom)