The following security advisory is sent to the securiteam mailing list, and can
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
phpBannerExchange Unauthorized Password Recovery
------------------------------------------------------------------------
SUMMARY
<http://www.eschew.net/scripts/phpbe/2.0/> phpBannerExchange is "a
PHP/mySQL script that allows virtually anyone with minimal knowledge of
PHP, mySQL and web hosting to run their own banner exchange". RedTeam
identified an SQL injection that can be triggered due to a bad user input
sanitization in phpBannerExchange. It is possible to recover a password of
an user and thereby overtake his account.
DETAILS
Vulnerable Systems:
* phpBannerExchange version 2.0 RC5
Immune Systems:
* phpBannerExchange version 2.0 RC6
If a user forgot the password of his phpBannerExchange account, he can
reset it by supplying his email address. In "resetpw.php" the variable
$email contains this email address, which is then validated by a regular
expression.
[...]
42 if(!eregi("^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*
(\.[a-z]{2,3})$", $email)){
[...]
Due to a bug in the implementation of eregi(), it is possible to pass
additional characters by using a Null Byte "\0". Because the backend of
eregi() is implemented in C, $email is treated as a zero-terminated
string. All characters starting from the Null Byte on will not be
recognized by the regular expression. Therefore you can pass an email
address, that includes the special character "'" to break the following
SQL query:
[...]
48 $get_info=mysql_query("select * from banneruser where
email='$email'");
[...]
After that, a new password for the chosen user is generated and sent via
[...]
68 mail($email,$usrsubject,$usrcontent,"From: $ownermail");
[...]
Note that mail() will treat $email as a zero-terminated string, too.
Thereby, an attacker can reset the password of a user account and send it
to his own email address.
Proof of Concept:
Use following URLs with your favorite web browser:
http://example.com/phpbe/resetpw.php?
submit=&email=attacker@example.com%00'or email='victim@example.com
to retrieve the password of the user with the email address
"victim@example.com" or
http://example.com/phpbe/resetpw.php?
submit=&email=attacker@example.com%00'or id='1
to retrieve the password of the user with user id "1".
Workaround:
Use PHP Magic Quotes.
Fix:
Upgrade to version 2.0 RC6
Security Risk:
The security risk is high because an attacker could gain access to an
administrator account and view and alter the database and hereby
compromise the whole application.
History:
2006-06-09 Discovery of the problem
2006-06-10 Vendor is informed
2006-06-12 Vendor released fixed version
ADDITIONAL INFORMATION
The information has been provided by
<mailto:release@redteam-pentesting.de> RedTeam Pentesting.
The original article can be found at:
<http://www.redteam-pentesting.de/advisories/rt-sa-2006-005.txt>
http://www.redteam-pentesting.de/advisories/rt-sa-2006-005.txt
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to:
list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to:
list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any
kind.
In no event shall we be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or special
damages.
