deV!L`z Clanportal - SQL Injection

2006.12.07
Credit: Tim Weber (scy-adv scytale de)
Risk: Medium
Local: No
Remote: Yes
CVE: CVE-2006-6339
CWE: CWE-89


CVSS Base Score: 6.8/10
Impact Subscore: 6.4/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

/ -[061124a]- | deV!L`z Clanportal - SQL Injection | / S Y N O P S I S / =================' -( access: remote severity: high )- An SQL injection has been found in deV!L`z Clanportal, which allows any logged in user to grant herself admin privileges in the system. B A C K G R O U N D / =====================' deV!L`z Clanportal (short "DZCP") is a suite of PHP scripts that allow anybody to create a feature-rich website for her online gaming clan. A F F E C T E D V E R S I O N S / ===================================' verified on: 1.3.6 possibly vulnerable: <= 1.3.6 fixed in: 1.3.6.1 I M P A C T / =============' The attacker gains admin privileges in DZCP and is thus able to create and download a MySQL dump, upload files, post news, delete users etc. P R E R E Q U I S I T I E S / =============================' o the attacker needs to have an user account in the suite and be logged in o php.ini directive "magic_quotes_gpc" has to be disabled D E S C R I P T I O N / =======================' sites/index.php is not escaping the $_GET['show'] parameter, leading to an SQL injection. This can be used to pass any string to the $where parameter in DZCP's page() function. page(), in turn, is not checking that parameter, allowing a second SQL injection in an UPDATE statement on the "users" table to change arbitrary attributes in the calling user's tuple, including the "level" attribute, which, set to 4, grants the user administrator privileges. W O R K A R O U N D / =====================' Some possibilities: o Add a mysql_real_escape_string() around the $_GET parameter in the SQL query in sites/index.php. o Remove sites/index.php or make it inaccessible. o Quit using DZCP. I mean it! There are tons of other vulnerabilites just waiting to be exploited; some of them more severe than this one. IMHO, DZCP is just a chaotic bunch of vulnerabilities that, by some coincidence, happen to look like a clan portal. P R O O F O F C O N C E P T / =================================' Check if magic_quotes_gpc is enabled: http://<dzcp>/sites/index.php?show=' If a MySQL error appears or the script dies, it is disabled. Then: http://<dzcp>/sites/index.php?show=-1'+%55NION+%53ELECT+1,+'Admin+Panel ',+level%3d4,+waffe%3d'SQL+Injection',+2,+3,+' T I M E L I N E (CET) / ========================' 2006-11-23 23:05 started searching 24 0:35 exploited 14:20 advisory finished 17:31 informed vendor that any user can get admin privileges 25 23:00 full disclosure to vendor 27 14:36 hotfix available on vendor website 12-01 10:00 full disclosure to the general public A B O U T T H E A U T H O R / =================================' Tim Weber, computer science student at the University of Mannheim, Germany, currently looking for an internship at some IT security or pentesting company, can be reached via e-mail: scy-adv-061124a at the host scytale.de. T H A N K S / =============' o Kallista o yorn for showing me DZCP and the basics of SQL injections o the DZCP authors for the fun in secure.php


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top