[VIM] PwsPHP ugly mess

Steven M. Christey coley at mitre.org
Tue Feb 28 20:48:41 EST 2006


I'm drained by the whole experience, so I'll let CVE's internal
analysis fields speak for themselves.

Summary: multiple PwsPHP issues seem to have been disclosed and munged
together under one roof.  This appears to stem from multiple
grep-and-gripe reports by papipsycho, but this cannot be proven due to
non-public raw source information in the associated BID, which seems
to combine 2 separate issues, although one of them doesn't seem to
have an obvious attack vector based on casual source inspection.
Hooray for the provenance problem!

Why oh why did I dare to ask myself the wrong question at the wrong
time? :)

- Steve

P.S. On the post-proactive vendor front, looks like the vendor is
asking for security auditors for PwsPHP :
http://www.pwsphp.com/index.php?mod=news&ac=commentaires&id=280


======================================================
Name: CVE-2006-0668
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0668
Announced: 20060209
Flaw: sql-inject
Reference: MISC:http://www.securityfocus.com/bid/16567/exploit
Reference: BID:16567
Reference: URL:http://www.securityfocus.com/bid/16567
Reference: SECUNIA:19023
Reference: URL:http://secunia.com/advisories/19023

SQL injection vulnerability in index.php in PwsPHP 1.2.3 allows remote
attackers to execute arbitrary SQL commands via the id parameter,
possibly in message.php in the espace_membre module.  NOTE: the
provenance of this information is unknown; the details are obtained
solely from third party information.


Analysis:
ACCURACY: the exploit tab in BID:16567 includes the demonstration URL
"index.php?mod=espace_membre&ac=message&id=999999[SQL]".  Source code
inspection shows that index.php uses the "mod" and "ac" parameters to
construct an include statement for modules/espace_membre/message.php.
The use of an 'id' parameter could not be found using casual
inspection.

ACCURACY: the fully functioning exploit code that is linked in
BID:16567 is for profil.php/aff_news_form, which appears to be a
different vulnerability.


======================================================
Name: CVE-2006-0942
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0942
Announced: 20060209
Flaw: sql-inject
Reference: MISC:http://downloads.securityfocus.com/vulnerabilities/exploits/PwsPHP_SQL_Inj.php
Reference: BID:16567
Reference: URL:http://www.securityfocus.com/bid/16567

SQL injection vulnerability in profil.php in PwsPHP 1.2.3, and
possibly earlier versions, allows remote attackers to execute
arbitrary SQL commands via the aff_news_form parameter, a different
vulnerability than CVE-2005-1509.


Analysis:
ACCURACY: the exploit tab in BID:16567 includes an example URL that
seems to involve espace_membre, but that may be for a different issue.
The actual functioning program included in BID:16567 is for this
profil.php/aff_news_form issue.
ACCURACY: A source code review of profil.php in 1.2.3 shows the use of
aff_news_form in an input form, but the input has a maximum length
specifier, possibly indicating attempts at client-side restrictions.
On resubmission to the same profil.php, $aff_news_form is directly
inserted into an SQL query, as called by the reqmysql function, which
primarily calls mysql_query().


======================================================
Name: CVE-2006-0943
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0943
Announced: 20060209
Flaw: sql-inject
Reference: BUGTRAQ:20060225 PwsPHP Injection SQL on Index.php
Reference: URL:http://www.securityfocus.com/archive/1/archive/1/426084/100/0/threaded
Reference: BUGTRAQ:20060226 Re: PwsPHP Injection SQL on Index.php
Reference: URL:http://www.securityfocus.com/archive/1/archive/1/426183/100/0/threaded
Reference: MISC:http://www.pwsphp.com/index.php?mod=news&ac=commentaires&id=278

SQL injection vulnerability in the sondages module in index.php in
PwsPHP 1.2.3 allows remote attackers to execute arbitrary SQL commands
via the id parameter to index.php.


Analysis:
ACKNOWLEDGEMENT: The PwsPHP forum with the fix is in another language,
but source inspection of the suggested patch shows that
modules/sondages/index.php was fixed on Feb 27 (2 days after
disclosure) and cleanses the id parameter using intval().
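The sondages fix above, as an added illustration that is not PwsPHP's own code: the reqmysql() stand-in, the sondages table name and the two query builders are assumptions made for this example, and the request values are constructed.

```php
<?php
// Added example (hypothetical, not PwsPHP code): a reqmysql()-style wrapper
// and the "before" and "after" of cleansing the sondages id parameter.

// Stand-in for the reqmysql() helper named in the analysis. It returns the
// query text instead of calling mysql_query() so this runs without a database.
function reqmysql(string $sql): string {
    return $sql;
}

// Vulnerable pattern: the raw request value is spliced into the query, so
// whatever follows the digits becomes part of the SQL statement.
function poll_query_vulnerable(array $get): string {
    $id = $get['id'];
    return reqmysql("SELECT * FROM sondages WHERE id=" . $id);
}

// Hardened pattern matching the Feb 27 fix: intval() keeps only the leading
// integer, so a value such as "999999[SQL]" collapses to 999999.
// This works because id is numeric; a free-text field such as aff_news_form
// needs escaping or a parameterised query instead, since intval() would
// destroy legitimate input there.
function poll_query_fixed(array $get): string {
    $id = intval($get['id']);
    return reqmysql("SELECT * FROM sondages WHERE id=" . $id);
}

// Constructed request values: a normal poll id and one carrying a SQL tail
// in the shape of the BID demonstration URL.
$normal  = ['id' => '12'];
$tainted = ['id' => '999999 OR 1=1'];

echo "normal, vulnerable: ", poll_query_vulnerable($normal), "\n";
echo "tainted, vulnerable: ", poll_query_vulnerable($tainted), "\n";
echo "tainted, fixed:      ", poll_query_fixed($tainted), "\n";
```

Run it with `php example.php`; the last line shows that only the integer prefix of the tainted value survives into the query.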

