SECURITYVULNS:DOC:12294

phpsurveyor Multiple Vulnerabilities

2006-04-19 00:00:00
vulners.com

- phpsurveyor Multiple Vulnerabilities -

-= http://colander.altervista.org/advisory/phpsurveyor.txt =-

-= phpsurveyor =-

Omnipresent
April 18, 2006

Vulnerability(s):

SQL Injection - Insecure Password Storage

Product:

phpsurveyor 0.995

Vendor:

http://www.phpsurveyor.org/

Description of product:

PHPSurveyor is a set of PHP scripts that interact with MySQL to develop surveys, publish surveys and collect responses
to surveys. Once a survey has been created it can be published as an online survey (displayed as single questions, group
by group or all in one page) or you can use a dataentry system for administration of paper-based versions of the survey.
PHPSurveyor can produce 'branching' surveys (set conditions on whether individual questions will display), can vary the
look and feel of your survey through a templating system and can provide basic statistical analysis of your survey results.

PHPSurveyor includes the capacity to generate individualised 'tokens' - so if you have a list of people you want to invite
to participate in a survey you can issue each one with a token, and they will be able to access the survey using that token.
This allows for quite good quality control of your surveys.

Vulnerability / Exploit:

There are several vulnerabilities in phpsurveyor.

The first vulnerability is insecure password storage. If an attacker gains access to the server, they can read the
username and password of the admin user in clear text from config.php. It is better to store an md5 hash to avoid this problem.

// Site Info
$sitename = "PHPSurveyor"; // The official name of the site (appears in the Window title)
$scriptname = "admin.php"; // The name of the admin script (can be changed to the experimental admin interface index.php)
$accesscontrol = 1; // make 0 for no access control
$defaultuser = "admin"; // This is the default username when security is first turned on
$defaultpass = "password"; // This is the default password for when security is first turned on

An attacker can also read, again in config.php, the username and password used to access the DB in clear text. It is
better to use an md5 hash to avoid this problem.

// === Basic Setup
$databaselocation = "localhost"; // Network location of your MySQL Database
$databaseport = "3306"; // The port of your MySQL Database (3306 is default)
$databasename = "phpsurveyor"; // The name of the database that we will create
$databaseuser = "root"; // The name of a user with rights to create db (or if db already exists, then rights within that db)
$databasepass = ""; // Password of db user
$databasetabletype = "MyISAM"; // Default table type (only used if creating db automatically through script - eg "MyISAM" or "InnoDB")
$dbprefix = ""; // A global prefix that can be added to all PHPSurveyor tables. Use this if you are sharing
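A hardened form of the admin credential in config.php, as an added example that is not PHPSurveyor's own code: the config keeps only a password hash and the login is checked against it with PHP's password_hash()/password_verify() (PHP 5.5+) instead of the plain md5 the advisory suggests, because an unsalted md5 of a short password is cheap to reverse. The variable names follow config.php above; adminLoginOk() is an assumed helper and the stored hash is a placeholder.

```php
<?php
// Added example (not PHPSurveyor code): store a password hash, not the password.
// Generate the hash once, outside the web root, and paste it into config.php:
//   php -r 'echo password_hash("choose-a-real-password", PASSWORD_DEFAULT), "\n";'

// What config.php would carry instead of $defaultpass = "password";
$defaultuser     = "admin";
$defaultpasshash = '$2y$10$PLACEHOLDER-paste-the-output-of-the-command-above';

// Constant-time comparison of the username, then bcrypt verification of the
// password. Returns true only when both match. The submitted password is never
// written to a log or echoed back to the client.
function adminLoginOk($submittedUser, $submittedPass, $defaultuser, $defaultpasshash)
{
    $userOk = hash_equals((string) $defaultuser, (string) $submittedUser);
    // password_verify() returns false for a malformed or placeholder hash,
    // so an unconfigured install fails closed rather than open.
    $passOk = password_verify((string) $submittedPass, (string) $defaultpasshash);
    return $userOk && $passOk;
}

// Typical use from admin.php (assumed form field names):
// if (!adminLoginOk($_POST['user'], $_POST['pass'], $defaultuser, $defaultpasshash)) { exit; }
```

This applies only to the admin login, which merely needs to verify a password; the database password in config.php must be sent to MySQL in clear, so for it the defence is restrictive file permissions on config.php and a least-privilege database account instead of root.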

There are also some SQL injection vulnerabilities.

The input passed to the "sid" parameter is not properly sanitised before being used in the SQL query, so an attacker can
exploit it by injecting arbitrary SQL code.

There is also a bug in save.php that can allow an attacker to inject arbitrary SQL code.

The exploitable code is:

if (isset($source))
{
    //Check that the required fields have been completed.
    $errormsg="";
    if (!isset($_POST['savename']) || !$_POST['savename']) {$errormsg.=_SAVENONAME."<br />\n";}
    if (!isset($_POST['savepass']) || !$_POST['savepass']) {$errormsg.=_SAVENOPASS."<br />\n";}
    if (!isset($_POST['savepass2']) || !$_POST['savepass2']){$errormsg.=_SAVENOPASS2."<br />\n";}
    // modified logic so that it correctly checks to see if (savepass != savepass2)
    // isset(savepass) and isset(savepass2) have already been checked and do not
    // need to be checked again
    if ($_POST['savepass'] != $_POST['savepass2'])
    {$errormsg.=_SAVENOMATCH."<br />\n";}
    if (!$errormsg && !isset($_SESSION['savename']))
    {
        //All the fields are correct. Now make sure there's not already a matching saved item
        // $_POST['savename'] and $surveyid are concatenated into the query without
        // escaping; savepass is md5()'d first and so is not directly controllable.
        $query = "SELECT * FROM {$dbprefix}saved_control\n"
            ."WHERE sid=$surveyid\n"
            ."AND identifier='".$_POST['savename']."'\n"
            ."AND access_code='".md5($_POST['savepass'])."'\n";
        // on failure the die() also echoes the full query and the MySQL error to the client
        $result = mysql_query($query) or die("Error checking for duplicates!<br />$query<br />".mysql_error());
        if (mysql_num_rows($result) > 0)
        {
            $errormsg.=_SAVEDUPLICATE."<br />\n";
        }
    }
}

If $source and $surveyid are set correctly, an attacker can exploit this by injecting arbitrary SQL code through the
savename variable, because it is not properly sanitised before being concatenated into the query.

In the function updateAssessment, if $surveyid and $dbprefix are set correctly, an attacker can inject arbitrary SQL code
through the id variable, because that variable is not properly sanitised.

function updateAssessment($surveyid, $dbprefix) {
    // scope, assessment_gid, minimum, maximum and id are concatenated straight
    // from $_POST; only name, message and link pass through auto_escape().
    // gid and the WHERE id are used unquoted.
    $query = "UPDATE {$dbprefix}assessments
        SET scope='".$_POST['scope']."',
        gid=".$_POST['assessment_gid'].",
        name='".auto_escape($_POST['name'])."',
        minimum='".$_POST['minimum']."',
        maximum='".$_POST['maximum']."',
        message='".auto_escape($_POST['message'])."',
        link='".auto_escape($_POST['link'])."'
        WHERE id=".$_POST['id'];
    $result=mysql_query($query);
}

Also in this function:

function doAssessment($surveyid)
{
    global $dbprefix, $thistpl;
    // $surveyid is interpolated unquoted into the WHERE clause
    $query = "SELECT * FROM {$dbprefix}assessments
        WHERE sid=$surveyid
        ORDER BY scope";

An attacker can inject arbitrary SQL code if they can set $surveyid to a value like:

surveyid = '1' OR '1' = '1'

The attacker can then see the whole assessments table of the DB, whose structure is:

Table structure for table `assessments`

CREATE TABLE `assessments` (
  `id` int(11) NOT NULL auto_increment,
  `sid` int(11) NOT NULL default '0',
  `scope` varchar(5) NOT NULL default '',
  `gid` int(11) NOT NULL default '0',
  `name` text NOT NULL,
  `minimum` varchar(50) NOT NULL default '',
  `maximum` varchar(50) NOT NULL default '',
  `message` text NOT NULL,
  `link` text NOT NULL,
  PRIMARY KEY (`id`)
) TYPE=MyISAM AUTO_INCREMENT=1 ;
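The three queries above (the save.php duplicate check, updateAssessment and doAssessment) rewritten with PDO prepared statements, as an added example that is not PHPSurveyor's own code: every request value becomes a bound parameter, so a value such as '1' OR '1' = '1' is compared as data and cannot alter the query. It assumes an already-opened PDO connection $pdo; the function names savedItemExists() and loadAssessments() are assumed, and $dbprefix must come from config.php, never from a request, because a table name cannot be bound as a parameter.

```php
<?php
// Added example (not PHPSurveyor code): the advisory's three queries with PDO
// prepared statements. $pdo is an assumed, already-opened PDO connection.

// save.php duplicate check: savename (and $surveyid) were concatenated raw.
function savedItemExists(PDO $pdo, $dbprefix, $surveyid, $savename, $savepass)
{
    $stmt = $pdo->prepare("SELECT COUNT(*) FROM {$dbprefix}saved_control"
        . " WHERE sid = :sid AND identifier = :name AND access_code = :code");
    $stmt->bindValue(':sid',  (int) $surveyid, PDO::PARAM_INT);
    $stmt->bindValue(':name', (string) $savename, PDO::PARAM_STR);
    // access_code is stored as md5 in the existing schema; kept for compatibility
    $stmt->bindValue(':code', md5((string) $savepass), PDO::PARAM_STR);
    $stmt->execute();
    return (int) $stmt->fetchColumn() > 0;
}

// updateAssessment: scope, gid, minimum, maximum and the WHERE id were
// concatenated unescaped; here every value is a bound parameter and the
// numeric columns are cast to int before binding.
function updateAssessment(PDO $pdo, $dbprefix, array $post)
{
    $stmt = $pdo->prepare("UPDATE {$dbprefix}assessments"
        . " SET scope = :scope, gid = :gid, name = :name, minimum = :minimum,"
        . " maximum = :maximum, message = :message, link = :link"
        . " WHERE id = :id");
    foreach (array('scope', 'name', 'minimum', 'maximum', 'message', 'link') as $f) {
        $stmt->bindValue(':' . $f, (string) $post[$f], PDO::PARAM_STR);
    }
    $stmt->bindValue(':gid', (int) $post['assessment_gid'], PDO::PARAM_INT);
    $stmt->bindValue(':id',  (int) $post['id'], PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();   // 0 means no row with that id existed
}

// doAssessment: "WHERE sid=$surveyid" accepted '1' OR '1' = '1'; an integer
// bound with PARAM_INT cannot change the structure of the query.
function loadAssessments(PDO $pdo, $dbprefix, $surveyid)
{
    $stmt = $pdo->prepare("SELECT * FROM {$dbprefix}assessments"
        . " WHERE sid = :sid ORDER BY scope");
    $stmt->bindValue(':sid', (int) $surveyid, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}
```

Open the connection with PDO::ATTR_EMULATE_PREPARES set to false so MySQL itself performs the parameter binding, and replace the or die($query ...) pattern with logging server-side so query text and MySQL errors are no longer echoed to the client.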

Credits:

omnipresent
[email protected]