Milkeyway Captive Portal versions 0.1 and 0.1.1 are vulnerable to many SQL injection and XSS vulnerabilities. Detailed POC included.
ac204592ba8d46b51a0cd05581ac6ff707420ab9e164e86a54872fef2b8f131e
Milkeyway Captive Portal Multiple Vulnerabilities
Name Multiple Vulnerabilities in Milkeyway Captive Portal
Systems Affected WebCalendar (any version, verified on 0.1 and 0.1.1)
Severity Medium Risk
Vendor sourceforge.net/projects/milkeyway
Advisory http://www.ush.it/team/ascii/hack-milkeway/milkeyway.txt
Author Francesco "aScii" Ongaro (ascii at katamail . com)
Date 20060316
I. BACKGROUND
Milkeyway is a software for the management and administration of
internet access within public structures and frameworks, where
the service supplying must be submitted to a scrupulous inspection.
II. DESCRIPTION
Nearly all SQL queries are vulnerable to SQL injection vulnerabilities.
There are also some XSS vulnerabilities.
III. ANALYSIS
Since there are 28 detected different vulnerabilities only an
abstract will be included in this mail, please refer to the complete
advisory aviable here:
http://www.ush.it/team/ascii/hack-milkeway/milkeyway.txt
1) LOGIN PAGE authenticate() SQL INJECTION
2) add_userIp() SQL INJECTION
3) updateTimeStamp() SQL INJECTION
4) authuser.php USER DELETE SQL INJECTION
5) delete_user() SQL INJECTION
6) authuser.php MODIFY USER modify_user() SQL INJECTION
7) authuser.php MULTIPLE XSS
8) authuser.php EDIT SQL INJECTION
9) authuser.php RELEASE USER SQL INJECTION
10) releaseUser() SQL INJECTION
11) authuser.php ORDERING SQL INJECTION
12) authgroup.php ADD GROUP SQL INJECTION
13) add_team() SQL INJECTION
14) authgroup.php DELETE GROUP SQL INJECTION
15) delete_team() SQL INJECTION
16) authgroup.php MODIFY TEAM SQL INJECTION
17) modify_team() SQL INJECTION
18) traffic.php MULTIPLE SQL INJECTION
19) userstatistics.php ADD USER SQL INJECTION
20) userstatistics.php DELETE USER SQL INJECTION
21) userstatistics.php MODIFY USER SQL INJECTION
22) userstatistics.php EDIT USER SQL INJECTION
23) userstatistics.php MULTIPLE XSS
24) userstatistics.php $_GET['username'] SQL INJECTION 1
25) userstatistics.php $_GET['username'] SQL INJECTION 2
26) chgpwd.php SQL INJECTION 1
27) chgpwd.php SQL INJECTION 2
28) logout.php SQL INJECTION
IV. DETECTION
Milkeyway 0.1 and 0.1.1 are vulnerable.
V. WORKAROUND
Input validation will fix the vulnerability.
Magic quotes ON will protect you against most of these injections
except chapter 11 (authuser.php ORDERING SQL INJECTION) where the
input has no single or double quotes around, making magic quotes
useless.
11) SQL is injectable by $_GET['filter']
---------------- in authuser.php -----------------
$orderingFilter = $_GET['filter'];
if ($orderingFilter == '') $orderBy ="order by uname ASC" ;
else $orderBy ="order by ".$orderingFilter." ".$direction;
$result = mysql_query("SELECT * FROM authuser ".$orderBy );
--------------------------------------------------
VI. VENDOR RESPONSE
Vendor has been contacted.
VII. CVE INFORMATION
No CVE at this time.
VIII. DISCLOSURE TIMELINE
20060301 Bug discovered
20060316 Vendor contacted
20060316 Advisory released
IX. CREDIT
ascii is credited with the discovery of this vulnerability.
X. LEGAL NOTICES
Copyright (c) 2005 Francesco "aScii" Ongaro
Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without mine express
written consent. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email me for permission.
Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.
first sql injection ($_GET['date'])
----------------- in traffic.php -----------------
$act = $_GET['act'];
$idToProcess = $_GET['id'];
if ($act=='trafficDetails') {
$date = $_GET['date'];
[..CUT..]
$trafficQuery = "SELECT * FROM userData u where loginStartDate='".$date."' order by loginStartDate,loginStartTime ";
$result = mysql_query($trafficQuery);
--------------------------------------------------
second sql injection ($_GET['date'])
----------------- in traffic.php -----------------
$trafficByUser = "SELECT * FROM traffic where time <= '".$upper."' and time >= '".$lower."' and date='''.$date.'''";
$result = mysql_query($trafficByUser);
--------------------------------------------------
third sql injection ($_GET['id'])
----------------- in traffic.php -----------------
else if ($act=='groupDate'){
[..CUT..]
$trafficQuery = 'SELECT *,count(loginStartDate) FROM userData u where userId='.$idToProcess.' group by loginStartDate order by loginStartDate,loginStartTime';
$result = mysql_query($trafficQuery);
--------------------------------------------------
/milkeyway/admin/traffic.php?id=1&act=groupDate
^
19) userstatistics.php ADD USER SQL INJECTION
-------------- in userstatistics.php -------------
if (isset($_POST['action'])) {
$username = $_POST['username'];
$password = $_POST['password'];
$team = $_POST['team'];
$level = $_POST['level'];
$status = $_POST['status'];
$action = $_POST['action'];
$ipAddress = $_POST['ipAddress'];
$ipAddress = $_POST['macAddress'];
} elseif (isset($_GET['act'])) {
$act = $_GET['act'];
[..CUT..]
if ($action == "Add") {
$situation = $user->add_user($username, $password, $team, $level, $status); // VULNERABLE, SEE POINT 2
--------------------------------------------------
20) userstatistics.php DELETE USER SQL INJECTION
-------------- in userstatistics.php -------------
if ($action=="Delete") {
$delete = $user->delete_user($username); // VULNERABLE, SEE POINT 5
--------------------------------------------------
21) userstatistics.php MODIFY USER SQL INJECTION
-------------- in userstatistics.php -------------
if ($action == "Modify") {
$update = $user->modify_user($username, $password, $team, $level, $status); // VULNERABLE, SEE POINT 6
--------------------------------------------------
22) userstatistics.php EDIT USER SQL INJECTION
-------------- in userstatistics.php -------------
if ($act == "Edit") {
$username = $_GET['username'];
$listusers = mysql_query("SELECT * FROM authuser u LEFT OUTER JOIN userData d on u.id=d.userid where u.uname='$username'");
--------------------------------------------------
23) userstatistics.php MULTIPLE XSS
for example the variable $username is taken an other time from GET and then printed
-------------- in userstatistics.php -------------
if ($act == "statistics") {
$username = $_GET['username'];
[..CUT..]
<? echo $username ?>
--------------------------------------------------
24) userstatistics.php $_GET['username'] SQL INJECTION 1
-------------- in userstatistics.php -------------
if ($act == "statistics") {
$username = $_GET['username'];
[..CUT..]
$result = mysql_query("SELECT id FROM authuser where uname = '$username'");
--------------------------------------------------
25) userstatistics.php $_GET['username'] SQL INJECTION 2
-------------- in userstatistics.php -------------
26) chgpwd.php MULTIPLE SQL INJECTION 1
-------------------- chgpwd.php ------------------
if (isset($_POST['submit'])){
$USERNAME = $_COOKIE['USERNAME'];
$PASSWORD = $_COOKIE['PASSWORD'];
$submit = $_POST['submit'];
$oldpasswd = $_POST['oldpasswd'];
$newpasswd = $_POST['newpasswd'];
$confirmpasswd = $_POST['confirmpasswd'];
[..CUT..]
$userdata = mysql_query("SELECT * FROM authuserWHERE uname='$USERNAME' and passwd='$PASSWORD'");
--------------------------------------------------
27) chgpwd.php MULTIPLE SQL INJECTION 2
-------------------- chgpwd.php ------------------
// If everything is ok, use auth class to modify the record
$update = $user->modify_user($USERNAME, $newpasswd, $check["team"], $check["level"], $check["status"]); // VULNERABLE, SEE CHAPTER 6
--------------------------------------------------
28) logout.php SQL INJECTION
-------------------- chgpwd.php ------------------
$username=$_GET['username'];
[..CUT..]
$utils->updateTimeStamp($username,"loginEndDate","CURRENT_DATE()");
$utils->updateTimeStamp($username,"loginEndTime","CURRENT_TIME()");
--------------------------------------------------
29) CONCLUSION
no conclusion. fuck em.
every function is bogous.
i hope you have magic_quotes on
Francesco 'ascii' Ongaro