what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Milkeyway-0.1.1.txt

Milkeyway-0.1.1.txt
Posted Mar 20, 2006
Authored by Francesco Ongaro | Site ush.it

Milkeyway Captive Portal versions 0.1 and 0.1.1 are vulnerable to many SQL injection and XSS vulnerabilities. Detailed POC included.

tags | exploit, vulnerability, sql injection
SHA-256 | ac204592ba8d46b51a0cd05581ac6ff707420ab9e164e86a54872fef2b8f131e

Milkeyway-0.1.1.txt

Change Mirror Download
Milkeyway Captive Portal Multiple Vulnerabilities

Name Multiple Vulnerabilities in Milkeyway Captive Portal
Systems Affected WebCalendar (any version, verified on 0.1 and 0.1.1)
Severity Medium Risk
Vendor sourceforge.net/projects/milkeyway
Advisory http://www.ush.it/team/ascii/hack-milkeway/milkeyway.txt
Author Francesco "aScii" Ongaro (ascii at katamail . com)
Date 20060316

I. BACKGROUND

Milkeyway is a software for the management and administration of
internet access within public structures and frameworks, where
the service supplying must be submitted to a scrupulous inspection.

II. DESCRIPTION

Nearly all SQL queries are vulnerable to SQL injection vulnerabilities.
There are also some XSS vulnerabilities.

III. ANALYSIS

Since there are 28 detected different vulnerabilities only an
abstract will be included in this mail, please refer to the complete
advisory aviable here:

http://www.ush.it/team/ascii/hack-milkeway/milkeyway.txt

1) LOGIN PAGE authenticate() SQL INJECTION
2) add_userIp() SQL INJECTION
3) updateTimeStamp() SQL INJECTION
4) authuser.php USER DELETE SQL INJECTION
5) delete_user() SQL INJECTION
6) authuser.php MODIFY USER modify_user() SQL INJECTION
7) authuser.php MULTIPLE XSS
8) authuser.php EDIT SQL INJECTION
9) authuser.php RELEASE USER SQL INJECTION
10) releaseUser() SQL INJECTION
11) authuser.php ORDERING SQL INJECTION
12) authgroup.php ADD GROUP SQL INJECTION
13) add_team() SQL INJECTION
14) authgroup.php DELETE GROUP SQL INJECTION
15) delete_team() SQL INJECTION
16) authgroup.php MODIFY TEAM SQL INJECTION
17) modify_team() SQL INJECTION
18) traffic.php MULTIPLE SQL INJECTION
19) userstatistics.php ADD USER SQL INJECTION
20) userstatistics.php DELETE USER SQL INJECTION
21) userstatistics.php MODIFY USER SQL INJECTION
22) userstatistics.php EDIT USER SQL INJECTION
23) userstatistics.php MULTIPLE XSS
24) userstatistics.php $_GET['username'] SQL INJECTION 1
25) userstatistics.php $_GET['username'] SQL INJECTION 2
26) chgpwd.php SQL INJECTION 1
27) chgpwd.php SQL INJECTION 2
28) logout.php SQL INJECTION

IV. DETECTION

Milkeyway 0.1 and 0.1.1 are vulnerable.

V. WORKAROUND

Input validation will fix the vulnerability.
Magic quotes ON will protect you against most of these injections
except chapter 11 (authuser.php ORDERING SQL INJECTION) where the
input has no single or double quotes around, making magic quotes
useless.

11) SQL is injectable by $_GET['filter']

---------------- in authuser.php -----------------
$orderingFilter = $_GET['filter'];
if ($orderingFilter == '') $orderBy ="order by uname ASC" ;
else $orderBy ="order by ".$orderingFilter." ".$direction;
$result = mysql_query("SELECT * FROM authuser ".$orderBy );
--------------------------------------------------

VI. VENDOR RESPONSE

Vendor has been contacted.

VII. CVE INFORMATION

No CVE at this time.

VIII. DISCLOSURE TIMELINE

20060301 Bug discovered
20060316 Vendor contacted
20060316 Advisory released

IX. CREDIT

ascii is credited with the discovery of this vulnerability.

X. LEGAL NOTICES

Copyright (c) 2005 Francesco "aScii" Ongaro

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without mine express
written consent. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email me for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.




first sql injection ($_GET['date'])

----------------- in traffic.php -----------------

$act = $_GET['act'];
$idToProcess = $_GET['id'];
if ($act=='trafficDetails') {
$date = $_GET['date'];
[..CUT..]
$trafficQuery = "SELECT * FROM userData u where loginStartDate='".$date."' order by loginStartDate,loginStartTime ";
$result = mysql_query($trafficQuery);

--------------------------------------------------

second sql injection ($_GET['date'])

----------------- in traffic.php -----------------

$trafficByUser = "SELECT * FROM traffic where time <= '".$upper."' and time >= '".$lower."' and date='''.$date.'''";
$result = mysql_query($trafficByUser);

--------------------------------------------------

third sql injection ($_GET['id'])

----------------- in traffic.php -----------------

else if ($act=='groupDate'){
[..CUT..]
$trafficQuery = 'SELECT *,count(loginStartDate) FROM userData u where userId='.$idToProcess.' group by loginStartDate order by loginStartDate,loginStartTime';
$result = mysql_query($trafficQuery);

--------------------------------------------------

/milkeyway/admin/traffic.php?id=1&act=groupDate
^

19) userstatistics.php ADD USER SQL INJECTION

-------------- in userstatistics.php -------------

if (isset($_POST['action'])) {
$username = $_POST['username'];
$password = $_POST['password'];
$team = $_POST['team'];
$level = $_POST['level'];
$status = $_POST['status'];
$action = $_POST['action'];
$ipAddress = $_POST['ipAddress'];
$ipAddress = $_POST['macAddress'];
} elseif (isset($_GET['act'])) {
$act = $_GET['act'];

[..CUT..]

if ($action == "Add") {
$situation = $user->add_user($username, $password, $team, $level, $status); // VULNERABLE, SEE POINT 2

--------------------------------------------------

20) userstatistics.php DELETE USER SQL INJECTION

-------------- in userstatistics.php -------------

if ($action=="Delete") {
$delete = $user->delete_user($username); // VULNERABLE, SEE POINT 5

--------------------------------------------------

21) userstatistics.php MODIFY USER SQL INJECTION

-------------- in userstatistics.php -------------

if ($action == "Modify") {
$update = $user->modify_user($username, $password, $team, $level, $status); // VULNERABLE, SEE POINT 6

--------------------------------------------------

22) userstatistics.php EDIT USER SQL INJECTION

-------------- in userstatistics.php -------------

if ($act == "Edit") {
$username = $_GET['username'];
$listusers = mysql_query("SELECT * FROM authuser u LEFT OUTER JOIN userData d on u.id=d.userid where u.uname='$username'");

--------------------------------------------------

23) userstatistics.php MULTIPLE XSS

for example the variable $username is taken an other time from GET and then printed

-------------- in userstatistics.php -------------

if ($act == "statistics") {
$username = $_GET['username'];

[..CUT..]

<? echo $username ?>

--------------------------------------------------

24) userstatistics.php $_GET['username'] SQL INJECTION 1

-------------- in userstatistics.php -------------

if ($act == "statistics") {
$username = $_GET['username'];

[..CUT..]

$result = mysql_query("SELECT id FROM authuser where uname = '$username'");

--------------------------------------------------

25) userstatistics.php $_GET['username'] SQL INJECTION 2

-------------- in userstatistics.php -------------



26) chgpwd.php MULTIPLE SQL INJECTION 1

-------------------- chgpwd.php ------------------

if (isset($_POST['submit'])){
$USERNAME = $_COOKIE['USERNAME'];
$PASSWORD = $_COOKIE['PASSWORD'];
$submit = $_POST['submit'];
$oldpasswd = $_POST['oldpasswd'];
$newpasswd = $_POST['newpasswd'];
$confirmpasswd = $_POST['confirmpasswd'];
[..CUT..]
$userdata = mysql_query("SELECT * FROM authuserWHERE uname='$USERNAME' and passwd='$PASSWORD'");

--------------------------------------------------

27) chgpwd.php MULTIPLE SQL INJECTION 2

-------------------- chgpwd.php ------------------

// If everything is ok, use auth class to modify the record
$update = $user->modify_user($USERNAME, $newpasswd, $check["team"], $check["level"], $check["status"]); // VULNERABLE, SEE CHAPTER 6

--------------------------------------------------

28) logout.php SQL INJECTION

-------------------- chgpwd.php ------------------

$username=$_GET['username'];
[..CUT..]
$utils->updateTimeStamp($username,"loginEndDate","CURRENT_DATE()");
$utils->updateTimeStamp($username,"loginEndTime","CURRENT_TIME()");

--------------------------------------------------

29) CONCLUSION

no conclusion. fuck em.
every function is bogous.

i hope you have magic_quotes on

Francesco 'ascii' Ongaro



Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    0 Files
  • 12
    Nov 12th
    0 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close