Hi! OK, another announcement about a PHP application containing unslashed SQL queries and bad include/require statements.

Several problems in 123tkshop
-------------------------------------

# What is 123tkshop?

123tkshop is an e-commerce application written in PHP. It provides a full-featured online shop. More information is available at: <http://www.123tkshop.org/>

#### include + NULL problem ####

# Problem description

There are several include statements which use variables passed by the user. So if register_globals is on and magic_quotes_gpc is off you are able to read any file on the webserver:

function_foot_1.inc.php
[...]
include("styles/$designNo/footer.php");
[...]

# So what's the problem with NULL?

If $designNo contains NULL (aka \0 or %00) the include statement ignores everything after the NULL and includes the file. Here's some metacode explaining the behavior:

foobar.php looks like this:

<?php
include("../".$input."blubb");
?>

Calling the file with the following parameter:

foobar.php?input=bla%00bla

results in (with magic_quotes_gpc enabled):

<br />
<b>Warning</b>: Failed opening '../bla\0blablubb' for inclusion (include_path='.:/usr/local/lib/php') in <b>/home/user/public_html/foobar.php</b> on line <b>2</b><br />

This doesn't seem to be exploitable, but what happens if magic_quotes_gpc is turned off (like in php.ini-recommended, for performance reasons, without pointing to THIS kind of problem)?

<br />
<b>Warning</b>: Failed opening '../bla' for inclusion (include_path='.:/usr/local/lib/php') in <b>/home/user/public_html/foobar.php</b> on line <b>2</b><br />

Huh?! Did you get it? Everything after NULL (%00) is ignored! So what can we do now? We can take a look at the available users:

foobar.php?input=../../../etc/passwd%00

Voila... You can open every file you want. OK, not every file. It has to be readable by the http user, like wwwrun or www.

# And the solution?

One can test if a file exists with the function file_exists().
This function doesn't ignore the characters after NULL. On the other hand, one could try to avoid using user data to open a file at all.

# Fix?

The author released a new version (0.3.1) that checks _every_ file being included. You can download it at <http://www.123tkshop.org/>. If you aren't able to update an older version, enable "magic_quotes_gpc". See <http://php.net/security> for further information about securing PHP applications.

#### missing addslashes() ####

# Problem description

A lot of the data passed to mysqld (there are just a few exceptions) is NOT checked for control characters like ', " et al. So one is able to submit injected SQL queries. The problem exists when magic_quotes_gpc is turned off. function_describe_item1.inc.php is one of the dangerous files.

For further information about dangerous SQL queries see:

* <http://www.php.net/manual/en/security.database.php#security.database.sql-injection>
* <http://www.google.com/search?q=sql+injection+problem>

# And the solution?

One can use addslashes() on _every_ piece of data a user enters that is submitted to the database. Lazy people hope that magic_quotes_gpc is enabled. Never expect that an admin configured a webserver correctly; start the security at application level.

# Fix?

The author will release a new version ASAP.

##### Credits #####

For the german-speaking folk: <http://bluephod.net/>
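A hardened version of the two patterns flagged above (the user-controlled include path from the "include + NULL" section and the unslashed query values from the "missing addslashes()" section), added here as an example; it is not code from 123tkshop or from the advisory's author. The function names, the `styles/<design>/footer.php` layout taken from the advisory, and the `items` table are assumptions.

```php
<?php
// Added example (not 123tkshop code): hardened forms of the two patterns the
// advisory describes. Function names and the "items" table are assumptions.

// Include fix: accept only a design number that matches a strict whitelist,
// which also rules out "..", "/" and a %00 (NUL) byte before include() ever
// sees them, then confirm the resolved path stays inside styles/.
function safe_design_footer($designNo)
{
    // /D makes $ match only at the very end, so a trailing newline is rejected too.
    if (!is_string($designNo) || !preg_match('/^[A-Za-z0-9_]{1,32}$/D', $designNo)) {
        return false;
    }
    $base = realpath(dirname(__FILE__) . '/styles');
    $file = realpath($base . '/' . $designNo . '/footer.php');
    // realpath() returns false when the file does not exist (unlike include(),
    // it does not silently truncate), and the prefix check stops traversal.
    if ($base === false || $file === false
        || strpos($file, $base . DIRECTORY_SEPARATOR) !== 0) {
        return false;
    }
    include($file);
    return true;
}

// SQL fix: escape every user-supplied value before it is placed into a query,
// whatever magic_quotes_gpc is set to. If magic quotes are on, the input has
// already been slashed once, so undo that first to avoid double escaping.
function quote_for_sql($value)
{
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return "'" . addslashes($value) . "'";
}

function build_item_query($itemId)
{
    // The pattern the advisory warns about, shown only for contrast:
    //   "SELECT * FROM items WHERE id = '$itemId'"
    // Here the value always goes through quote_for_sql() first.
    return "SELECT * FROM items WHERE id = " . quote_for_sql($itemId);
}

// Usage (assumes register_globals is off and the values come from $_GET):
// safe_design_footer(isset($_GET['designNo']) ? $_GET['designNo'] : '');
// $sql = build_item_query(isset($_GET['item']) ? $_GET['item'] : '');
?>
```

The whitelist on `$designNo` is the real defence for the include: as the advisory notes, `include()` stops at the NUL byte, so any check that only looks at the final path would still be fooled, whereas refusing everything but a short alphanumeric identifier leaves nothing for `%00` or `../` to work with. `addslashes()` is what the advisory recommends and is shown here for that reason; on current PHP releases, prepared statements with bound parameters are the standard replacement, since escaping by hand depends on the connection's character set.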