Product : phpRank
Date : 10/10/2002
Author : Frank Denis <j@42-networks.com>

------------------------[ Product description ]------------------------

phpRank is a popular set of PHP scripts to easily create and maintain top-lists of web links.

From the official web site (http://www.phpRank.com/) :

<< phpRank Pro is the best way to increase traffic to your web site. What phpRank does is when someone joins your top list site and they bring you people from their site it will increase their site on your list out of whatever amount of people you would like to list, (top 10, 25, 32, 46 or whatever number you want!). >>

Freeware versions (which don't seem to be distributed from the main site any more) have also been released, and they are still widely used.

------------------------[ Vulnerabilities ]------------------------

phpRank has multiple vulnerabilities.

* Cross-site scripting in many places, including the main submit form :

http://example.com/phprank/add.php?page=add&spass=1&name=2&siteurl=3&email=%3Cscript%3Ealert(42)%3C/script%3E

Injection of JavaScript into the main list is simple, for instance through the banner URL :

banurl=http://fake.url/%3E%3Cscript%3Ealert(%22Oh%20oh%22)%3C/script%3E

Anyone can get ranked #1, use a phpRank site to force visitors to transparently vote for another top-list, etc.

* Plaintext password storage.

The administrator's password is stored in plaintext in the source code and in an HTTP cookie called "ap"; no login even has to be supplied. Thanks to the previous cross-site scripting vulnerabilities, the admin password can easily be retrieved.

phpRank also stores all user passwords in plaintext in a MySQL database. Passwords are also sent in plaintext through email to newly registered users and to the local administrator.

* Missing error handling.

No return value of the MySQL functions is ever checked.

Authentication code :

<<<
$mysql_link = mysql_connect($mysql_host, $mysql_user, $mysql_pass);
$sql = "SELECT spass FROM $mysql_table WHERE id = '$id'";
$result = mysql_db_query($mysql_base, $sql, $mysql_link);
while ($p = mysql_fetch_array($result)) {
    $spass = $p['spass'];
}
/* $upass is the password sent through an HTML form */
if ($spass == $upass) {
    /* reconnect to the mysql database */
    /* user is authenticated */
}
>>>

If the MySQL server is temporarily unavailable, $spass is empty, and anyone can log in as any user with an empty password.

* Trivial generation of unique IDs.

Every user is assigned a unique ID, used as a login. That ID is a simple call to the time() function. It dramatically helps quiet cheating (for instance by inserting a self-voting JavaScript in a newly inserted banner) and brute-force attacks.

* Missing authentication check.

The update.php script doesn't check whether the user has supplied a valid password before updating the database when the "page" HTTP variable is set. Anyone can change any entry in the database without authentication, including passwords.

http://example.com/phprank/update.php?page=update&name=zok&description=zok&siteurl=zok&banurl=zok&bh=42&bw=42&email=zok&spass=zok&id=1033913918

------------------------[ Affected versions ]------------------------

All these vulnerabilities have been verified on phpRank 1.8. The cross-site scripting vulnerabilities have also been verified in the professional version of phpRank; the other vulnerabilities haven't been verified there.

------------------------[ Vendor status ]------------------------

The phpRank author was notified on September 3rd 2002; that mail bounced. A new mail was sent on 17 Sep 2002, and that one was successfully delivered. No answer so far, no new release, no patch to fix these issues.

-- 
Frank DENIS (Jedi/Sector One) <j@42-Networks.Com>
Secure FTP Server : http://www.PureFTPd.Org/
Misc. free software : http://www.Jedi.Claranet.Fr/
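The login lookup quoted under "Missing error handling" and the unauthenticated update.php path both come down to the same missing check, so here is the defensive counterpart, as an added example rather than phpRank's own code: every database step is checked, a failed connection or query denies access instead of leaving $spass empty, and the stored value is a password hash rather than the plaintext the advisory describes. It assumes PDO with a table named "sites" (placeholder) whose "spass" column holds a password_hash() result.

```php
<?php
// Added example, not phpRank's code. Hardened counterpart to the
// authentication code quoted in the advisory. Assumed names: a PDO
// connection, a placeholder table "sites", and a "spass" column that
// stores a password_hash() result instead of the plaintext password.

function connectDb(string $dsn, string $user, string $pass): ?PDO
{
    try {
        // ERRMODE_EXCEPTION: failures throw instead of silently returning false.
        return new PDO($dsn, $user, $pass, [
            PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        ]);
    } catch (PDOException $e) {
        error_log('phprank: database unavailable: ' . $e->getMessage());
        return null;
    }
}

function authenticate(?PDO $db, string $id, string $upass): bool
{
    // No database, no id, or an empty password can never authenticate.
    if ($db === null || $id === '' || $upass === '') {
        return false;
    }
    try {
        // Bound parameter instead of interpolating $id into the SQL string.
        $stmt = $db->prepare('SELECT spass FROM sites WHERE id = :id');
        $stmt->execute([':id' => $id]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
    } catch (PDOException $e) {
        // A failed query is an authentication failure, not an empty password.
        error_log('phprank: lookup failed for id ' . $id . ': ' . $e->getMessage());
        return false;
    }
    if ($row === false || !is_string($row['spass']) || $row['spass'] === '') {
        return false; // unknown id, or no credential on record
    }
    // Constant-time comparison of the submitted password against the stored hash.
    return password_verify($upass, $row['spass']);
}

// Registration side: store a hash, never the plaintext (and never mail it).
function hashForStorage(string $newPass): string
{
    return password_hash($newPass, PASSWORD_DEFAULT);
}
```

With this in place, update.php's handler calls authenticate() and refuses the UPDATE on false, regardless of what the "page" variable is set to.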