Hi,

We are a group of Stanford researchers and we have recently developed an
automated tool for detecting injection vulnerabilities in PHP. We ran our
tool on the following list of software and found 99 potential security
vulnerabilities (inspected bug reports attached below):

  e107 -- v0.7
  myBloggie -- v2.1.3beta
  Utopia NewsPro -- v1.1.4
  DCP Portal -- v6.1.1
  PHP Webthings -- v1.4 patched

The tool detects unsanitized user input that subsequently flows into SQL
queries. With slight modifications, it can also find potential XSS
vulnerabilities by inspecting strings echo'ed back as HTML output.

Most of these seem remotely exploitable, and we have notified vendors of
confirmed exploits. We decided not to publish exploits in the interest of
web sites that have deployed such software. More detailed information
about the tool, including proof of concept exploits (vendor notified, and
since patched), can be obtained from the links below.

We'll appreciate any comments and feedback regarding the tool and the
results.

Thanks,
Yichen Xie

For more information:
  http://glide.stanford.edu/yichen/research/sec.ps
  http://glide.stanford.edu/yichen/research/sec.pdf


==========
PHP-fusion
==========


==============
Utopia NewsPro
==============

8 potentially exploitable vulnerabilities

ERROR: ./editnews.php:@main: _POST#g["newsid"]
----------------------------------------------
This error occurs at lines 24-25 in editnews.php. User input
_POST["newsid"] may directly flow into the SQL query below, resulting in a
potentially exploitable SQL injection vulnerability.

ERROR: ./faq.php:@main: _GET#g["catid"]
---------------------------------------
This error occurs at lines 61-62 in faq.php. We believe user input
_GET["catid"] is improperly checked in the following line: the regular
expression seems to only check for the existence of a number. It is
probably missing "^" and "$", which would ensure that "catid" _is_ a
number.

ERROR: ./faq.php:@main: _GET#g["question"]
------------------------------------------
Lines 107-108 in faq.php. Similar to the above.

ERROR: ./postnews.php:@main: _POST#g["poster"]
----------------------------------------------
Line 28: $newsposter is not validated before being passed into the query
string at line 42.

ERROR: ./templates.php:@main: _POST#g["tempid"]
-----------------------------------------------
Line 33: $tempid is not validated before being passed into the query
string at line 40.

ERROR: ./users.php:@main: _GET#g["userid"]
------------------------------------------
Line 256: $userid is not properly validated: the regular expression at
line 262 checks for the existence of a number in $userid. Missing "^" and
"$"?

ERROR: ./users.php:@main: _POST#g["groupid"]
--------------------------------------------
Line 31: $groupid is not validated before being passed into the query
string at line 72.

ERROR: ./users.php:@main: _POST#g["userid"]
-------------------------------------------
Line 29: $userid is not validated before being passed into the query
string at line 54.


====
e107
====

ERROR: ./signup.php:@main: _POST#g["email"]
-------------------------------------------
Line 256: malformed $_POST['email'] may cause SQL injection.

ERROR: ./signup.php:@main: _POST#g["hideemail"]
-----------------------------------------------
Line 336: malformed $_POST['hideemail'] may cause SQL injection.

ERROR: ./signup.php:@main: _POST#g["image"]
-------------------------------------------
Line 336: malformed $_POST['image'] may cause SQL injection.

ERROR: ./signup.php:@main: _POST#g["realname"]
----------------------------------------------
Line 336: Similar to the above.

ERROR: ./signup.php:@main: _POST#g["signature"]
-----------------------------------------------
Line 336: Similar to the above.

ERROR: ./signup.php:@main: _POST#g["timezone"]
----------------------------------------------
Line 336: Similar to the above.

ERROR: ./signup.php:@main: _POST#g["xupexist"]
----------------------------------------------
Line 336: Similar to the above.

ERROR: ./subcontent.php:@main: _POST#g["content_comment"]
ERROR: ./subcontent.php:@main: _POST#g["content_rating"]
ERROR: ./subcontent.php:@main: _POST#g["content_summary"]
---------------------------------------------------------
Line 119: Similar to the above.

ERROR: ./upload.php:@main: _POST#g["download_category"]
ERROR: ./upload.php:@main: _POST#g["file_demo"]
-------------------------------------------------------
Line 59.

ERROR: ./usersettings.php:@main: _POST#g["email"]
-------------------------------------------------
Line 201: the validity check of _POST["email"] does not prevent SQL
injection into the query string at line 205.

ERROR: ./usersettings.php:@main: _POST#g["hideemail"]
-----------------------------------------------------
Use of non-validated input _POST["hideemail"] at line 276.

ERROR: ./usersettings.php:@main: _POST#g["user_timezone"]
---------------------------------------------------------
Same as above.

ERROR: ./usersettings.php:@main: _POST#g["user_xup"]
----------------------------------------------------
Same as above.


=========
myBloggie
=========

16 potentially exploitable vulnerabilities

ERROR: ./login.php:@main: _POST#g["username"]
---------------------------------------------
Def: line 41; Use: line 65 (fixed by the recent patch).

ERROR: ./add.php:@main: _POST#g["category"]
-------------------------------------------
$cat_id defined at line 203 may cause SQL injection in the query string
at line 268.

ERROR: ./addcat.php:@main: _POST#g["cat_desc"]
----------------------------------------------
$cat_desc defined at line 73, and passed into the SQL query at line 79.

ERROR: ./adduser.php:@main: _POST#g["level"]
--------------------------------------------
$level defined at line 48, and passed into the SQL query at line 74.

ERROR: ./adduser.php:@main: _POST#g["user"]
-------------------------------------------
$user defined at line 46, and used in the query string at line 50.

ERROR: ./del.php:@main: _GET#g["post_id"]
-----------------------------------------
Def: line 35; Use: line 44.

ERROR: ./delcat.php:@main: _GET#g["cat_id"]
-------------------------------------------
Def: line 44; Use: line 52.

ERROR: ./delcomment.php:@main: HTTP_GET_VARS#g["comment_id"]
------------------------------------------------------------
Line 35: inappropriate validation with "intval".

ERROR: ./deluser.php:@main: _GET#g["id"]
----------------------------------------
Def: line 45; Use: line 53.

ERROR: ./edit.php:@main: _GET#g["post_id"]
------------------------------------------
Def: line 31; Use: lines 43, 45.

ERROR: ./edit.php:@main: _POST#g["category"]
--------------------------------------------
Def: line 195; Use: line 228.

ERROR: ./editcat.php:@main: _GET#g["cat_id"]
--------------------------------------------
Def: line 64; Use: line 66.

ERROR: ./editcat.php:@main: _POST#g["cat_desc"]
-----------------------------------------------
Def: line 83; Use: line 84.

ERROR: ./edituser.php:@main: _GET#g["id"]
-----------------------------------------
Def: line 47; Use: line 50.

ERROR: ./edituser.php:@main: _POST#g["level"]
---------------------------------------------
Def: line 94; Use: lines 97, 103.

ERROR: ./edituser.php:@main: _POST#g["user"]
--------------------------------------------
Def: line 71; Use: lines 97, 103.


=============
PHP Webthings
=============

20 potentially exploitable SQL injection vulnerabilities

ERROR: ./download.php:@main: _GET#g["ref"]
------------------------------------------
Bug in function draw_download_categories (used in download.php), defined
in modules/downloads/functions.php. $ref1 holds user input $_GET["ref"]
(line 33) and is used in the query on line 41.

ERROR: ./forum.php:@main: _GET#g["direction"]
---------------------------------------------
Bug occurs in function draw_fs_small (used in forum.php, line 231),
defined in modules/downloads/functions.php. $direction holds user input
$_GET['direction'] and is subsequently used in the construction of SQL
queries.

ERROR: ./forum.php:@main: _POST#g["direction"]
----------------------------------------------
Same as above.

ERROR: ./forum.php:@main: _GET#g["forum"]
-----------------------------------------
Line 22 in forum.php.

ERROR: ./forum.php:@main: _GET#g["msg"]
---------------------------------------
forum.php: line 58.

ERROR: ./forum.php:@main: _GET#g["sforum"]
------------------------------------------
Bug occurs in function draw_fs_form (used in forum.php, line 186), defined
in modules/downloads/functions.php. $forumcod is defined using
$_GET["sforum"], and subsequently used in the construction of SQL queries.

ERROR: ./forum.php:@main: _POST#g["sforum"]
-------------------------------------------
Same as above.

ERROR: ./forum.php:@main: _POST#g["reason"]
-------------------------------------------
modules/forum/movetopic.php: defined on lines 74 and 80, used on line 90.

ERROR: ./forum.php:@main: _REQUEST#g["forum"]
---------------------------------------------
Defined: forum.php: line 124. Used: modules/forum/split.php: line 2.

ERROR: ./forum.php:@main: _REQUEST#g["msg"]
-------------------------------------------
Defined: forum.php: line 122. Used: modules/forum/split.php: line 2.

ERROR: ./forum.php:@main: _REQUEST#g["subname"]
-----------------------------------------------
Defined: line 135; used: line 139.

ERROR: ./forum.php:@main: _REQUEST#g["toforum"]
-----------------------------------------------
Defined: forum.php: line 110. Used: modules/forum/movetopic.php: line 62.

ERROR: ./forum_edit.php:@main: _GET#g["msg"]
--------------------------------------------
Line 25.

ERROR: ./forum_edit.php:@main: _GET#g["forum"]
----------------------------------------------
Line 25.

ERROR: ./forum_write.php:@main: _GET#g["forum"]
-----------------------------------------------
Invokes forum_edit.php; same as above.

ERROR: ./forum_write.php:@main: _GET#g["msg"]
---------------------------------------------
Invokes forum_edit.php; same as above.

ERROR: ./forum_write.php:@main: _POST#g["msg"]
----------------------------------------------
modules/forum/write.php: def: line 85, use: line 88.

ERROR: ./guestbook.php:@main: _POST#g["tekst"]
----------------------------------------------
modules/guestbook/functions.php: def: line 202, use: line 203.

ERROR: ./index.php:@main: _REQUEST#g["menuoption"]
--------------------------------------------------
Def: index.php: line 7. Use: core/theme.php: line 148.

ERROR: ./myaccount.php:@main: _POST#g["sel_avatar"]
---------------------------------------------------
Def: line 186. Use: line 195.


==========
DCP Portal
==========

ERROR: ./advertiser.php:@main: _POST#g["password"]
--------------------------------------------------
Line 50.

ERROR: ./advertiser.php:@main: _POST#g["username"]
--------------------------------------------------
Line 50.

ERROR: ./annoucement.php:@main: _GET#g["aid"]
---------------------------------------------
Line 13.

ERROR: ./calendar.php:@main: _COOKIE#g["dcp5_member_id"]
--------------------------------------------------------
Def: line 23. Use: lines 65-66.

ERROR: ./calendar.php:@main: _POST#g["year"]
--------------------------------------------
Def: line 38. Use: lines 65-66.

ERROR: ./calendar.php:@main: _REQUEST#g["agid"]
-----------------------------------------------
Lines 215-216.

ERROR: ./calendar.php:@main: _REQUEST#g["day"]
----------------------------------------------
Def: line 38. Use: lines 65-66.

ERROR: ./calendar.php:@main: _REQUEST#g["day_s"]
------------------------------------------------
Lines 209-210.

ERROR: ./calendar.php:@main: _REQUEST#g["hour"]
-----------------------------------------------
Lines 209-210.

ERROR: ./calendar.php:@main: _REQUEST#g["minute"]
-------------------------------------------------
Lines 209-210.

ERROR: ./calendar.php:@main: _REQUEST#g["month"]
------------------------------------------------
Def: line 41. Use: lines 65-66.

ERROR: ./calendar.php:@main: _REQUEST#g["month_s"]
--------------------------------------------------
Lines 209-210.

ERROR: ./calendar.php:@main: _REQUEST#g["year"]
-----------------------------------------------
Def: line 41. Use: lines 65-66.

ERROR: ./calendar.php:@main: _REQUEST#g["year_s"]
-------------------------------------------------
Lines 209-210.

ERROR: ./contents.php:@main: _GET#g["cid"]
------------------------------------------
Line 15.

ERROR: ./forums.php:@main: _COOKIE#g["dcp5_member_id"]
------------------------------------------------------
Line 93: UserValid uses _COOKIE#g["dcp5_member_id"] in a query.

ERROR: ./forums.php:@main: _GET#g["bid"]
----------------------------------------
Line 87.

ERROR: ./forums.php:@main: _GET#g["mid"]
----------------------------------------
Line 161.

ERROR: ./forums.php:@main: _POST#g["mid"]
-----------------------------------------
Line 221.

ERROR: ./go.php:@main: _GET#g["bid"]
------------------------------------
Line 9.

ERROR: ./golink.php:@main: _GET#g["lid"]
----------------------------------------
Line 9.

ERROR: ./inbox.php:@main: _COOKIE#g["dcp5_member_id"]
-----------------------------------------------------
Line 9: UserValid uses _COOKIE#g["dcp5_member_id"] in a query.

ERROR: ./inbox.php:@main: _GET#g["mid"]
---------------------------------------
Line 239.

ERROR: ./index.php:@main: _GET#g["catid"]
-----------------------------------------
Line 234.

ERROR: ./index.php:@main: _GET#g["cid"]
---------------------------------------
Line 60.

ERROR: ./index.php:@main: _GET#g["dcat"]
----------------------------------------
Line 306.

ERROR: ./index.php:@main: _GET#g["dl"]
--------------------------------------
Line 370.

ERROR: ./index.php:@main: _GET#g["doc"]
---------------------------------------
Line 328.

ERROR: ./index.php:@main: _GET#g["lcat"]
----------------------------------------
Line 252.

ERROR: ./index.php:@main: _GET#g["uid"]
---------------------------------------
Line 538.

ERROR: ./informer.php:@main: _COOKIE#g["dcp5_member_id"]
--------------------------------------------------------
Line 9, UserValid.

ERROR: ./lostpassword.php:@main: _POST#g["email"]
-------------------------------------------------
Line 91.

ERROR: ./mycontents.php:@main: _COOKIE#g["dcp5_member_id"]
----------------------------------------------------------
Line 9, UserValid.

ERROR: ./news.php:@main: _GET#g["nid"]
--------------------------------------
Line 13.

ERROR: ./rate.php:@main: _GET#g["cid"]
--------------------------------------
Line 9.

ERROR: ./rate.php:@main: _GET#g["type"]
---------------------------------------
Line 17.

ERROR: ./rate.php:@main: _POST#g["rate"]
----------------------------------------
Line 17.

ERROR: ./search.php:@main: _POST#g["q"]
---------------------------------------
Lines 20, 28, 36...

ERROR: ./update.php:@main: _COOKIE#g["dcp5_member_id"]
------------------------------------------------------
Line 9.
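The anchoring mistake the report calls out for faq.php ("catid") and users.php ("userid") is a regular expression that only checks that a digit occurs somewhere in the parameter. The following PHP is an added example written for this page; it is not code from the post or from any of the listed projects. The function names, the table name faq and the sample inputs are constructed for illustration. It goes a step beyond the report by showing that "^...$" alone is still not airtight in PCRE, and what a durable fix looks like:

```php
<?php
// Added example (not from the original post or the listed projects).
// Demonstrates why a digit check without "^" and "$" lets SQL injection
// payloads through, and why binding an integer parameter is the real fix.
// All names below (functions, table "faq", sample inputs) are illustrative.

declare(strict_types=1);

// The shape of the flagged checks: digits must appear *somewhere*.
function looksNumericUnanchored(string $value): bool
{
    return preg_match('/[0-9]+/', $value) === 1;
}

// Anchored with ^ and $, as the report suggests. Better, but in PCRE the
// "$" anchor also matches just before a trailing newline (without the D
// modifier), so "7\n" still passes.
function looksNumericDollarAnchored(string $value): bool
{
    return preg_match('/^[0-9]+$/', $value) === 1;
}

// Anchored with \z (absolute end of subject): only a pure digit string passes.
function isDigitString(string $value): bool
{
    return preg_match('/^[0-9]+\z/', $value) === 1;
}

// How the flagged code shapes the query: the "validated" value is
// concatenated straight into SQL text.
function buildQuery(string $catid): string
{
    return 'SELECT * FROM faq WHERE catid = ' . $catid;
}

// Constructed inputs: a legitimate id, a tautology, a UNION payload, and an
// id with a trailing newline.
$inputs = [
    '7',
    '7 OR 1=1',
    '0 UNION SELECT username, password FROM users -- ',
    "7\n",
];

foreach ($inputs as $in) {
    printf(
        "%-52s unanchored=%-6s ^...\$=%-6s ^...\\z=%s\n",
        json_encode($in),
        looksNumericUnanchored($in) ? 'pass' : 'reject',
        looksNumericDollarAnchored($in) ? 'pass' : 'reject',
        isDigitString($in) ? 'pass' : 'reject'
    );
}

// With the unanchored check every payload reaches the query unchanged.
echo buildQuery('7 OR 1=1'), "\n";

// Durable fix: validate, then bind the id as an integer parameter instead of
// building SQL from strings. Connection setup is omitted; $db is assumed to
// be an open PDO handle.
function fetchCategory(PDO $db, string $catid): array
{
    if (!isDigitString($catid)) {
        throw new InvalidArgumentException('catid must be a decimal integer');
    }
    $stmt = $db->prepare('SELECT * FROM faq WHERE catid = :catid');
    $stmt->bindValue(':catid', (int) $catid, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}
```

Run it with the PHP CLI; the table it prints shows the unanchored check accepting all four inputs, the "^...$" form rejecting the two payloads but still accepting "7\n", and the "\z" form accepting only "7". The trailing-newline case is the caveat to keep in mind when reading the report's "missing ^ and $" remarks: the anchors fix the reported problem, but the safe pattern is to treat the regex as input validation only and keep the query itself parameterized.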