Excuse my ignorance, or currently tired state, but where is the actual tool located? I can find the paper OK. Thanks. --A On 11 Dec 2005 21:17:25 -0000, php-checker@xxxxxxxxxxxxxxxxxx <php-checker@xxxxxxxxxxxxxxxxxx> wrote: > Hi, we are a group of Stanford researchers and we have recently > developed an automated tool for detecting injection vulnerabilities in > PHP. We ran our tool on the following list of software and found 99 > potential security vulnerabilites (inspected bug reports attached > below): > > e107 -- v0.7 > myBloggie -- v2.1.3beta > utopia NewPro -- v1.1.4 > DCP Portal -- v6.1.1 > PHP Webthings -- v1.4 patched > > The tool detects unsanitized user input that subsequently flow into > SQL queries. With slight modifications, it can also find potential XSS > vulnerabilities by inspecting strings echo'ed back as HTML output. > > Most of which seem remotely exploitable, and we have notified vendors > of confirmed exploits. We decided not to publish exploits for the > interest of web sites that have deployed such software. > > More detailed information, including proof of concept exploits (vendor > notified, and since patched), about the tool can be obtained from the > links below. > > We'll appreciate any comments and feedbacks regarding the tool and the > results. > > Thanks, > Yichen Xie > > For more information: > > http://glide.stanford.edu/yichen/research/sec.ps > http://glide.stanford.edu/yichen/research/sec.pdf > > ========== > PHP-fusion > ========== > > ============== > Utopia NewsPro > ============== > > 8 potentially exploitable vulnerabilities > > ERROR: ./editnews.php:@main: _POST#g["newsid"] > ---------------------------------------------- > This error occurs at lines 24-25 in editnews.php. User input > _POST["newsid"] may directly flow into the SQL query below, resulting > in a potentially exploitable SQL injection vulnerability. > > ERROR: ./faq.php:@main: _GET#g["catid"] > --------------------------------------- > This error occurs at lines 61-62 in faq.php. We believe user input > _GET["catid"] is improperly checked in the following line: the regular > expression seem to only check the existence of a number. It is > probably missing "^" and "$" that ensures "catid" _is_ a number. > > ERROR: ./faq.php:@main: _GET#g["question"] > ------------------------------------------ > Lines 107-108 in faq.php. Similar as above. > > ERROR: ./postnews.php:@main: _POST#g["poster"] > ---------------------------------------------- > Line 28: $newsposter is not validated before being passed into the > query string at line 42. > > ERROR: ./templates.php:@main: _POST#g["tempid"] > ----------------------------------------------- > Line 33: $tempid is not validated before being passed into the query > string at line 40. > > ERROR: ./users.php:@main: _GET#g["userid"] > ------------------------------------------ > Line 256: $userid is not properly validated: the regular expression > at line 262 checks the existence of a number in $userid. Missing "^" > and "$"? > > ERROR: ./users.php:@main: _POST#g["groupid"] > -------------------------------------------- > Line 31: $groupid is not validated before being passed into the query > string at line 72. > > ERROR: ./users.php:@main: _POST#g["userid"] > ------------------------------------------- > Line 29: $userid is not validated before being passed into the query > string at line 54. > > ====== > e107 > ====== > > ERROR: ./signup.php:@main: _POST#g["email"] > ------------------------------------------- > Line 256: malformed $_POST['email'] may cause SQL injection. > > ERROR: ./signup.php:@main: _POST#g["hideemail"] > ----------------------------------------------- > Line 336: malformed $_POST['hideemail'] may cause SQL injection. > > ERROR: ./signup.php:@main: _POST#g["image"] > ------------------------------------------- > Line 336: malformed $_POST['image'] may cause SQL injection. > > ERROR: ./signup.php:@main: _POST#g["realname"] > ---------------------------------------------- > Line 336: Similar as above. > > ERROR: ./signup.php:@main: _POST#g["signature"] > ----------------------------------------------- > Line 336: Similar as above. > > ERROR: ./signup.php:@main: _POST#g["timezone"] > ---------------------------------------------- > Line 336: Similar as above. > > ERROR: ./signup.php:@main: _POST#g["xupexist"] > ---------------------------------------------- > Line 336: Similar as above. > > ERROR: ./subcontent.php:@main: _POST#g["content_comment"] > ERROR: ./subcontent.php:@main: _POST#g["content_rating"] > ERROR: ./subcontent.php:@main: _POST#g["content_summary"] > --------------------------------------------------------- > Line 119: Similar as above > > ERROR: ./upload.php:@main: _POST#g["download_category"] > ERROR: ./upload.php:@main: _POST#g["file_demo"] > ------------------------------------------------------- > Line 59 > > ERROR: ./usersettings.php:@main: _POST#g["email"] > ------------------------------------------------- > Line 201: validity check of _POST["email"] does not prevent SQL > injection into query string at Line 205. > > ERROR: ./usersettings.php:@main: _POST#g["hideemail"] > ----------------------------------------------------- > Use of non-validated input _POST["hideemail"] at line 276. > > ERROR: ./usersettings.php:@main: _POST#g["user_timezone"] > --------------------------------------------------------- > Same as above. > > ERROR: ./usersettings.php:@main: _POST#g["user_xup"] > ---------------------------------------------------- > Same as above. > > =========== > myBloggie > =========== > > 16 potentially expoloitable vulnerabilities > > ERROR: ./login.php:@main: _POST#g["username"] > --------------------------------------------- > Def: Line 41; Use: line 65 (fixed by the recent patch) > > ERROR: ./add.php:@main: _POST#g["category"] > ------------------------------------------- > $cat_id defined at line 203 may cause SQL injection in query string at > line 268. > > ERROR: ./addcat.php:@main: _POST#g["cat_desc"] > ---------------------------------------------- > $cat_desc defined at line 73, and passed into SQL query at line 79. > > ERROR: ./adduser.php:@main: _POST#g["level"] > -------------------------------------------- > $level defined at line 48, and passed into SQL query at line 74. > > ERROR: ./adduser.php:@main: _POST#g["user"] > ------------------------------------------- > $user defined at line 46, and used in query string at line 50. > > ERROR: ./del.php:@main: _GET#g["post_id"] > ----------------------------------------- > Def: line 35; Use: line 44 > > ERROR: ./delcat.php:@main: _GET#g["cat_id"] > ------------------------------------------- > Def: line 44; Use: line 52 > > ERROR: ./delcomment.php:@main: HTTP_GET_VARS#g["comment_id"] > ------------------------------------------------------------ > Line 35: inappropriate validation with "intval" > > ERROR: ./deluser.php:@main: _GET#g["id"] > ---------------------------------------- > Def: line 45; Use: line 53 > > ERROR: ./edit.php:@main: _GET#g["post_id"] > ------------------------------------------ > Def: line 31; Use: line 43, 45 > > ERROR: ./edit.php:@main: _POST#g["category"] > -------------------------------------------- > Def: line 195; Use: line 228 > > ERROR: ./editcat.php:@main: _GET#g["cat_id"] > -------------------------------------------- > Def: line 64; Use: line 66 > > ERROR: ./editcat.php:@main: _POST#g["cat_desc"] > ----------------------------------------------- > Def: line 83; Use: line 84 > > ERROR: ./edituser.php:@main: _GET#g["id"] > ----------------------------------------- > Def: line 47; Use: line 50 > > ERROR: ./edituser.php:@main: _POST#g["level"] > --------------------------------------------- > Def: line 94; Use: line 97, 103 > > ERROR: ./edituser.php:@main: _POST#g["user"] > -------------------------------------------- > Def: line 71; Use: line 97, 103 > > =============== > PHP Webthings > =============== > > 20 potentially exploitable SQL injection vulnerabilities > > ERROR: ./download.php:@main: _GET#g["ref"] > ------------------------------------------ > bug in function draw_download_categories (used in download.php), > defined in modules/downloads/functions.php. $ref1 holds user input > $_GET["ref"] (line 33) and used in query on line 41. > > ERROR: ./forum.php:@main: _GET#g["direction"] > --------------------------------------------- > bug occurs in function draw_fs_small (used in forum.php, line 231) > defined in modules/downloads/functions.php. $direction holds > user input $_GET['direction'] and is subsequently used in construction > of SQL queries. > > ERROR: ./forum.php:@main: _POST#g["direction"] > ---------------------------------------------- > same as above. > > ERROR: ./forum.php:@main: _GET#g["forum"] > ----------------------------------------- > Line 22 in forum.php. > > ERROR: ./forum.php:@main: _GET#g["msg"] > --------------------------------------- > forum.php: Line 58. > > ERROR: ./forum.php:@main: _GET#g["sforum"] > ------------------------------------------ > bug occurs in function draw_fs_form (used in forum.php, line 186) > defined in modules/downloads/functions.php. $forumcod is defined using > $_GET["sforum"], and subsequently used in construction of SQL queries. > > ERROR: ./forum.php:@main: _POST#g["sforum"] > ------------------------------------------- > same as above > > ERROR: ./forum.php:@main: _POST#g["reason"] > ------------------------------------------- > modules/forum/movetopic.php: defined on line 74 and 80, used on line > 90 > > ERROR: ./forum.php:@main: _REQUEST#g["forum"] > --------------------------------------------- > defined: forum.php: line 124. > used: modules/forum/split.php: line 2 > > ERROR: ./forum.php:@main: _REQUEST#g["msg"] > ------------------------------------------- > defined: forum.php: line 122. > used: modules/forum/split.php: line 2 > > ERROR: ./forum.php:@main: _REQUEST#g["subname"] > ----------------------------------------------- > defined: line 135, used line 139 > > ERROR: ./forum.php:@main: _REQUEST#g["toforum"] > ----------------------------------------------- > defined: forum.php: line 110 > used: modules/forum/movetopic.php: line 62 > > ERROR: ./forum_edit.php:@main: _GET#g["msg"] > -------------------------------------------- > line 25 > > ERROR: ./forum_edit.php:@main: _GET#g["forum"] > ---------------------------------------------- > line 25 > > ERROR: ./forum_write.php:@main: _GET#g["forum"] > ----------------------------------------------- > invokes forum_edit.php, same as above. > > ERROR: ./forum_write.php:@main: _GET#g["msg"] > --------------------------------------------- > invokes forum_edit.php, same as above. > > ERROR: ./forum_write.php:@main: _POST#g["msg"] > ---------------------------------------------- > modules/forum/write.php: def: line 85, use line 88 > > ERROR: ./guestbook.php:@main: _POST#g["tekst"] > ---------------------------------------------- > modules/guestbook/functions.php: def:line 202, use: line 203 > > ERROR: ./index.php:@main: _REQUEST#g["menuoption"] > -------------------------------------------------- > def: index.php: line 7 > use: core/theme.php: line 148 > > ERROR: ./myaccount.php:@main: _POST#g["sel_avatar"] > --------------------------------------------------- > def: line 186 > use: line 195 > > ============ > DCP Portal > ============ > ERROR: ./advertiser.php:@main: _POST#g["password"] > -------------------------------------------------- > Line 50 > > ERROR: ./advertiser.php:@main: _POST#g["username"] > -------------------------------------------------- > Line 50 > > ERROR: ./annoucement.php:@main: _GET#g["aid"] > --------------------------------------------- > Line 13 > > ERROR: ./calendar.php:@main: _COOKIE#g["dcp5_member_id"] > -------------------------------------------------------- > Def: line 23. Use: line 65-66 > > ERROR: ./calendar.php:@main: _POST#g["year"] > -------------------------------------------- > Def: line 38. Use: line 65-66 > > ERROR: ./calendar.php:@main: _REQUEST#g["agid"] > ----------------------------------------------- > Line 215-216 > > ERROR: ./calendar.php:@main: _REQUEST#g["day"] > ---------------------------------------------- > Def: line 38. Use: line 65-66 > > ERROR: ./calendar.php:@main: _REQUEST#g["day_s"] > ------------------------------------------------ > Line 209-210 > > ERROR: ./calendar.php:@main: _REQUEST#g["hour"] > ----------------------------------------------- > Line 209-210 > > ERROR: ./calendar.php:@main: _REQUEST#g["minute"] > ------------------------------------------------- > Line 209-210 > > ERROR: ./calendar.php:@main: _REQUEST#g["month"] > ------------------------------------------------ > Def: line 41. Use: line 65-66 > > ERROR: ./calendar.php:@main: _REQUEST#g["month_s"] > -------------------------------------------------- > Line 209-210 > > ERROR: ./calendar.php:@main: _REQUEST#g["year"] > ----------------------------------------------- > Def: line 41. Use: line 65-66 > > ERROR: ./calendar.php:@main: _REQUEST#g["year_s"] > ------------------------------------------------- > Line 209-210 > > ERROR: ./contents.php:@main: _GET#g["cid"] > ------------------------------------------ > Line 15 > > ERROR: ./forums.php:@main: _COOKIE#g["dcp5_member_id"] > ------------------------------------------------------ > Line 93, UserValid uses _COOKIE#g["dcp5_member_id"] in query. > > ERROR: ./forums.php:@main: _GET#g["bid"] > ---------------------------------------- > Line 87 > > ERROR: ./forums.php:@main: _GET#g["mid"] > ---------------------------------------- > Line 161 > > ERROR: ./forums.php:@main: _POST#g["mid"] > ----------------------------------------- > Line 221 > > ERROR: ./go.php:@main: _GET#g["bid"] > ------------------------------------ > Line 9 > > ERROR: ./golink.php:@main: _GET#g["lid"] > ---------------------------------------- > Line 9 > > ERROR: ./inbox.php:@main: _COOKIE#g["dcp5_member_id"] > ----------------------------------------------------- > Line 9, UserValid uses _COOKIE#g["dcp5_member_id"] in query. > > ERROR: ./inbox.php:@main: _GET#g["mid"] > --------------------------------------- > Line 239 > > ERROR: ./index.php:@main: _GET#g["catid"] > ----------------------------------------- > Line 234 > > ERROR: ./index.php:@main: _GET#g["cid"] > --------------------------------------- > Line 60 > > ERROR: ./index.php:@main: _GET#g["dcat"] > ---------------------------------------- > Line 306 > > ERROR: ./index.php:@main: _GET#g["dl"] > -------------------------------------- > Line 370 > > ERROR: ./index.php:@main: _GET#g["doc"] > --------------------------------------- > Line 328 > > ERROR: ./index.php:@main: _GET#g["lcat"] > ---------------------------------------- > Line 252 > > ERROR: ./index.php:@main: _GET#g["uid"] > --------------------------------------- > Line 538 > > ERROR: ./informer.php:@main: _COOKIE#g["dcp5_member_id"] > -------------------------------------------------------- > Line 9, UserValid > > ERROR: ./lostpassword.php:@main: _POST#g["email"] > ------------------------------------------------- > Line 91 > > ERROR: ./mycontents.php:@main: _COOKIE#g["dcp5_member_id"] > ---------------------------------------------------------- > Line 9, UserValid > > ERROR: ./news.php:@main: _GET#g["nid"] > -------------------------------------- > Line 13 > > ERROR: ./rate.php:@main: _GET#g["cid"] > -------------------------------------- > Line 9 > > ERROR: ./rate.php:@main: _GET#g["type"] > --------------------------------------- > Line 17 > > ERROR: ./rate.php:@main: _POST#g["rate"] > ---------------------------------------- > Line 17 > > ERROR: ./search.php:@main: _POST#g["q"] > --------------------------------------- > Line 20, 28, 36... > > ERROR: ./update.php:@main: _COOKIE#g["dcp5_member_id"] > ------------------------------------------------------ > Line 9 >
