US-CERT Vulnerability Notes Database
Vulnerability Note VU#459565

paFileDB fails to properly sanitize "query" parameter in "pafiledb.php"

Overview

paFileDB works around the default "off" state for the "register_globals" security directive in PHP and then fails to initialize the "query" variable, which can be used to inject arbitrary SQL queries.

I. Description

"paFileDB is designed to allow webmasters have a database of files for download on their site."

This SQL injection vulnerability is one of eight vulnerabilities recently discussed in public forums affecting paFileDB. It works whether magic_quotes is on or not. Proof of concept code and simple examples are in circulation specific to this vulnerability. The following report identifies these vulnerabilities:
http://www.gulftech.org/?node=research&article_id=00082-06142005

The default value for the PHP directive register_globals changed from "on" to "off" in PHP 4.2.0. To quote PHP documentation available from http://www.php.net/register_globals/:

"When on, register_globals will inject (poison) your scripts with all sorts of variables, like request variables from HTML forms. This coupled with the fact that PHP doesn't require variable initialization means writing insecure code is that much easier."

Code near the beginning of paFileDB undermines the security benefits of the register_globals default "off" setting. It does so by copying every request parameter directly into the script's global variable scope:

    // paFileDB: re-create register_globals behaviour when PHP has it turned off.
    // Every key of the request arrays becomes a global variable, including any
    // HTTP_* request header that PHP places in $_SERVER, so a variable such as
    // $query that the script never initialized takes whatever value the request
    // supplied.
    if (!@ini_get('register_globals')) {
        extract($_GET);
        extract($_POST);
        extract($_COOKIE);
        extract($_SERVER);
    }

This specific vulnerability is the direct result of the above poor coding practice combined with a failure to initialize the "query" variable before use.
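The following PHP is an added example written for this note; it is not paFileDB's code. It contrasts the extract()-then-use pattern with a form that initializes the variable, reads it deliberately from the request array, and passes it to the database as a bound parameter. The table name "files", its columns, the function names and the use of PDO with an in-memory SQLite database are all assumptions standing in for the application's real MySQL access.

```php
<?php
// Added example (not paFileDB's code). Table "files", its columns, the
// function names and PDO/SQLite are hypothetical stand-ins.

// Constructed request: the script author never assigns $query, but the
// request happens to carry a parameter of that name.
$constructedGet = ['action' => 'search', 'query' => 'value from the request'];

// Vulnerable pattern: mirrors the register_globals workaround quoted above.
function vulnerableQueryValue(array $get): string
{
    // extract() turns every request key into a local variable, so a
    // variable the code never initialized is now request-controlled.
    extract($get);
    if (!isset($query)) {
        $query = '';       // never reached: extract() already set $query
    }
    // In the real application this value flowed into a SQL string. Using a
    // variable you did not initialize is the defect; the SQL is only the sink.
    return $query;
}

// Hardened pattern: explicit initialization, explicit input source, and a
// bound parameter so the input can never alter the SQL statement itself.
function hardenedFileSearch(array $get, PDO $db): array
{
    $query = '';                                    // 1. always initialize
    if (isset($get['query']) && is_string($get['query'])) {
        $query = $get['query'];                     // 2. read it deliberately
    }
    $stmt = $db->prepare(
        'SELECT file_id, file_name FROM files WHERE file_name LIKE :pattern'
    );
    $stmt->execute([':pattern' => '%' . $query . '%']); // 3. bind, never splice
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed demonstration data.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE files (file_id INTEGER PRIMARY KEY, file_name TEXT)');
$db->exec("INSERT INTO files (file_name) VALUES ('readme.txt'), ('setup.exe')");

echo 'vulnerable: $query = "', vulnerableQueryValue($constructedGet), "\"\n";
print_r(hardenedFileSearch($constructedGet, $db));       // no rows match
print_r(hardenedFileSearch(['query' => 'readme'], $db)); // one row: readme.txt
```

Because the hardened version never splices the input into the SQL text, it behaves the same whether magic_quotes is on or off, which is exactly the property the note says the vulnerable code lacks. The remaining input-dependent behaviour (LIKE wildcards in the search term) changes which rows match, not the structure of the statement.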

II. Impact

An attacker could inject arbitrary SQL queries, such as resetting the administrator password.

III. Solution

Upgrade to a copy of paFileDB version 3.1 downloaded after June 15, 2005. It contains a fix for this specific vulnerability and a number of other security enhancements for initializing variables before use and sanitising user input.

Full code review and rewriting to remove the dependency on all passed parameters being in the global scope is also recommended. The current release as downloaded on 21 June, 2005 still contains the code to put all parameters into the global scope (see above).

Workaround

Restrict access to the paFileDB application to only trusted users. Restricting access can be achieved through network filtering and restricting access to internal users, and/or through web server access control mechanisms.

Systems Affected

Vendor        Status        Date Notified   Date Updated
PHP Arena     Vulnerable                    21-Jun-2005

References


http://www.gulftech.org/?node=research&article_id=00082-06142005
http://www.php.net/register_globals/

Credit

James Bercegay of the GulfTech Security Research Team is credited with discovering this vulnerability.

This document was written by Robert Mead.

Other Information

Date Public: 2005-06-14
Date First Published: 2005-06-21
Date Last Updated: 2005-07-07
CERT Advisory:
CVE-ID(s):
NVD-ID(s):
US-CERT Technical Alerts:
Metric: 0.95
Document Revision: 13

If you have feedback, comments, or additional information about this vulnerability, please send us email.
Produced 2005 by US-CERT, a government organization