Milkeyway Captive Portal Multiple Vulnerabilities Name Multiple Vulnerabilities in Milkeyway Captive Portal Systems Affected WebCalendar (any version, verified on 0.1 and 0.1.1) Severity Medium Risk Vendor sourceforge.net/projects/milkeyway Advisory http://www.ush.it/team/ascii/hack-milkeway/milkeyway.txt Author Francesco "aScii" Ongaro (ascii at katamail . com) Date 20060316 I. BACKGROUND Milkeyway is a software for the management and administration of internet access within public structures and frameworks, where the service supplying must be submitted to a scrupulous inspection. II. DESCRIPTION Nearly all SQL queries are vulnerable to SQL injection vulnerabilities. There are also some XSS vulnerabilities. III. ANALYSIS Since there are 28 detected different vulnerabilities only an abstract will be included in this mail, please refer to the complete advisory aviable here: http://www.ush.it/team/ascii/hack-milkeway/milkeyway.txt 1) LOGIN PAGE authenticate() SQL INJECTION 2) add_userIp() SQL INJECTION 3) updateTimeStamp() SQL INJECTION 4) authuser.php USER DELETE SQL INJECTION 5) delete_user() SQL INJECTION 6) authuser.php MODIFY USER modify_user() SQL INJECTION 7) authuser.php MULTIPLE XSS 8) authuser.php EDIT SQL INJECTION 9) authuser.php RELEASE USER SQL INJECTION 10) releaseUser() SQL INJECTION 11) authuser.php ORDERING SQL INJECTION 12) authgroup.php ADD GROUP SQL INJECTION 13) add_team() SQL INJECTION 14) authgroup.php DELETE GROUP SQL INJECTION 15) delete_team() SQL INJECTION 16) authgroup.php MODIFY TEAM SQL INJECTION 17) modify_team() SQL INJECTION 18) traffic.php MULTIPLE SQL INJECTION 19) userstatistics.php ADD USER SQL INJECTION 20) userstatistics.php DELETE USER SQL INJECTION 21) userstatistics.php MODIFY USER SQL INJECTION 22) userstatistics.php EDIT USER SQL INJECTION 23) userstatistics.php MULTIPLE XSS 24) userstatistics.php $_GET['username'] SQL INJECTION 1 25) userstatistics.php $_GET['username'] SQL INJECTION 2 26) chgpwd.php SQL INJECTION 1 27) chgpwd.php SQL INJECTION 2 28) logout.php SQL INJECTION IV. DETECTION Milkeyway 0.1 and 0.1.1 are vulnerable. V. WORKAROUND Input validation will fix the vulnerability. Magic quotes ON will protect you against most of these injections except chapter 11 (authuser.php ORDERING SQL INJECTION) where the input has no single or double quotes around, making magic quotes useless. 11) SQL is injectable by $_GET['filter'] ---------------- in authuser.php ----------------- $orderingFilter = $_GET['filter']; if ($orderingFilter == '') $orderBy ="order by uname ASC" ; else $orderBy ="order by ".$orderingFilter." ".$direction; $result = mysql_query("SELECT * FROM authuser ".$orderBy ); -------------------------------------------------- VI. VENDOR RESPONSE Vendor has been contacted. VII. CVE INFORMATION No CVE at this time. VIII. DISCLOSURE TIMELINE 20060301 Bug discovered 20060316 Vendor contacted 20060316 Advisory released IX. CREDIT ascii is credited with the discovery of this vulnerability. X. LEGAL NOTICES Copyright (c) 2005 Francesco "aScii" Ongaro Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without mine express written consent. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please email me for permission. Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information. first sql injection ($_GET['date']) ----------------- in traffic.php ----------------- $act = $_GET['act']; $idToProcess = $_GET['id']; if ($act=='trafficDetails') { $date = $_GET['date']; [..CUT..] $trafficQuery = "SELECT * FROM userData u where loginStartDate='".$date."' order by loginStartDate,loginStartTime "; $result = mysql_query($trafficQuery); -------------------------------------------------- second sql injection ($_GET['date']) ----------------- in traffic.php ----------------- $trafficByUser = "SELECT * FROM traffic where time <= '".$upper."' and time >= '".$lower."' and date='''.$date.'''"; $result = mysql_query($trafficByUser); -------------------------------------------------- third sql injection ($_GET['id']) ----------------- in traffic.php ----------------- else if ($act=='groupDate'){ [..CUT..] $trafficQuery = 'SELECT *,count(loginStartDate) FROM userData u where userId='.$idToProcess.' group by loginStartDate order by loginStartDate,loginStartTime'; $result = mysql_query($trafficQuery); -------------------------------------------------- /milkeyway/admin/traffic.php?id=1&act=groupDate ^ 19) userstatistics.php ADD USER SQL INJECTION -------------- in userstatistics.php ------------- if (isset($_POST['action'])) { $username = $_POST['username']; $password = $_POST['password']; $team = $_POST['team']; $level = $_POST['level']; $status = $_POST['status']; $action = $_POST['action']; $ipAddress = $_POST['ipAddress']; $ipAddress = $_POST['macAddress']; } elseif (isset($_GET['act'])) { $act = $_GET['act']; [..CUT..] if ($action == "Add") { $situation = $user->add_user($username, $password, $team, $level, $status); // VULNERABLE, SEE POINT 2 -------------------------------------------------- 20) userstatistics.php DELETE USER SQL INJECTION -------------- in userstatistics.php ------------- if ($action=="Delete") { $delete = $user->delete_user($username); // VULNERABLE, SEE POINT 5 -------------------------------------------------- 21) userstatistics.php MODIFY USER SQL INJECTION -------------- in userstatistics.php ------------- if ($action == "Modify") { $update = $user->modify_user($username, $password, $team, $level, $status); // VULNERABLE, SEE POINT 6 -------------------------------------------------- 22) userstatistics.php EDIT USER SQL INJECTION -------------- in userstatistics.php ------------- if ($act == "Edit") { $username = $_GET['username']; $listusers = mysql_query("SELECT * FROM authuser u LEFT OUTER JOIN userData d on u.id=d.userid where u.uname='$username'"); -------------------------------------------------- 23) userstatistics.php MULTIPLE XSS for example the variable $username is taken an other time from GET and then printed -------------- in userstatistics.php ------------- if ($act == "statistics") { $username = $_GET['username']; [..CUT..] -------------------------------------------------- 24) userstatistics.php $_GET['username'] SQL INJECTION 1 -------------- in userstatistics.php ------------- if ($act == "statistics") { $username = $_GET['username']; [..CUT..] $result = mysql_query("SELECT id FROM authuser where uname = '$username'"); -------------------------------------------------- 25) userstatistics.php $_GET['username'] SQL INJECTION 2 -------------- in userstatistics.php ------------- 26) chgpwd.php MULTIPLE SQL INJECTION 1 -------------------- chgpwd.php ------------------ if (isset($_POST['submit'])){ $USERNAME = $_COOKIE['USERNAME']; $PASSWORD = $_COOKIE['PASSWORD']; $submit = $_POST['submit']; $oldpasswd = $_POST['oldpasswd']; $newpasswd = $_POST['newpasswd']; $confirmpasswd = $_POST['confirmpasswd']; [..CUT..] $userdata = mysql_query("SELECT * FROM authuserWHERE uname='$USERNAME' and passwd='$PASSWORD'"); -------------------------------------------------- 27) chgpwd.php MULTIPLE SQL INJECTION 2 -------------------- chgpwd.php ------------------ // If everything is ok, use auth class to modify the record $update = $user->modify_user($USERNAME, $newpasswd, $check["team"], $check["level"], $check["status"]); // VULNERABLE, SEE CHAPTER 6 -------------------------------------------------- 28) logout.php SQL INJECTION -------------------- chgpwd.php ------------------ $username=$_GET['username']; [..CUT..] $utils->updateTimeStamp($username,"loginEndDate","CURRENT_DATE()"); $utils->updateTimeStamp($username,"loginEndTime","CURRENT_TIME()"); -------------------------------------------------- 29) CONCLUSION no conclusion. fuck em. every function is bogous. i hope you have magic_quotes on Francesco 'ascii' Ongaro