Jump to content

CMS backend: test for vulnerabilities and security problems

happypete

By happypete
in Beta Test Your Stuff!

 Share

Recommended Posts

happypete Member

happypete

Posted
Posted

Hi Experts,

 

I'm designing the back-end of a CMS and not being a great programmer would like someone to test the script for vulnerabilities, in particular:

 

  • image uploads + photo gallery in general
  • availability calendar (the calendar isn't showing on the index.php page but can be viewed/updated by clicking the 'Edit Availbility Calendar' link
  • WYSIWYG inputs
  • Google Map

 

URL: http://bit.ly/QfI6od

Verification: http://bit.ly/SdI4Rr

 

If you find any vulnerabilities then hinds on getting them sorted would be very much appreciated

 

Thanks a lot,

 

Pete

 

 

darkfreaks Advanced Member

darkfreaks

Posted
Posted

CRLF injection/HTTP response splitting

Vulnerability description

This script is possibly vulnerable to CRLF injection attacks.

 

HTTP headers have the structure "Key: Value", where each line is separated by the CRLF combination. If the user input is injected into the value section without properly escaping/removing CRLF characters it is possible to alter the HTTP headers structure.

HTTP Response Splitting is a new application attack technique which enables various new attacks such as web cache poisoning, cross user defacement, hijacking pages with sensitive user information and cross-site scripting (XSS). The attacker sends a single HTTP request that forces the web server to form an output stream, which is then interpreted by the target as two HTTP responses instead of one response.

Affected items

/accounts/adminupdate.php

/accounts/calendarupdate.php

The impact of this vulnerability

Is it possible for a remote attacker to inject custom HTTP headers. For example, an attacker can inject session cookies or HTML code. This may conduct to vulnerabilities like XSS (cross-site scripting) or session fixation.

How to fix this vulnerability

You need to restrict CR(0x13) and LF(0x10) from the user input or properly encode the output in order to prevent the injection of custom HTTP headers. [/color

 

Links:

Find & Fix CSRF

what is CSRF?

CSRF attacks & fixes

 

HTTP Verb Tampering

Vulnerability description

By manipulating the HTTP verb it was possible to bypass the authorization on this directory. The scanner sent a request with POST HTTP verb and managed to bypass the authorization. An application is vulnerable to HTTP Verb tampering if the following conditions hold:

 

it uses a security control that lists HTTP verbs

the security control fails to block verbs that are not listed

it has GET functionality that is not idempotent or will execute with an arbitrary HTTP verb

For example, Apache with .htaccess is vulnerable if HTTP verbs are specified using the LIMIT keyword:

<Limit GET>

require valid-user

</Limit>

 

Affected items

/accounts/ckeditor/

/accounts/ckeditor/skins/

/accounts/ckeditor/skins/kama/

/accounts/ckeditor/skins/kama/images/

/accounts/contact/

/accounts/contact/datepicker/

/accounts/contact/datepicker/calendar/

/accounts/contact/datepicker/calendar/ui/

/accounts/css/

/accounts/fancybox/

/accounts/js/

/accounts/media/

/css/

/images/

/media/

 

The impact of this vulnerability

An attacker can bypass web authentication and authorization.

How to fix this vulnerability

In the case of Apache + .htaccess, don't use HTTP verb restrictions or use LimitExcept.

Check references for more information on how to fix this problem on other platforms.

Links:

BYpassing VBAAC with HTTP verb Tampering

Cross Site Scripting

Vulnerability description

This script is possibly vulnerable to Cross Site Scripting (XSS) attacks.

 

Cross site scripting (also referred to as XSS) is a vulnerability that allows an attacker to send malicious code (usually in the form of Javascript) to another user. Because a browser cannot know if the script should be trusted or not, it will execute the script in the user context allowing the attacker to access any cookies or session tokens retained by the browser.

Affected items

/accounts/adminupdate.php

The impact of this vulnerability

Malicious users may inject JavaScript, VBScript, ActiveX, HTML or Flash into a vulnerable application to fool a user in order to gather data from them. An attacker can steal the session cookie and take over the account, impersonating the user. It is also possible to modify the content of the page presented to the user.

 

How to fix this vulnerability

Your script should filter metacharacters from user input with htmlspecialchars

example:

<?php
$var = htmlspecialchars($var,ENT_QUOTES,'utf-8'); ?>

 

or even better you could use the HTMLPURIFIER library to filter input.

happypete Member

happypete

Posted
  • Author
Posted

Just so you know, a lot of these tools are browser plugins.  I know FF has XSS ME, SQL Inject me, Exploit me, and a few others for common vulnerabilities and security holes.

 

thanks, I've tired some of those, but didn't come up with the stuff darkfreaks pointed out

darkfreaks Advanced Member

darkfreaks

Posted
Posted

just so i am following the rules more thoroughly i am using Acunetix. it is a more detailed security analyzer program that analyzes both server and code exploits and gives you advice on how to best go about fixing them.

 

 

much progress has been made here  the XSS and CLRF exploits have been cleaned up and most of the CKeditor HTTPverb tampering but i still found exploits in one CKeditor /source folder. and much of the jquery /calendar/datepicker/ui  folders.

 

Still Vunerable to HTTP tampering:

/accounts/assets/

/accounts/assets/images/

/accounts/ckeditor/_source/

/accounts/contact/datepicker/

/accounts/contact/datepicker/calendar/

/accounts/contact/datepicker/calendar/ui/

/accounts/inc/

/accounts/js/

/cgi-bin/

/inc/

 

darkfreaks Advanced Member

darkfreaks

Posted
Posted

i would like to add the code i have for htmlspecialchars does not escape all types of Injection. also i would validate for data using ctype_alnum @ OP.

 

example:

 

if(ctype_alnum($var)) { //insert code here 
}

 

this will make it so nothing other than letters and numbers goes into that text area.

happypete Member

happypete

Posted
  • Author
Posted

I'm using htmlpurifier on the WYSIWYG textarea and 

htmlspecialchars(stripslashes($_POST[$page1]), ENT_QUOTES, "UTF-8"),

on the other text inputs.

 

 

admin.php

 

<?php

// check user logged in
include("assets/member.inc.php");
$member->LoggedIn();

$page = $_GET['page'];

if ($page == 'home') {
	$page = 'home';
} elseif ($page == 'gallery') {
	$page = 'gallery';
} elseif ($page == 'features') {
	$page = 'features';
} elseif ($page == 'location') {
	$page = 'location';
} elseif ($page == 'rates') {
	$page = 'rates';
} elseif ($page == 'availability') {
	$page = 'availability';
} elseif ($page == 'contact') {
	$page = 'contact';
} elseif ($page == 'testimonials') {
	$page = 'testimonials';
} else {
	header('Location: index.php'); 
	exit;
}

$page1 = $page.'title';
$page2 = $page.'text';

  	// Extract details from database
    $sql = "SELECT * FROM content WHERE siteid=".(int) $siteid."";
$stmt = $db->prepare($sql);
$stmt->execute();
$e = $stmt->fetch();		  
?>

<!DOCTYPE html>
<html lang="en">
<head>
<?php include('inc/head.php'); 	?> 
</head>
<body>

<div id="content">
    <div class="editcontent">
<h1><?php echo ucfirst($page); ?> Page</h1>
<form method="post" action="adminupdate.php?page=<?php echo $page ;?>" enctype="multipart/form-data">

<label><?php echo ucfirst($page); ?> Page Title <span>(max 90 characters)</span>
<input type="text" name="<?php echo $page1; ?>" maxlength="90" value="<?php echo stripslashes($e[$page1]) ?>" class="large" />
</label>

<label><?php echo ucfirst($page); ?> Page Content</label>
<textarea name="<?php echo $page2; ?>" id="ckeditor"><?php echo htmlspecialchars(stripslashes($e[$page2])) ?></textarea>
<p> </p>

<div class="clear"></div>
<input id="button" class="button" type="submit" name="submit" value="Save Changes" />
<input id="button" class="buttoncancel" type="submit" name="submit" value="Cancel / Return to site" />
<div id="spinner" class="spinner"><img id="img-spinner" src="../media/spinner.gif" alt="Loading"/></div>

</form>
</div><!--content-->
</div><!--content-->
   <script type="text/javascript" src="http://ajax.googleapis.com/ajax/libs/jquery/1.7.2/jquery.min.js"></script>
        <script>window.jQuery || document.write('<script src="js/jquery.min.js"><\/script>')</script>
<script type="text/javascript">
	$(document).ready(function(){$('#button').click(function(){$('#spinner').show()})});
    </script>

   <script type="text/javascript" src="ckeditor/ckeditor.js"></script>
<script type="text/javascript">
			CKEDITOR.replace( 'ckeditor',
    {
        toolbar :
        [
            
    ['Cut','Copy','Paste','PasteText','PasteFromWord','-','Print', 'SpellChecker'],
    ['Undo','Redo'],
    ['Bold','Italic','Underline','Strike','-','Subscript','Superscript'],
    ['NumberedList','BulletedList','-'],
    ['JustifyLeft','JustifyCenter','JustifyRight','JustifyBlock'],
    ['Link','Unlink'],
    ['HorizontalRule','SpecialChar'],
    ['Format'],['Source'],
        ]
    });
		</script>

</body>
</html>

 

 

adminupdate.php

<?php

// check user logged in
include("assets/member.inc.php");
$member->LoggedIn();

require ('htmlpure/HTMLPurifier.standalone.php'); 

// Get page name that need updating
$page = $_GET['page'];

if ($page == 'home') {
	$page = 'home';
} elseif ($page == 'gallery') {
	$page = 'gallery';
} elseif ($page == 'features') {
	$page = 'features';
} elseif ($page == 'location') {
	$page = 'location';
} elseif ($page == 'rates') {
	$page = 'rates';
} elseif ($page == 'availability') {
	$page = 'availability';
} elseif ($page == 'contact') {
	$page = 'contact';
} elseif ($page == 'testimonials') {
	$page = 'testimonials';
} else {
	header('Location: index.php'); 
	exit;
}

$page1 = $page.'title';
$page2 = $page.'text';

   // Check if coming from a POST command and Save Changes
// Save header and text and email
    if($_SERVER['REQUEST_METHOD']=='POST'
    && $_POST['submit']=='Cancel / Return to site')
{
// cancel & return to admin page
header('Location: index.php?success=5&page='.$page.'&#'.$page.''); 
exit;
}
   
    // Check if coming from a POST command and Save Changes
// Save header and text and email
    if($_SERVER['REQUEST_METHOD']=='POST'
    && $_POST['submit']=='Save Changes')
{

$config = HTMLPurifier_Config::createDefault();
    
$config->set('Core.Encoding', 'UTF-8'); 
$config->set('HTML.AllowedElements', 'p,b,strong,i,em,u,a,ol,ul,li,hr,blockquote,img,table,tr,td,th,span,object,param,embed');
$config->set('HTML.AllowedAttributes', 'a.href');

$purifier = new HTMLPurifier($config);
$clean_html2 = $purifier->purify(stripslashes($_POST[$page2]));

$sql = "UPDATE content SET $page1=?, $page2=? WHERE siteid=".(int) $siteid." LIMIT 1";
$stmt = $db->prepare($sql);
$stmt->execute(
	array(
		  htmlspecialchars(stripslashes($_POST[$page1]), ENT_QUOTES, "UTF-8"),
		  $clean_html2,
		 )
);
$stmt->closeCursor();


// once updated return to admin page
header('Location: index.php?success=1&page='.$page.'&#'.$page.''); 
exit;
}
else
{
// If nothing happend send back to admin page
header('Location: index.php?success=error&#=[$page]');
exit;
}
?>

darkfreaks Advanced Member

darkfreaks

Posted
Posted

HTTP Verb Tampering:

/accounts/contact/datepicker/

/accounts/contact/datepicker/calendar/

/accounts/contact/datepicker/calendar/ui

/cgi-bin/

/images/

/inc/

/media/

 

 

 

 

http://lmgtfy.com/?q=prevent+HTTP+Tampering

 

 

happypete Member

happypete

Posted
  • Author
Posted

Thanks again for testing.

 

I've read about HTTP verb tampering but still not sure how to stop it.

 

Originally I had this in the .htaccess file:

# disable directory browsing

Options All -Indexes

 

but took it out as it didn't seem to do anything security wise

 

FIX

 

1. Limit HTTP Verbs

There are two ways how you can limit which HTTP Verbs should be handled by your server.

Limit directive ? By using the limit Apache directive, you specify which HTTP verbs (methods) you want to allow.

 

I need to allow GET, POST & DELETE (I have file uploads and deletes) so how do I restrict that without restricting legitimate users from using the software?

 

2. Always ask for Authentication

 

The second method is to completely remove any type of HTTP method restrictions (Limit or LimitExcept) from access control and authorization rules, and adjust your .htaccess configuration to ALWAYS ask for authentication. Example of a .htaccess file follows:

 

                AuthUserFile C:\xampp\htdocs\Acuart\.htpasswd

                AuthName "Authorization Required"

                AuthType Basic

                require valid-user

 

How to I relate this to a login script?

 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.