Vendor: phpWebSite Development Team
Version: <= 0.9.3-4
CVE: CVE-2004-1654 CVE-2004-1655
OSVDB: 9444 9445 9446 9447
phpWebSite provides a complete web site content management solution. All client output is valid XHTML 1.0 and meets the W3C's Web Accessibility Initiative requirements. Current features include: announcement posting, form generator, user management with granular administration, calendar, poll, FAQ, photo album, bulletin board, RSS feeds, user-customizable theme support and more. It is one of the most popular content management systems in the world.
SQL Injection Vulnerability:
The calendar module of phpWebsite allows users to submit their own events to the calendar. Upon approval by an admin (or, in some cases, without approval, though that is not a default setting), certain data supplied earlier by the user is entered into the database. It could be possible for an attacker to insert malicious statements via the "cal_template" field and thereby influence the UPDATE query when it is executed. By default I believe the calendar module allows anyone to submit a new event for approval.
Cross Site Scripting:
The phpWebsite developers have done a good job of filtering GET requests that are passed to the application. However, I have found one place where a Cross Site Scripting attack can take place, and that is the comments module.
The above URL will render the specified code in the browsers of both guest users and logged-in users.
Script Injection Vulnerability:
When sending users private messages via the notes module it is possible to input script, HTML, etc. into both the subject and the message fields of the note. When a user visits their notes module, or reads the note, the code is then executed. This can be very dangerous and can be used to force command execution.
Forced Command Execution:
This, sent to an admin in a PM, will set the attacker to the deity level, make the attacker an admin, and then delete the admin from their own website. This example has the attacker as user id number 4 and the admin as number 2; of course these will have to be changed in most cases to work. Now just send the following data in [img] tags, or an HTML img tag, to the desired administrator and then log in to your new super user account.
This issue affects almost all, if not all, of the components of phpWebsite, so I am not going to include an example of every little place that this issue is present, but I will include examples for the more popular components such as the phpWebsite message board, phpwsbb. This example will delete a desired forum, and then ban a specified user's name and IP address.
Just put those URLs inside an [img] tag or an HTML image tag and the commands will likely be executed successfully. This also works for the deletion of posts, and just about anything else too.
I would like to thank Matthew McNaney and the rest of the dev team for a prompt response and professional attitude. These guys care very much about the security of their product, and the well-being of the users.
The updated security patches can be downloaded at the above link. The RFC 2616 security issues will be addressed in the next release of phpWebsite, due out at the end of the year. The next release will address these issues by requiring a valid authentication key for actions taken. It should be a great improvement and I believe it will help make phpWebsite one of the most secure open source content management systems around.
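The fix described above, a per-session authentication key for state-changing actions together with RFC 2616's rule that GET requests must be safe, modelled as an added Python example; this is not phpWebSite code, and the names Session, Request, handle_delete_user and the user table are assumptions constructed for illustration.

```python
import hmac
import secrets
from dataclasses import dataclass, field

@dataclass
class Session:
    # Constructed stand-in for a logged-in phpWebSite session.
    user_id: int
    is_admin: bool
    # Per-session authentication key; only pages rendered for this session
    # embed it, so a request forged from another site cannot know it.
    action_key: str = field(default_factory=lambda: secrets.token_hex(16))

@dataclass
class Request:
    method: str          # "GET" or "POST"
    params: dict         # query/form parameters
    session: Session     # session attached via the browser's cookie

def action_key_valid(session: Session, supplied) -> bool:
    """Constant-time check; a missing or wrong key fails."""
    if supplied is None:
        return False
    return hmac.compare_digest(session.action_key.encode(), str(supplied).encode())

def handle_delete_user(request: Request, users: dict) -> str:
    """Hypothetical admin action; returns a result string instead of HTML."""
    if request.method != "POST":
        # RFC 2616 9.1.1: GET must be safe. An <img src=...> can only issue a
        # GET, so refusing state changes on GET defeats the [img] technique.
        return "method_not_allowed"
    if not request.session.is_admin:
        return "forbidden"
    if not action_key_valid(request.session, request.params.get("key")):
        return "forbidden"
    users.pop(int(request.params["user_id"]), None)
    return "deleted"

def demo() -> tuple:
    users = {2: "admin", 4: "attacker"}          # constructed user table
    admin = Session(user_id=2, is_admin=True)
    # Forged request: the admin's browser fetches an [img] URL while logged in,
    # so it carries the admin's session but arrives as a GET with no key.
    forged_get = handle_delete_user(Request("GET", {"user_id": "2"}, admin), users)
    # The same forgery over POST still lacks the per-session key.
    forged_post = handle_delete_user(Request("POST", {"user_id": "2"}, admin), users)
    # Legitimate submission from the admin's own form, which embeds the key.
    real = Request("POST", {"user_id": "4", "key": admin.action_key}, admin)
    genuine = handle_delete_user(real, users)
    return forged_get, forged_post, genuine, sorted(users)
```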
James Bercegay of the GulfTech Security Research Team.