
CERT Coordination Center

paFileDB fails to properly sanitize "query" parameter in "pafiledb.php"

Vulnerability Note VU#459565

Original Release Date: 2005-06-21 | Last Revised: 2005-07-07

Overview

paFileDB works around the default "off" state for the "register_globals" security directive in PHP and then fails to initialize the "query" variable, which can be used to inject arbitrary SQL queries.

Description

"paFileDB is designed to allow webmasters have a database of files for download on their site."

This SQL injection vulnerability is one of eight vulnerabilities recently discussed in public forums affecting paFileDB. It works whether magic_quotes is on or not. Proof of concept code and simple examples are in circulation specific to this vulnerability. The following report identifies these vulnerabilities:
http://www.gulftech.org/?node=research&article_id=00082-06142005

The default value for the PHP directive register_globals changed from "on" to "off" in PHP 4.2.0. To quote PHP documentation available from http://www.php.net/register_globals/:

"When on, register_globals will inject (poison) your scripts with all sorts of variables, like request variables from HTML forms. This coupled with the fact that PHP doesn't require variable initialization means writing insecure code is that much easier."

Code near the beginning of paFileDB undermines the security benefit of the register_globals default "off" setting: when the directive is off, it extracts every GET, POST, cookie and server variable directly into PHP's global variable scope, reproducing the behaviour the directive was turned off to prevent.

// Excerpt from paFileDB: emulates register_globals whenever PHP has it off.
if (!@ini_get('register_globals')) {
    extract($_GET);     // every request parameter becomes a global variable
    extract($_POST);
    extract($_COOKIE);
    extract($_SERVER);
}

This specific vulnerability is the direct result of the above poor coding practice combined with a failure to initialize the "query" variable before use.
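The following added example (not paFileDB's own code) shows the mechanism described above on a request array, the two habits that close it (initialize every variable before use and bind user input as a query parameter), and a small source scan a reviewer can run to flag the extract()-on-superglobals pattern. The table name and columns are assumptions for the demonstration, not paFileDB's schema; the demo uses an in-memory SQLite database through PDO, so it assumes the pdo_sqlite extension is available.

```php
<?php
// Added example, not paFileDB code. Table "files" and its columns are assumed.

// (a) Vulnerable shape: emulate the register_globals workaround on a request
//     array and build the query the way uninitialized-variable code does.
function vulnerable_sql(array $request): string
{
    extract($request);                 // every request key becomes a variable
    // $query was never initialized, so the request (or nothing) defines it.
    $q = $query ?? '';
    return "SELECT id, name FROM files WHERE name LIKE '%$q%'";
}

// (b) Hardened shape: the variable has exactly one source, is validated, and
//     is bound as a parameter so quotes in it stay data rather than SQL.
function hardened_search(PDO $db, array $request): array
{
    $query = '';                       // initialized before any use
    if (isset($request['query']) && is_string($request['query'])) {
        $query = substr($request['query'], 0, 100);   // cap length (assumed limit)
    }
    $stmt = $db->prepare('SELECT id, name FROM files WHERE name LIKE :pattern');
    $stmt->execute([':pattern' => '%' . $query . '%']);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// (c) Defender's code scan: report 1-based line numbers that feed a
//     superglobal to extract(), the pattern quoted in the advisory.
function find_superglobal_extract(string $source): array
{
    $hits = [];
    $pattern = '/\bextract\s*\(\s*\$_(GET|POST|COOKIE|REQUEST|SERVER|FILES|ENV)\b/';
    foreach (explode("\n", $source) as $i => $line) {
        if (preg_match($pattern, $line)) {
            $hits[] = $i + 1;
        }
    }
    return $hits;
}

// --- Demonstration with constructed data (SQLite in memory via PDO) ---------
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE files (id INTEGER PRIMARY KEY, name TEXT)');
foreach (["O'Reilly PHP Guide", 'readme.txt', 'installer.zip'] as $n) {
    $db->prepare('INSERT INTO files (name) VALUES (:n)')->execute([':n' => $n]);
}

// Constructed request: ordinary search text that happens to contain a quote,
// enough to show that the vulnerable builder splices it straight into SQL.
$request = ['query' => "O'Reilly"];

echo "vulnerable SQL: ", vulnerable_sql($request), "\n";
try {
    $db->query(vulnerable_sql($request));
} catch (PDOException $e) {
    echo "vulnerable query failed: the quote broke the string literal\n";
}

// The hardened search treats the same input as data and finds the file.
foreach (hardened_search($db, $request) as $row) {
    echo "hardened match: {$row['name']}\n";
}

// Scan a constructed snippet resembling the advisory's excerpt.
$snippet = "<?php\nif (!@ini_get('register_globals')) {\n"
         . "    extract(\$_GET);\n    extract(\$_POST);\n}\n";
echo "extract() on superglobals at lines: ",
     implode(', ', find_superglobal_extract($snippet)), "\n";
```

Run it with the PHP CLI; the vulnerable builder fails on the quoted input while the hardened search returns the "O'Reilly PHP Guide" row, and the scan reports lines 3 and 4 of the snippet. The scan is a first pass for a code review of the kind the Solution section recommends, not a replacement for it: extract() calls on arrays derived from superglobals (for example a merged request array) need the same attention and will not match this pattern.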

Impact

An attacker could inject arbitrary SQL queries, such as resetting the administrator password.

Solution

Upgrade to a version 3.1 paFileDB distribution downloaded after June 15, 2005. It contains a fix for this specific vulnerability and a number of other security enhancements for initialising variables before use and sanitising user input.

Full code review and rewriting to remove the dependency on all passed parameters being in the global address space is also recommended. The current release as downloaded on 21 June, 2005 still contains the code to put all parameters into the global address space (see above).

Workaround

Restrict access to the paFileDB application to trusted users only. This can be achieved through network filtering that limits access to internal users, and/or through web server access control mechanisms.
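As an added illustration of the web server access control mentioned above (not a configuration from the advisory or the vendor), the following Apache 2.4 fragment limits the paFileDB directory to an internal network range and additionally requires a login. The path, the address range and the password file location are assumptions to be replaced with the site's own values.

```apache
# Added example: confine paFileDB to trusted users (Apache 2.4 syntax).
# /var/www/html/pafiledb, 10.0.0.0/8 and the htpasswd file are placeholders.
<Directory "/var/www/html/pafiledb">
    # Both conditions must hold: request from the internal range AND a valid login.
    <RequireAll>
        Require ip 10.0.0.0/8
        Require valid-user
    </RequireAll>

    AuthType Basic
    AuthName "paFileDB (restricted)"
    AuthUserFile "/etc/apache2/pafiledb.htpasswd"
</Directory>
```

Basic authentication sends credentials with every request, so serve the directory over HTTPS only. Apache 2.2 and earlier express the same restriction with the Order/Allow/Deny directives and a Satisfy All line instead of the RequireAll block.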

Vendor Information


PHP Arena: Affected

Updated:  June 21, 2005

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see http://www.phparena.net/index.php for general information about the "latest security patch" and http://www.phparena.net/pafiledb_patch/ for specific details of code changes.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics


References

Acknowledgements

James Bercegay of the GulfTech Security Research Team is credited with discovering this vulnerability.

This document was written by Robert Mead.

Other Information

CVE IDs: None
Severity Metric: 0.95
Date Public: 2005-06-14
Date First Published: 2005-06-21
Date Last Updated: 2005-07-07 20:36 UTC
Document Revision: 13

Sponsored by CISA.