-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Advisory: Chipmailer <= 1.09 Multiple Vulnerabilities Release Date: 2006/06/13 Last Modified: 2006/06/13 Author: Tamriel [tamriel at gmx dot net] Application: Chipmailer <= 1.09 Risk: Medium Vendor Status: no patch available Vendor Site: chipmailer.de Overview: Quote from http://chipmailer.de "Der Chipmailer ist ein Paidmail Script der neuesten Generation, welches mit Attraktiven Vorteilen winkt. Dieses Script hat sehr viele Funktionen für Benutzer, Sponsoren sowie für Administratoren." Details: 1) Cross Site Scripting Vulnerabilities in main.php (arround line 300-310) ... $sitename = data("sitename"); $name = $_POST['name']; $betreff = $_POST['betreff']; $betreff = "Anfrage bei ".$sitename." über ".$betreff.""; $mail = $_POST['mail']; $adminmail = data("adminmail"); $text = $_POST['text']; mail($adminmail, $betreff, $text, "From: $name <$mail>"); ... Nothing will be checked so an attacker can send the site administrator some shit. In the complete script you can found this vulnerabilities so i mention only one example here. 2) SQL Injection Vulnerability in main.php (arround line 335) ... $anfang = $_GET['anfang']; $connect = mysql_query("SELECT head, autor, date, text FROM news order by id desc LIMIT $anfang, 10"); ... 3) Public phpinfo() in php.php (arround line 2) In the php.php file, included in the install files from this script is just a phpinfo() command used, so attackers can easy collect information about their victims. 4) SQL Injection Vulnerability in main.php (arround line 30-140) ... $name = $_POST['name']; $pass = md5($_POST['pass']); $passwdh = md5($_POST['passwdh']); $mail = $_POST['mail']; $anrede = $_POST['anrede']; $vorname = $_POST['vorname']; $nachname = $_POST['nachname']; $gebtag = $_POST['gebtag']; $gebmonat = $_POST['gebmonat']; $gebjahr = $_POST['gebjahr']; ... mysql_query("INSERT INTO user ( name, pass, mail, ip, status, register, anrede, vorname, nachname, strasse, hausnr, plz, stadt, land, geb, `int1`, `int2`, `int3`, `int4`, `int5`, `int6`, `int7`, `int8`, `int9`, `int10`, `int11`, `int12`, `int13`, `int14`, `int15`, `int16`, `int17`, `int18`, `int19`, `int20`, `int21`, newsletter, werber, paidmails, bespaidmails ) VALUES ( '$name', '$pass', '$mail', '$ip', '2', '$date', '$anrede', '$vorname', '$nachname', '$strasse', '$hausnr', '$plz', '$stadt', '$land', '$geb', '$int1', '$int2', '$int3', '$int4', '$int5', '$int6', '$int7', '$int8', '$int9', '$int10', '$int11', '$int12', '$int13', '$int14', '$int15', '$int16', '$int17', '$int18', '$int19', '$int20', '$int21', '$newsletter', '$werber', '0', '0' )"); ... If magic_quotes_gpc is off, then you can directly inject malicious SQL code. The same in (for example): line 1366-1369 line 1519-1520 line 1768-1769 ... Proof of Concept: index.php?area=news&anfang=0/* Note: It is strongly recommended to update your script by yourself. Check out some other insecure handlings, like the logout handling with not overwrites the existence cookie. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.3 iD8DBQFEjyQrqBhP+Twks7oRArnAAKCS99/tPofih3VT5r7rEPS3wcq5oQCfckFN 4uKl2tTrA802OsBlya53Vj8= =d7Dx -----END PGP SIGNATURE-----