Php Web Statistik is vulnerable to javascript and html injection using the unchecked lastnumber variable, proper input validation will fix. Just place an intval() at the right row. Other vulnerabilities has been discovered later.
This is a medium level risk.
Php Web Statistik Multiple Vulnerabilities Name Multiple Vulnerabilities in Php Web Statistik Systems Affected Php Web Statistik (verified on 1.4) Severity Medium Risk Vendor www.php-web-statistik.de Advisory http://www_ush_it/2005/11/19/php-web-statistik/ Author Francesco â??aSciiâ?? Ongaro (ascii at katamail . com) Date 20051119 I. BACKGROUND Php Web Statistik is a php stats program, more information is available at the vendor site. II. DESCRIPTION a) XSS While lastnumber _GET var should be a positive integer no input validation or casting assure this. Single quotes seems to be scaped with a backslash (\'). stat.php?lastnumber=urlencoded%20text b) Config exposure The configuration file can be reached in the basepath by GET. /stat/stat.cfg directory=log/logdb.dta c) Log database exposure Using the value of "directory" in the configuration file you can find the correct location of the whole database even when you can't list directory contents. d) Application level dos, resource usage stat.php?lastnumber=big-int caused the script wit the php time limit on our test machine. e) XSS using the referer field The value will be stored in the flat database file. curl -A Opera http://the.vict.im/stat/pixel.php -e "<a href=http://www.referer.spam>go-google</a>" curl -A Opera http://the.vict.im/stat/pixel.php -e "<script>alert(123123);</script>" And shown on the backend (good news pr spammers). f) Disk and quota misuse The program don't rotate the db so you can misuse the remote disk quota with multiple queries like this: curl -A Opera http://www.vict.im/stat/pixel.php -e "WW[..]WWW" Note the referer field can be >2kb. III. ANALYSIS This vulnerability can be exploited by a GET query. stat.php?lastnumber=%3Cscript%3Ealert(123456789);%3C/script%3E IV. DETECTION Php Web Statistik 1.4 is vulnerable. Older version not verified. V. WORKAROUND Input validation will fix the vulnerability. Cast (int)intval($input) and limit the range (0-600 for example). A collateral consequence of this is a small application level dos (you just hit the SetTimeLimit value of the php enviroment) as follow: stat.php?lastnumber=2341694882134812734613478 last 2341694882134812734613478 hits Fatal error: Maximum execution time of 30 seconds exceeded in /var/www/localhost/htdocs/mambo/stat/stat.php on line 711 nr. timestamp hostname browser operating system site referrer VI. VENDOR RESPONSE Vendor invite you to download the new version from freewebstat.com. VII. CVE INFORMATION No CVE at this time. VIII. DISCLOSURE TIMELINE 20051119 Bug discovered 20051119 Developer notification 20051119 Advisory released 20051121 Vendor response IX. CREDIT ascii is credited with the discovery of this vulnerability. X. LEGAL NOTICES Copyright (c) 2005 Francesco â??aSciiâ?? Ongaro Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without mine express written consent. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please email me for permission. Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.