Milkeyway Captive Portal Multiple Vulnerabilities Name Multiple Vulnerabilities in Milkeyway Captive Portal Systems Affected WebCalendar (any version, verified on 0.1 and 0.1.1) Severity Medium Risk Vendor sourceforge.net/projects/milkeyway Advisory http://www.ush.it/team/ascii/hack-milkeway/milkeyway.txt Author Francesco "aScii" Ongaro (ascii at katamail . com) Date 20060316 I. BACKGROUND Milkeyway is a software for the management and administration of internet access within public structures and frameworks, where the service supplying must be submitted to a scrupulous inspection. II. DESCRIPTION Nearly all SQL queries are vulnerable to SQL injection vulnerabilities. There are also some xss vulnerabilities. III. ANALYSIS Since there are 28 detected different vulnerabilities only an abstract will be included in this mail, please refer to the complete advisory aviable here: http://www.ush.it/team/ascii/hack-milkeway/milkeyway.txt 1) LOGIN PAGE authenticate() SQL INJECTION 2) add_userIp() SQL INJECTION 3) updateTimeStamp() SQL INJECTION 4) authuser.php USER DELETE SQL INJECTION 5) delete_user() SQL INJECTION 6) authuser.php MODIFY USER modify_user() SQL INJECTION 7) authuser.php MULTIPLE XSS 8) authuser.php EDIT SQL INJECTION 9) authuser.php RELEASE USER SQL INJECTION 10) releaseUser() SQL INJECTION 11) authuser.php ORDERING SQL INJECTION 12) authgroup.php ADD GROUP SQL INJECTION 13) add_team() SQL INJECTION 14) authgroup.php DELETE GROUP SQL INJECTION 15) delete_team() SQL INJECTION 16) authgroup.php MODIFY TEAM SQL INJECTION 17) modify_team() SQL INJECTION 18) traffic.php MULTIPLE SQL INJECTION 19) userstatistics.php ADD USER SQL INJECTION 20) userstatistics.php DELETE USER SQL INJECTION 21) userstatistics.php MODIFY USER SQL INJECTION 22) userstatistics.php EDIT USER SQL INJECTION 23) userstatistics.php MULTIPLE XSS 24) userstatistics.php $_GET['username'] SQL INJECTION 1 25) userstatistics.php $_GET['username'] SQL INJECTION 2 26) chgpwd.php SQL INJECTION 1 27) chgpwd.php SQL INJECTION 2 28) logout.php SQL INJECTION IV. DETECTION Milkeyway 0.1 and 0.1.1 are vulnerable. V. WORKAROUND Input validation will fix the vulnerability. Magic quotes ON will protect you against most of these injections except chapter 11 (authuser.php ORDERING SQL INJECTION) where the input has no single or double quotes around, making magic quotes useless. 11) SQL is injectable by $_GET['filter'] ---------------- in authuser.php ----------------- $orderingFilter = $_GET['filter']; if ($orderingFilter == '') $orderBy ="order by uname ASC" ; else $orderBy ="order by ".$orderingFilter." ".$direction; $result = mysql_query("SELECT * FROM authuser ".$orderBy ); -------------------------------------------------- VI. VENDOR RESPONSE No response at this time. VII. CVE INFORMATION No CVE at this time. VIII. DISCLOSURE TIMELINE 20060301 Bug discovered 20060316 Advisory released IX. CREDIT ascii is credited with the discovery of this vulnerability. X. LEGAL NOTICES Copyright (c) 2005 Francesco "aScii" Ongaro Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without mine express written consent. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please email me for permission. Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.