securityvulns SECURITYVULNS:DOC:13177
History: Jun 15, 2006 - 12:00 a.m.

Chipmailer <= 1.09 Multiple Vulnerabilities

2006-06-15 00:00:00
vulners.com

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 Advisory: Chipmailer <= 1.09 Multiple Vulnerabilities

Release Date: 2006/06/13
Last Modified: 2006/06/13
Author: Tamriel [tamriel at gmx dot net]
Application: Chipmailer <= 1.09
Risk: Medium
Vendor Status: no patch available
Vendor Site: chipmailer.de

Overview:

Quote from http://chipmailer.de (translated from German):

"Chipmailer is a paidmail script of the newest generation that offers
attractive advantages. This script has a great many functions for users,
sponsors and administrators."

Details:

1) Cross Site Scripting Vulnerabilities in main.php
(around lines 300-310)

  ...

  $sitename = data("sitename");
  // $name, $betreff, $mail and $text are taken from the request unchanged
  $name = $_POST['name'];
  $betreff = $_POST['betreff'];
  $betreff = "Anfrage bei ".$sitename." über ".$betreff."";
  $mail = $_POST['mail'];
  $adminmail = data("adminmail");
  $text = $_POST['text'];

  // raw request values end up in the Subject and in the From: header
  mail($adminmail, $betreff, $text, "From: $name <$mail>");

  ...

  Nothing is validated, so an attacker can send the site administrator
  arbitrary mail. In the excerpt shown, $name and $mail are written
  straight into the From: header and $betreff into the Subject, so a
  value containing a line break can also add further mail headers.

  The same lack of input checking is found throughout the script, so
  only one example is given here.
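  As an added example (not Chipmailer code), this is how the contact
  form handler above could be hardened. The data() accessor is the
  script's own configuration helper and is stubbed here so the file
  runs stand-alone; the length limits and the PHP 7 syntax are
  assumptions of this example, not something the advisory specifies.

```php
<?php
// Added example, not Chipmailer code: hardened replacement for the
// contact-form handler quoted in the advisory.

// Stub for the script's data() config accessor (assumed values).
function data($key) {
    $cfg = ['sitename' => 'Example Site', 'adminmail' => 'admin@example.com'];
    return $cfg[$key] ?? '';
}

// A value that is going into a mail header must not contain CR, LF or NUL,
// otherwise it can terminate the header and start a new one.
function header_safe($value) {
    if ($value === null || preg_match('/[\r\n\0]/', $value)) {
        return null;
    }
    return $value;
}

function handle_contact(array $post) {
    $sitename  = data('sitename');
    $adminmail = data('adminmail');

    // FILTER_VALIDATE_EMAIL rejects anything that is not a single mailbox,
    // including values with embedded line breaks.
    $mail = filter_var($post['mail'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($mail === false) {
        return false;
    }

    // Name and subject land in headers: cap their length and refuse line breaks.
    // (100/200 characters are assumed limits for this example.)
    $name    = header_safe(substr(trim($post['name'] ?? ''), 0, 100));
    $betreff = header_safe(substr(trim($post['betreff'] ?? ''), 0, 200));
    if ($name === null || $name === '' || $betreff === null) {
        return false;
    }
    $betreff = 'Anfrage bei ' . $sitename . ' über ' . $betreff;

    // The body is plain text; normalise line endings so mail() never sees a bare CR.
    $text = str_replace(["\r\n", "\r"], "\n", (string)($post['text'] ?? ''));

    // Put the display name in a quoted-string and escape quotes/backslashes in it.
    $from = 'From: "' . addcslashes($name, '"\\') . '" <' . $mail . '>';

    return mail($adminmail, $betreff, $text, $from);
}
?>
```

  The check that matters is the one on line breaks: the original code
  lets the request decide how many headers the outgoing mail has.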

2) SQL Injection Vulnerability in main.php
(around line 335)

  ...

  // $anfang comes from the query string and is placed in an unquoted
  // numeric position, so quoting (and magic_quotes_gpc) does not apply
  $anfang = $_GET['anfang'];
  $connect = mysql_query("SELECT head, autor, date, text FROM news
  order by id desc LIMIT $anfang, 10");

  ...

3) Public phpinfo() in php.php
(around line 2)

  <?
  phpinfo();
  ?>

  The file php.php, which ships with the install files of this script,
  consists of nothing but a phpinfo() call. Anyone who requests it gets
  the PHP version, loaded modules, configuration and paths of the
  installation, which makes collecting information about a target easy.
  The file should be deleted after installation.

4) SQL Injection Vulnerability in main.php
(around lines 30-140)

  ...

  $name = $_POST['name'];
  $pass = md5($_POST['pass']);
  $passwdh = md5($_POST['passwdh']);
  $mail = $_POST['mail'];

  $anrede = $_POST['anrede'];
  $vorname = $_POST['vorname'];
  $nachname = $_POST['nachname'];

  $gebtag = $_POST['gebtag'];
  $gebmonat = $_POST['gebmonat'];
  $gebjahr = $_POST['gebjahr'];

  ...

  // every quoted value below is raw $_POST data; the code never escapes it,
  // so only magic_quotes_gpc (if enabled) stands between it and the query
  mysql_query("INSERT INTO user ( name, pass, mail, ip, status, register, anrede, vorname, nachname,
    strasse, hausnr, plz, stadt, land, geb, `int1`, `int2`, `int3`, `int4`, `int5`, `int6`, `int7`,
    `int8`, `int9`, `int10`, `int11`, `int12`, `int13`, `int14`, `int15`, `int16`, `int17`,
    `int18`, `int19`, `int20`, `int21`, newsletter, werber, paidmails, bespaidmails ) VALUES
    ( '$name', '$pass', '$mail', '$ip', '2', '$date', '$anrede', '$vorname', '$nachname',
    '$strasse', '$hausnr', '$plz', '$stadt', '$land', '$geb', '$int1', '$int2', '$int3', '$int4',
    '$int5', '$int6', '$int7', '$int8', '$int9', '$int10', '$int11', '$int12', '$int13', '$int14',
    '$int15', '$int16', '$int17', '$int18', '$int19', '$int20', '$int21', '$newsletter', '$werber',
    '0', '0' )");

  ...

  The values are quoted in the query but never escaped, so whenever
  magic_quotes_gpc is off an attacker can inject SQL directly through the
  registration form. Relying on magic_quotes_gpc is not a fix: it is a
  PHP configuration setting outside the script's control, and it was
  removed from PHP in 5.4.

  The same pattern appears elsewhere, for example at:

      line 1366-1369
      line 1519-1520
      line 1768-1769
      ...
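  As an added example (not Chipmailer code), both query shapes from
  sections 2 and 4 rewritten with mysqli prepared statements. $db is
  assumed to be an open mysqli connection, the column names follow the
  advisory's excerpts, the INSERT is reduced to its first columns, and
  the date format for the register column is an assumption.

```php
<?php
// Added example, not Chipmailer code: the two vulnerable query shapes from
// the advisory with the user input bound instead of interpolated.

// News paging (was: "... LIMIT $anfang, 10" with $anfang straight from $_GET).
// LIMIT is an unquoted numeric context, so magic_quotes_gpc never helped here;
// the value has to become an integer before it reaches SQL.
function fetch_news(mysqli $db, $anfang) {
    $offset = filter_var($anfang, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    if ($offset === false) {
        $offset = 0;   // "0/*" and similar inputs become page 0, not SQL
    }
    $stmt = $db->prepare('SELECT head, autor, date, text FROM news ORDER BY id DESC LIMIT ?, 10');
    $stmt->bind_param('i', $offset);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// Registration (was: a 40-column INSERT with every quoted value taken raw from
// $_POST). Reduced here to the first columns of the advisory's query; the
// remaining columns are bound the same way.
function register_user(mysqli $db, array $post, $ip) {
    $name = trim(isset($post['name']) ? $post['name'] : '');
    $mail = filter_var(isset($post['mail']) ? $post['mail'] : '', FILTER_VALIDATE_EMAIL);
    if ($name === '' || $mail === false || !isset($post['pass'])) {
        return false;
    }
    // md5 is kept only to stay compatible with the script's existing user table;
    // new code should use password_hash().
    $pass = md5($post['pass']);
    $date = date('Y-m-d H:i:s');   // assumed format for the register column

    $stmt = $db->prepare(
        'INSERT INTO user (name, pass, mail, ip, status, register) VALUES (?, ?, ?, ?, 2, ?)'
    );
    $stmt->bind_param('sssss', $name, $pass, $mail, $ip, $date);
    return $stmt->execute();
}
?>
```

  With bound parameters the quoting is done by the driver, so the fix no
  longer depends on how the hosting PHP is configured.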

Proof of Concept:

  index.php?area=news&anfang=0/*

  The unquoted LIMIT offset ends up as "LIMIT 0/*, 10", opening a comment
  that is never closed; the resulting MySQL syntax error confirms that
  the parameter reaches the query unfiltered.

Note:

  As no patch is available, it is strongly recommended to fix the script
  yourself. Also check the other insecure handling in the script, for
  example the logout routine, which does not overwrite the existing
  cookie.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3

iD8DBQFEjyQrqBhP+Twks7oRArnAAKCS99/tPofih3VT5r7rEPS3wcq5oQCfckFN
4uKl2tTrA802OsBlya53Vj8=
=d7Dx
-----END PGP SIGNATURE-----