Cyber Security Expo
CASR - ACAT: PHP TopSites Vulnerability Report by CyberArmy on 15/03/03

The purpose of this document is to show several vulnerabilities and provide fixes for the PHP TopSites Pro/Free script. This report is published for educational purposes only. The authors take no responsibility for damage resulting from the misuse of this information. All copyrights are retained by the authors. This information may not be reproduced without prior written consent from the authors.

PHP TopSites is a PHP/MySQL-based customizable TopList script. Main features include: easy configuration through a config file; MySQL database backend; unlimited categories; site rating based on incoming votes; special rating from the webmaster; anti-cheating gateway; random link; lost-password function; webmaster site approval; site editing; processing-time display; cookie-based anti-cheating; site reviews; no Linux cron required; frame protection; and much more.

The ACAT Team estimates that over 3000 websites use PHP TopSites scripts and that 95% of them are vulnerable to at least one of the following vulnerabilities. Even after several attempts by the ACAT Team to contact the developer, the company still refuses to acknowledge any of these vulnerabilities.

Vulnerability 1.

Critical XSS Vulnerability in all versions of PHP TopSites

Version: All
Script: add.php

Because PHP TopSites has no session authentication, an attacker can use an XSS vulnerability to delete, edit and change user accounts by having an unwitting admin's browser run the code. The attacker puts the payload in the description field when adding a new website to any particular topsite; short of customized browser security settings, there is almost no way for an admin to avoid running it. The code executes as soon as the admin loads the site-approval page. He has to do nothing but load the page, and the integrity of the database can be destroyed, because the description is never filtered or HTML-encoded on its way into that page: instead of displaying the text, the page executes it. Below are a few examples, placed into the description field when adding a new site.


This code deletes the user account with the given site id number as soon as the admin loads the page.

Using this code, an attacker can open a popup window to a page on his site that contains code for several more popup windows. Each window can be used to delete a site from the PHP TopSites database, so this method can erase an entire TopSites database as soon as the admin loads the page.

To fix this vulnerability open add.php and find:

if (!$name) { $err .= "Please enter your name.\n"; }
if (!$passw) { $err .= "Please enter password.\n"; }
if (!$email) { $err .= "Please enter your email address.\n"; }
if (!$title) { $err .= "Please enter site title.\n"; }
if (!$url) { $err .= "Please enter site url.\n"; }
if (!$banner_w) { $err .= "Please enter banner width.\n"; }
if (!$banner_h) { $err .= "Please enter banner height.\n"; }
if (!$description) { $err .= "Please enter site description.\n"; }
if (!$category) { $err .= "Please enter site category.\n"; }
if (check_email_addr($email) == 0) { $err .= "Please enter valid email address.\n"; }

Below it paste:

// Critical XSS vuln fix by JeiAr (January 12 2003) - all versions of PHP TopSites
// Rejects a value whose last character is one of the listed special characters.
// The original used ereg(); that function was removed in PHP 7, and preg_match()
// with the same character class is the equivalent.
$bad_tail = '/[-!#$%&\'*+\\\\.><=?^_`{|}]$/';
if (preg_match($bad_tail, $name)) { $err .= "Please enter a valid Name\n"; }
if (preg_match($bad_tail, $passw)) { $err .= "Please enter a valid Password\n"; }
if (preg_match($bad_tail, $title)) { $err .= "Please enter a valid Title\n"; }
if (preg_match($bad_tail, $linkback)) { $err .= "Please enter a valid Linkback\n"; }
if (preg_match($bad_tail, $url)) { $err .= "Please enter a valid URL\n"; }
if (preg_match($bad_tail, $banner_url)) { $err .= "Please enter a valid Banner URL\n"; }
if (preg_match($bad_tail, $banner_w)) { $err .= "Please enter a valid Banner Width\n"; }
if (preg_match($bad_tail, $banner_h)) { $err .= "Please enter a valid Banner Height\n"; }
if (preg_match($bad_tail, $description)) { $err .= "Please enter a valid Description\n"; }
if (preg_match($bad_tail, $category)) { $err .= "Please enter a valid Category\n"; }

Note what this check does and does not do. The trailing $ anchor means each test looks only at the last character of the value: a payload that ends in > is rejected, but the same payload followed by a few ordinary words is accepted, while a perfectly legitimate description that ends in a full stop is rejected because . is in the class. It also does nothing for the other pages that echo these fields. Treat it as a stopgap; the durable fix is to HTML-encode every user-supplied value when it is written into a page (htmlspecialchars() in PHP) and to require a confirmation step or token on the admin's delete and edit actions, so that merely loading a page can never trigger them.

Vulnerability 2.

Critical XSS Vulnerability in all versions of PHP TopSites

Version: All
Script: help.php

Because PHP TopSites has no session authentication, an attacker can use an XSS vulnerability to steal cookies or other user-supplied information. The vulnerability arises because the page is generated from unvalidated input from untrustworthy sources. The developer is urged to implement session authentication in this script. The following example lies in the help.php file.


Vulnerability 3.

Plaintext Password Disclosure Vulnerability in all versions of PHP TopSites

Version: All
Script: edit.php and admin scripts

No current version of PHP TopSites hashes user passwords, and the plaintext passwords can be viewed by anyone with access to the admin panel or the edit.php page. Any TopSite admin (or intruder) can try the user-supplied password against the user's website or email account. Anyone signing up for a TopList that runs PHP TopSites should keep this in mind, and anyone who uses the same password for everything should note that this is generally not a good habit. This vulnerability affects all versions. A suggestion to the developer would be to hash the passwords with the md5 function and not display the password to an admin when editing TopList users. (Unsalted md5 was the usual advice in 2003; a salted, deliberately slow password hash such as PHP's password_hash() is the current standard and the better choice for a fix made today.)
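As an added example, not PHP TopSites code and not the ACAT Team's suggestion, here is how a fix would store and check a site owner's password so that neither the admin panel nor edit.php ever has the plaintext to show, including a migration path for rows that already hold plaintext or an unsalted md5 digest. The sample rows are constructed; function names are assumptions.

```php
<?php
// Added example; not PHP TopSites code. Hashes passwords on the way into the
// database and upgrades legacy rows on the next successful login, so the
// plaintext is never stored and never displayed.

// add.php, before the INSERT: store the hash, never the password.
// password_hash() salts and uses bcrypt by default.
function hash_for_storage(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

// edit.php: compare the supplied password with what the row holds. Accepts the
// two legacy formats an existing install may contain so that users are not
// locked out when the table is migrated in place.
function password_matches(string $stored, string $supplied): bool
{
    if (password_verify($supplied, $stored)) {              // current format
        return true;
    }
    if (strlen($stored) === 32 && ctype_xdigit($stored)) {  // unsalted md5 hex (2003 advice)
        return hash_equals($stored, md5($supplied));        // (a 32-hex-char plaintext would be
    }                                                       //  mis-detected; acceptable for a migration)
    return hash_equals($stored, $supplied);                 // plaintext from an unpatched install
}

// True for legacy rows and for hashes made with an outdated cost. Call it only
// after password_matches() succeeded, then UPDATE the row with hash_for_storage().
function needs_upgrade(string $stored): bool
{
    return password_needs_rehash($stored, PASSWORD_DEFAULT);
}

// Constructed sample rows (hypothetical data): a plaintext row from an old
// install, an md5 row, and one already in the current format.
$rows = [
    5 => ['password' => 'seekrit',                    'supplied' => 'seekrit'],
    6 => ['password' => md5('hunter2'),               'supplied' => 'hunter2'],
    7 => ['password' => hash_for_storage('tr0ub4dor'), 'supplied' => 'wrongpass'],
];

foreach ($rows as $sid => &$row) {
    $ok = password_matches($row['password'], $row['supplied']);
    if ($ok && needs_upgrade($row['password'])) {
        // In the script this is: UPDATE top_user SET password=? WHERE sid=?
        $row['password'] = hash_for_storage($row['supplied']);
    }
    $format = password_get_info($row['password'])['algoName'];   // 'unknown' for legacy values
    printf("sid %d: login %s, stored format now %s\n", $sid, $ok ? 'ok' : 'refused', $format);
}
unset($row);
```

Rows 5 and 6 verify against their legacy values and are rewritten as password_hash() strings on the spot; row 7 refuses the wrong password and is left untouched. The admin edit page should then show a "reset password" control in place of the value, since there is no longer anything readable to display.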

Vulnerability 4.

PHP TopSites User Account Compromise Vulnerability in All Pro versions and in 1.xx Free versions

Version: All Pro Versions and Free Versions 1.xx

This is exploitable because of two conditions in the PHP/MySQL configuration. First, register_globals is on in php.ini, which turns every request parameter into a global variable. Second, the underlying database is MySQL, which does not require numeric criteria in the SQL statement to be quoted. An injection into a numeric position therefore needs no quote characters, which are all that PHP's magic_quotes_gpc protection escapes, so that protection is bypassed.

It is possible for an attacker to use SQL injection to expose all account details for any user whose id number he or she knows. All site ID numbers of a particular Top List are made available on the index.php page. The vulnerable code resides in edit.php. Examples are listed below.

This injection negates the password check and provides access to the TopList edit page, from which all information about a particular site can be viewed and edited. Note that the password is displayed in plaintext on this page as well.

All users of the 1.XX Free script(s) are urged to upgrade their scripts as soon as possible. If you are not able to upgrade, the below code should serve as a quick fix.

In the edit.php file change:

$query = mysql_db_query($dbname, "Select * from top_user Where sid=$sid AND password='$passw'", $db) or die(mysql_error());
$num_rows = mysql_num_rows($query);

to:

$query = mysql_db_query($dbname, "Select * from top_user Where sid='$sid' AND password='$passw'", $db) or die(mysql_error());
$num_rows = mysql_num_rows($query);

Quoting $sid works only because magic_quotes_gpc then escapes the quote an attacker would need to break out of the string literal, so it is a stopgap tied to that setting. magic_quotes_gpc was removed in PHP 5.4 and the mysql_* functions in PHP 7.0; on any current PHP the durable fix is to accept $sid only if it is an integer and to run the query as a prepared statement with bound parameters.

In conclusion, the vulnerabilities in this script are very easy to exploit. They compromise the security of user accounts, the integrity of the data in the database, and the security of the server it is hosted on. All administrators currently using this script on their websites are strongly urged to patch or upgrade PHP TopSites. Some versions, such as the Pro version, have no developer upgrades or patches available at the time of this writing, so they remain vulnerable to the attacks described above.

All Credits go to the CyberArmy Application and Code Auditing Team:

