Secunia

Some vulnerabilities have been discovered in PHPizabi, which can be exploited by malicious people to disclose sensitive information, conduct SQL injection, cross-site scripting, request forgery attacks, or compromise a vulnerable system.

1) Input passed to the "sendChatData" parameter in modules/chat/dac.php is not properly verified before being used to open files. This can be exploited to open arbitrary files from local resources via directory traversal attacks and URL-encoded NULL bytes.

NOTE: The vulnerability can be exploited to execute arbitrary PHP code by injecting PHP into log files residing within the web root via the "User-Agent" HTTP header.

2) Input passed via the "notepad_body" parameter in index.php to the "bufferProcParse()" function in theme/default/proc.inc.php is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

3) The application does not properly restrict access to the "index.php" script (when "L" is set to "interact.file" and "id" is set to a non NULL value). This can be exploited to upload files with arbitrary extensions (e.g. .php) and execute arbitrary PHP code on the server.

4) Input passed via various parameters to multiple scripts is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

Examples:
http://[host]/index.php?L=blogs.search&query=[code]
http://[host]/index.php?L=inkspot.search&query=[code]
http://[host]/index.php?L=inkspot.write&topic=[code]

5) The application allows users to perform certain actions via HTTP requests without performing any validity checks to verify the request. This can be exploited to e.g. delete an event or ban an IP address from posting, when a logged-in administrative user visits a malicious web page.

The vulnerabilities are confirmed in version 0.848b C1 HFP1. Other versions may also be affected.

Solution
Edit the source code to ensure that input is properly verified and sanitised and ensure that proper access restrictions are implemented. Do not browse untrusted websites or follow untrusted links while logged in to the application.

Provided and/or discovered by
1) YOUCODE
2) Nine:Situations:Group
3) EgiX
4, 5) Reported by Russ McRee via Secunia.

Changelog
Further details available in Customer Area

Original Advisory
1) http://milw0rm.com/exploits/8268
2) http://milw0rm.com/exploits/8279
3) http://milw0rm.com/exploits/8287
4, 5) http://holisticinfosec.org/content/view/131/45/

Deep Links
Links available in Customer Area