Nac Mac Feegle has discovered multiple vulnerabilities in Uiga Church Portal, which can be exploited by malicious people to disclose potentially sensitive information, conduct cross-site scripting, script insertion, and SQL injection attacks, bypass certain security restrictions, and compromise a vulnerable system.

1) Input passed to the "file_photo_name" parameter in admin/bible/biblegallery.php, admin/lifegroups/lifegallery.php, admin/minutes/minutesgallery.php, and admin/multimedia/multimediagallery.php, the "checkbox" parameter in admin/news/newsend.php and admin/news/testing.php, the "script[]" parameter in admin/news/userlist.php, admin/upload/userlist.php, and head.php, the "file_name" parameter in admin/photos/gallery.php and gallery.php, the "checkbox[]" and "message" parameters in admin/special.php, the "pagetitle" parameter in admin/template.php and include/template.php, the "img" parameter in anniv.php and famday.php, the "username", "photo_main", "title_desc", "par", "par1", "par2", and "par3" parameters in archivedetails.php and ar_det.php, the "email_from", "name_from", "telephone" and "message" parameters in contact.php, the "title_desc", "photo_main", "par1", "par2", "par3", and "username" parameters in exhortation.php, the "script[]" and "pagetitle" parameters in head2.php, the "pagetitle" parameter in template.php, the "case" parameter in login2.php, the "file_photo_name" parameter in multimediagallery.php, the "error" parameter in admin/user/modify.php, the "id" parameter in admin/time_date.php, the "id", "event_time", "event_name", "event_id", and "event_desc" parameters in admin/editevent.php, the "delete_id" parameter in admin/calendar.php, the "id", "a_title", and "a_details" parameters in admin/announcements/modifynews.php, the "cid", "image", cat_name", and "cat_desc" parameter in admin/photos/editcat.php, the "par", "par1", "par2", "par3", "title_desc", and "username" parameter in admin/exhortation/exhoredit.php, the "box" paremeter in admin/photos/edit.php, the "cid", "bib_name", and "bib_image" parameters in admin/bible/editcat.php, the "cid", "music_name", and "music_image" parameters in admin/music/editcat.php, the "cid", "mul_name", and "mul_image" parameters in admin/multimedia/editcat.php, the "cid", "life_name", and "life_image" parameters in admin/lifegroups/editcat.php, the "id" parameter in testimonisview.php, the "delete" parameter in admin/lifegroups/lifegroups.php, the "id" and "min_name" parameters in admin/minutes/upload.php, the "id" and "mul_name" parameters in admin/multimedia/upload.php, the "delete" parameter in admin/music/music.php, the "list" and "user_id" parameters in admin/news/uploadfile.php, the "id" and "cat_name" parameters in admin/photos/upload.php, the "txtuser" and "txtpassword" parameters in login2.php and admin/login.php, the "testi_image", "testi_name", "testi_des1", "testi_des2", "testi_des3", "testi_des4", "testi_des5", "testi_des6", "testi_des7", and "testi_complete" parameters in testimoniesview.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

2) Input passed via the URL to gallery.php, multimediagallery.php, and to the "filepaging()" and "paging_update()" functions in library/functions.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

3) Input passed to the "id" parameter in download.php, downloadlife.php, downloadminutes.php, downloadmultimedia.php, downloadmusic.php, multimediagallery.php, photoview.php, testimoniesview.php, and gallery.php, the "view" parameter in archivedetails.php, the "day", "month", and "year" parameters in events.php, the "offset" parameter in gallery.php, multimediagallery.php, and a_detail.php, the "media" parameter in "multimediaview.php, the "delete" parameter in music.php, and the "exhort" parameter in ar_det.php is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

4) Input passed to the "content" parameter in admin/template.php and include/template.php is not properly verified before being used to include files. This can be exploited to include arbitrary files from local or external resources.

5) Input passed to the "bib_image" and "id" parameters in download.php, the "life_image" parameter in downloadlife.php, the "min_image" parameter in downloadminutes.php, the "mul_image" and "id" parameters in downloadmultimedia.php, and the "music_image" and "id" parameters in downloadmusic.php is not properly verified before being used to download files. This can be exploited to e.g. download arbitrary files via directory traversal attacks.

6) The application does not properly restrict access to the admin/bible/biblegallery.php, admin/lifegroups/lifegallery.php, admin/minutes/minutesgallery.php, admin/multimedia/multimediagallery.php, admin/news/mail.php, admin/news/processUpload.php, admin/photos/gallery.php, admin/upload/download.php, admin/upload/processUpload.php, admin/user/download.php, and admin/user/processUpload.php scripts. This can be exploited to e.g. conduct SQL injection attacks or upload and execute malicious PHP files.

7) A backdoor exists in the application (admin/news/error.php) and can be exploited to e.g. execute arbitrary shell commands.

8) The "checkClientUser()" function does not properly check for valid user sessions, which can be exploited to bypass the authentication mechanism.

9) The application allows users to perform certain actions via HTTP requests without performing any validity checks to verify the request. This can be exploited to perform actions with the privileges of a target user, who is tricked into visiting a malicious website.

10) Input passed via the "txtname", "txtcontact", or "txtevents" to special_event.php is not properly sanitised before being displayed to the user. This can be exploited to inject arbitrary HTML and script code, which will be executed in a user's browser session in context of an affected site when the malicious data is viewed.

11) The application does not properly restrict access to multimediaview.php and ar_det.php, which can be exploited to access restricted content without valid user credentials.

The vulnerabilities are confirmed in a version downloaded on 2009-12-04. Other versions may also be affected.

Solution
Use another product.

Provided and/or discovered by
Nac Mac Feegle

Deep Links
Links available to Secunia VIM customers