Message-ID: <1112099946_88707@S2.cableone.net>
Date: Tue, 29 Mar 2005 06:21:24 -0600
From: "GulfTech Security Research" <security@...ftech.org>
To: <bugtraq@...urityfocus.com>, "OSVDB" <moderators@...db.org>
Subject: Multiple phpCoin Vulnerabilities


##########################################################
# GulfTech Security Research		 March 28th, 2005
##########################################################
# Vendor  : COINSoft Technologies Inc.
# URL     : http://www.phpcoin.com/
# Version : phpCoin v1.2.1b && Earlier
# Risk    : Multiple Vulnerabilities
##########################################################



Description:
phpCoin is a free software package originally designed for 
web-hosting resellers to handle clients, orders, invoices, 
notes and helpdesk. phpCoin versions 1.2.1b and earlier are
prone to multiple vulnerabilities such as File Inclusion and 
SQL Injection.



SQL Injection:
There are three SQL Injection vulnerabilities in
phpCoin v1.2.1b and earlier. Two of the issues are not very
easy to exploit, but one (in the search engine) is very useful.
The SQL Injection issue in the search engine is pretty
straightforward: break out of the single quotes in the search
term/keywords field and enter the query of your choice. The other
two SQL Injection issues take place when ordering a product and
when requesting a forgotten password. When requesting a forgotten
password, neither the username nor the email field is safe from
SQL Injection. Also, when ordering a new package you can put an
allowed domain name such as test.ca followed by SQL, as long as
you break out of the single quotes. It should be noted that these
issues probably will not present themselves if magic_quotes_gpc
is on.



File Include Vulnerability:
There is a local file include vulnerability in auxpage.php when
passing the 'page' parameter:

http://phpcoin/auxpage.php?page=../../../some/other/file

Using a request similar to the example above, an attacker could
traverse out of the directory and include arbitrary files to be
read or executed.
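
For sites that ran an affected version, the following added example
(not part of the original advisory and not phpCoin code) scans web
server access logs for auxpage.php requests whose 'page' value leaves
the page directory. The common/combined log format, the function names
and the sample lines are assumptions made for illustration; the check
also covers repeated percent-encoding, absolute paths and NUL bytes,
which goes beyond the single request shown above.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Request line inside a common/combined-format access log entry (assumed format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample log lines; addresses are from the documentation range.
SAMPLE_LOG = [
    '192.0.2.10 - - [29/Mar/2005:06:30:01 -0600] "GET /auxpage.php?page=about HTTP/1.1" 200 5120',
    '192.0.2.44 - - [29/Mar/2005:06:31:17 -0600] "GET /auxpage.php?page=../../../some/other/file HTTP/1.1" 200 812',
    '192.0.2.44 - - [29/Mar/2005:06:31:40 -0600] "GET /auxpage.php?page=%252e%252e%252fconfig HTTP/1.1" 200 97',
    '192.0.2.77 - - [29/Mar/2005:06:35:02 -0600] "GET /index.php?page=../x HTTP/1.1" 404 210',
]

def fully_decode(value, max_rounds=3):
    """Undo repeated percent-encoding so %252e%252e is seen as '..'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_page_value(raw_query):
    """Return the decoded 'page' value if it points outside the page directory."""
    for raw in parse_qs(raw_query, keep_blank_values=True).get("page", []):
        value = fully_decode(raw).replace("\\", "/")
        if ".." in value.split("/") or value.startswith("/") or "\x00" in value:
            return value
    return None

def find_auxpage_traversal(log_lines):
    """Return (line number, client address, decoded page value) for each hit."""
    hits = []
    for lineno, line in enumerate(log_lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        if not url.path.lower().endswith("/auxpage.php"):
            continue
        value = suspicious_page_value(url.query)
        if value is not None:
            hits.append((lineno, line.split()[0], value))
    return hits

if __name__ == "__main__":
    for hit in find_auxpage_traversal(SAMPLE_LOG):
        print(hit)
```

A hit shows that a traversal request was made, not that it succeeded;
compare the response status and size against a normal auxpage.php
response before treating it as a confirmed read.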



Solution:
The guys at phpCoin worked very quickly to get a fix out, and a fix 
has been available for a while now. Upgrade your vulnerable version.



Related Info:
The original advisory can be found at the following location:
http://www.gulftech.org/?node=research&article_id=00065-03292005



Credits:
James Bercegay of the GulfTech Security Research Team
