lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20070504210126.28912.qmail@securityfocus.com>
Date: 4 May 2007 21:01:26 -0000
From: aeroxteam_PLEASEDONTSPAMUS@...il.com
To: bugtraq@...urityfocus.com
Subject: NPDS <= 5.10 - Multiple SQL injections

[|Description:|]
Security holes were found in NPDS 5.10.

N°1: Sql Injection in cookies (File Mainfile.php lines 655 to 691).
No check is carried out on nicknames or Id which can allow an attacker
to modify a SQL request so as to obtain data.

N°2: SQL Injection due to a bad use of "X_FORWARDED_FOR" (file Mainfile.php lines 88 to 110).
NPDS uses the HTTP header "X_FORWARDED_FOR" which normally contains the IP adress
of a person using a non anonymous proxy. This Ip address is used in a SQL resquest without appropriate
filtering, and an attacker can define "X_FORWARDED_FOR" insering malicious SQL code.

[|Exploit:|]
http://www.aeroxteam.fr/exploit-NPDS-5.10.txt

[|Solution:|]
N°1: File mainfile.php, add after line 665:
$cookie[0] = inval($cookie[0);
$cookie[1] = addslashes($cookie[1]);
$cookie[2] = addslashes($cookie[2]);

N°2: Replace fonction "getip" (mainfile.php) by:
function getip() {
	return $_SERVER['REMOTE_ADDR'];
}

[|Credits:|]
Gu1ll4um3r0m41n (aeroxteam --[at]-- gmail --[dot]-- com)
for AeroX (AeroXteam.fr)

[|Gr33tz:|]
Gr33tz: Darkfig, Spamm, Math², Barma, NeoMorphS, Snake91, Kad, Nitr0, BlastKiller, Alkino And everybody from #aerox@....epiknet.org

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ