Message-ID: <20071214220805.12414.qmail@securityfocus.com>
Date: 14 Dec 2007 22:08:05 -0000
From: th3.r00k.nospam@...k.gmail.com
To: bugtraq@...urityfocus.com
Subject: PHP RPG - Sql Injection and Session Information Disclosure.

By Michael Brooks
Vulnerability: SQL Injection and Session Information Disclosure.
Homepage: http://sourceforge.net/projects/phprpg/
Version affected: 0.8.0

There are two flaws that affect this application. A nearly vanilla login bypass issue affects phprpg. If magic_quotes_gpc=off then this will log in an attacker as the administrator using this:
username:1'or 1=1 limit 1/*
password:1
Keep in mind that magic_quotes_gpc is being removed in php6!

The second flaw allows an attacker to steal any session registered by phprpg by navigating to this directory:
http://localhost/phpRPG-0.8.0/tmp/
This is because phprpg has manually changed the directory using session_save_path() which is called in init.php on line 49. 

Peace
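
The mitigations for both flaws, as an added example that is not part of the original advisory and is not phpRPG code: a login lookup with a bound parameter, and a check that the session directory resolves outside the web root before session_save_path() is called. The `users` table, its columns, the sample account and the directory layout are assumptions, and the script uses an in-memory SQLite database so it runs offline.

```php
<?php
// Added example, not phpRPG code. Table/column names, the sample account and
// the directory layout are assumptions made for illustration.

// Login check with a bound parameter: the username is data, never SQL text.
function login(PDO $db, string $user, string $pass): bool
{
    $stmt = $db->prepare('SELECT pass_hash FROM users WHERE name = ?');
    $stmt->execute([$user]);
    $hash = $stmt->fetchColumn();
    return is_string($hash) && password_verify($pass, $hash);
}

// True only when $savePath resolves to a directory outside the web root.
function session_path_is_private(string $savePath, string $docRoot): bool
{
    $save = realpath($savePath);
    $root = realpath($docRoot);
    if ($save === false || $root === false || !is_dir($save)) {
        return false; // unresolved paths are treated as unsafe
    }
    $root = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strpos($save . DIRECTORY_SEPARATOR, $root) !== 0;
}

// Constructed sample data: in-memory SQLite holding one account.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (name TEXT PRIMARY KEY, pass_hash TEXT)');
$db->prepare('INSERT INTO users VALUES (?, ?)')
   ->execute(['admin', password_hash('correct horse', PASSWORD_DEFAULT)]);

// Constructed layout: a web root that contains tmp/, plus a sibling directory.
$base = sys_get_temp_dir() . '/phprpg-demo-' . getmypid();
mkdir("$base/htdocs/tmp", 0700, true);
mkdir("$base/sessions", 0700, true);

// Point the session store only at a directory that HTTP cannot reach.
if (session_path_is_private("$base/sessions", "$base/htdocs")) {
    session_save_path("$base/sessions");
}

var_dump(login($db, 'admin', 'correct horse'));      // valid credentials
var_dump(login($db, "1'or 1=1 limit 1/*", '1'));     // string from the advisory
var_dump(session_path_is_private("$base/htdocs/tmp", "$base/htdocs"));
var_dump(session_path_is_private("$base/sessions", "$base/htdocs"));
```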
