Category:   Application (Generic)  >   paFileDB
Vendors:   PHP Arena
paFileDB Input Validation Flaws Let Remote Users Inject SQL Commands to Be Executed on the Database Server
SecurityTracker Alert ID:  1006369
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Mar 24 2003
Impact:   Execution of arbitrary code via network, Modification of user information
Exploit Included:  Yes  
Version(s): paFileDB 3.0 Final, 3.0 Beta 3.1, 3.1 Final
Description:   Several vulnerabilities were reported in the paFileDB file management script. A remote user can submit modified ratings and can inject SQL commands to be executed by the underlying SQL server.

Flurnet Security reported that several variables are not properly filtered, allowing a remote user to conduct various attacks against the system.

A remote user can submit a random 'id' variable to submit an unlimited number of file ratings. A demonstration exploit URL is provided:


A remote user can submit a modified value for the 'rating' variable to submit ratings outside of the normal 0 - 10 rating range. A demonstration exploit URL to submit an excessively high rating of "1000" is provided:


Similarly, a remote user can drive a file's rating down by submitting a negative number for the 'rating' variable.

Neither the 'id' nor the 'rating' tag is properly filtered to remove SQL escape characters, according to the report. A remote user can submit a specially crafted value to cause an arbitrary SQL command to be executed on the underlying SQL database server.

The vendor has reportedly been notified.
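
Server-side handling that closes the three flaws described above, as an added example that is not paFileDB code and not part of the original advisory. The schema, the `submit_rating` function and the `voter` value (standing in for a server-side session or account identifier) are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical schema: table and column names are assumptions, not paFileDB's.
function open_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE files (id INTEGER PRIMARY KEY, name TEXT)');
    $db->exec('CREATE TABLE votes (
        file_id INTEGER NOT NULL,
        voter   TEXT    NOT NULL,
        rating  INTEGER NOT NULL CHECK (rating BETWEEN 0 AND 10),
        UNIQUE (file_id, voter))'); // one vote per file per voter
    $db->exec("INSERT INTO files (id, name) VALUES (1, 'demo.zip')");
    return $db;
}

// Returns 'ok', 'invalid', 'unknown-file' or 'duplicate'.
function submit_rating(PDO $db, string $voter, string $rawId, string $rawRating): string {
    // Whitelist: plain integers only, so quotes and SQL metacharacters are rejected.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    $rating = filter_var($rawRating, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0, 'max_range' => 10]]);
    if ($id === false || $rating === false) {
        return 'invalid';
    }
    // The id must name an existing file.
    $q = $db->prepare('SELECT 1 FROM files WHERE id = ?');
    $q->execute([$id]);
    if ($q->fetchColumn() === false) {
        return 'unknown-file';
    }
    try {
        // Bound parameters keep request values out of the SQL text.
        $ins = $db->prepare('INSERT INTO votes (file_id, voter, rating) VALUES (?, ?, ?)');
        $ins->execute([$id, $voter, $rating]);
    } catch (PDOException $e) {
        if ((string) $e->getCode() !== '23000') { throw $e; } // not a constraint violation
        return 'duplicate'; // UNIQUE (file_id, voter) rejected a repeat vote
    }
    return 'ok';
}

$db = open_db();
// Constructed inputs mirroring the cases in the advisory.
$cases = [['1', '7'], ['1', '7'], ['1', '1000'], ['1', '-1000'], ['x9k2', '5'], ["1'", '5']];
foreach ($cases as [$id, $rating]) {
    printf("%-6s %-6s => %s\n", $id, $rating, submit_rating($db, 'voter-a', $id, $rating));
}
```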

Impact:   A remote user can submit out-of-range rating values and can submit an unlimited number of rating submissions. A remote user can also inject SQL commands to be executed by the underlying database server.
Solution:   No solution was available at the time of this entry.
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   None.

 Source Message Contents

Subject:  [Full-Disclosure] paFileDB 3.x SQL Injection Vulnerability

Flurnet Security
paFileDB by
PHP Arena

Tested on:
         paFileDB 3.0 Final
         paFileDB 3.0 Beta 3.1
         paFileDB 3.1 Final


paFileDB is a file management script that supports user file rating. It 
uses an SQL database backend. Multiple vulnerabilities exist due to the 
lack of checked input variables. The following exploits exist:
  - Modified 'id' tag allows users to submit unlimited ratings.
  - Hand-edited 'rating' tag allows users to submit ratings above 10 or 
below 0.
  - Both tags do not check for escape characters and will allow SQL injection.

Proof-Of-Concept Exploits:

Replace [RANDOM] with a random short string and the script will not stop 
you from voting as many times as you like.

Submit file rating of 1000 out of 10. Drive rate up. Conversely, -1000 
would have the opposite effect driving the rating down.

SQL Injection vulnerability (exploit code not included)

Script authors have been notified.

____________________ __ _
KEY ID 0x8C2C37C4 ( RSA-CAST 2048/2048
1876 B762 F909 91EB 0C02  C06B 83FF E6C5 8C2C 37C4

Full-Disclosure - We believe in it.


