SecurityTracker.com
SecurityTracker Archives

Category:   Application (Generic)  >   paFileDB Vendors:   PHP Arena
paFileDB Input Validation Flaws Let Remote Users Inject SQL Commands to Be Executed on the Database Server
SecurityTracker Alert ID:  1006369
SecurityTracker URL:  http://securitytracker.com/id/1006369
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Mar 24 2003
Impact:   Execution of arbitrary code via network, Modification of user information
Exploit Included:  Yes  
Version(s): paFileDB 3.0 Final, 3.0 Beta 3.1, 3.1 Final
Description:   Several vulnerabilities were reported in the paFileDB file management script. A remote user can submit modified ratings and can inject SQL commands to be executed by the underlying SQL server.

Flurnet Security reported that several variables are not properly filtered, allowing a remote user to conduct various attacks against the system.

A remote user can submit a random 'id' variable to submit an unlimited number of file ratings. A demonstration exploit URL is provided:

http://target/pafiledb/pafiledb.php?action=rate&id=1[RANDOM]&rate=dorate&rating=10

A remote user can submit a modified value for the 'rating' variable to submit ratings outside of the normal 0 - 10 rating range. A demonstration exploit URL to submit an excessively high rating of "1000" is provided:

http://target/pafiledb/pafiledb.php?action=rate&id=1&rate=dorate&rating=1000

Similarly, a remote user can drive a file's rating down by submitting a negative number for the 'rating' variable.

According to the report, neither the 'id' nor the 'rating' parameter is filtered to remove SQL escape characters. A remote user can therefore submit a specially crafted value to cause arbitrary SQL commands to be executed on the underlying SQL database server.

The vendor has reportedly been notified.

Impact:   A remote user can submit out-of-range rating values and can submit an unlimited amount of rating submissions. A remote user can also inject SQL commands to be executed by the underlying database server.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.phparena.net/pafiledb/
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   None.
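The three flaws in the 'rate' action described above (unchecked 'id', out-of-range 'rating', and SQL metacharacters reaching the query) can all be closed in one handler. The code below is an added illustration written for this entry, not code from paFileDB or PHP Arena; it assumes a PDO connection configured to throw exceptions, a files/ratings schema of its own, and a caller-supplied voter identity.

```php
<?php
// Added example for this advisory, not paFileDB's own code. Table names,
// columns and the $voter identity (e.g. a session user id) are assumptions.
// Assumed schema: files(id INTEGER PRIMARY KEY, rating_total INTEGER,
// rating_count INTEGER); ratings(file_id INTEGER, voter TEXT,
// PRIMARY KEY (file_id, voter)). $db must use PDO::ERRMODE_EXCEPTION.
declare(strict_types=1);

function rateFile(PDO $db, array $params, string $voter): string
{
    // 'id' must be a positive integer: "1abc" or "1`" (the [RANDOM] and
    // backtick forms from the report) fail validation before any query runs.
    $id = filter_var($params['id'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return 'invalid id';
    }
    // 'rating' must be an integer in 0..10, so 1000 and -1000 are rejected.
    $rating = filter_var($params['rating'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0, 'max_range' => 10]]);
    if ($rating === false) {
        return 'invalid rating';
    }

    $db->beginTransaction();
    try {
        // One vote per voter per file: the composite primary key turns a
        // repeat vote into a constraint violation rather than a second count.
        $st = $db->prepare('INSERT INTO ratings (file_id, voter) VALUES (?, ?)');
        $st->execute([$id, $voter]);
    } catch (PDOException $e) {
        $db->rollBack();
        if ($e->getCode() !== '23000') {   // SQLSTATE 23000 = integrity violation
            throw $e;
        }
        return 'already rated';
    }
    // Prepared statements keep the values out of the SQL text entirely.
    $st = $db->prepare('UPDATE files SET rating_total = rating_total + ?, '
        . 'rating_count = rating_count + 1 WHERE id = ?');
    $st->execute([$rating, $id]);
    if ($st->rowCount() === 0) {   // unknown id: undo the vote row as well
        $db->rollBack();
        return 'no such file';
    }
    $db->commit();
    return 'ok';
}
```

With this handler each of the report's demonstration URLs is rejected at the validation step, and a repeat vote from the same voter is refused by the database rather than counted again.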


Source Message Contents

Subject:  [Full-Disclosure] paFileDB 3.x SQL Injection Vulnerability


Flurnet Security
----------------
paFileDB by todd@phparena.net
PHP Arena http://www.phparena.net


Tested on:
         paFileDB 3.0 Final
         paFileDB 3.0 Beta 3.1
         paFileDB 3.1 Final


Explanation:

paFileDB is a file management script that supports user file rating. It 
uses an SQL database backend. Multiple vulnerabilities exist due to the 
lack of checked input variables. The following exploits exist:
  - Modified 'id' tag allows users to submit unlimited ratings.
  - Hand-edited 'rating' tag allows users to submit ratings above 10 or 
below 0.
  - Both tags do not check for escape characters and will allow SQL injection.


Proof-Of-Concept Exploits:

http://target/pafiledb/pafiledb.php?action=rate&id=1[RANDOM]&rate=dorate&rating=10
Replace [RANDOM] with a random short string and the script will not stop 
you from voting as many times as you like.


http://target/pafiledb/pafiledb.php?action=rate&id=1&rate=dorate&rating=1000
Submit file rating of 1000 out of 10. Drive rate up. Conversely, -1000 
would have the opposite effect driving the rating down.

http://target/pafiledb/pafiledb.php?action=rate&id=1&rate=dorate&rating=`
http://target/pafiledb/pafiledb.php?action=rate&id=`&rate=dorate&rating=10
SQL Injection vulnerability (exploit code not included)


Script authors have been notified.


____________________ __ _
~FluRDoInG                        flur@flurnet.org
                             http://www.flurnet.org
KEY ID 0x8C2C37C4 (pgp.mit.edu) RSA-CAST 2048/2048
1876 B762 F909 91EB 0C02  C06B 83FF E6C5 8C2C 37C4

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Copyright 2021, SecurityGlobal.net LLC