SecurityTracker.com
SecurityTracker Archives

Category:   Application (Generic)  >   phpmyfamily
Vendors:   phpmyfamily.net
(Vendor Issues Fix) phpmyfamily Input Validation Holes Let Remote Users Inject SQL Commands
SecurityTracker Alert ID:  1013561
SecurityTracker URL:  http://securitytracker.com/id/1013561
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Mar 25 2005
Impact:   Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Modification of user information, User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 1.4.0
Description:   An input validation vulnerability was reported in phpmyfamily. A remote user can inject SQL commands.

Several scripts do not properly validate user-supplied input. A remote user can supply a specially crafted URL to execute SQL commands on the underlying database.

The 'people.php', 'track.php', 'edit.php', 'document.php', 'census.php', and 'passthru.php' scripts are vulnerable. Other scripts may also be affected.

A demonstration exploit URL is provided:

http://[target]/[path]/people.php?person=00002'%20UNION%20SELECT%20NULL,password,NULL,username,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL%20FROM%20family_users%20%20WHERE%20admin='Y'%20LIMIT%201,1/*

A remote user can supply the following login username to authenticate to the application with administrative privileges:

' OR 'a'='a' AND admin='Y'/*
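As a defender-side illustration, the following Python is an added example (not part of the advisory or of phpmyfamily) that scans web-server access-log lines for the two injection patterns shown above, tagging hits on the scripts the advisory names as affected. The log lines, client addresses and the login.php script name are constructed for the example and are not from the page.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Scripts the advisory names as vulnerable in phpmyfamily 1.4.0. It also says
# other scripts may be affected, so hits elsewhere are reported too.
AFFECTED_SCRIPTS = {"people.php", "track.php", "edit.php",
                    "document.php", "census.php", "passthru.php"}

# Indicators taken from the advisory's two demonstration strings, matched
# case-insensitively against the URL-decoded value of each query parameter.
INDICATORS = [
    ("union-select", re.compile(r"'\s*union\s+select\b", re.I)),
    ("comment-truncation", re.compile(r"/\*\s*$")),
    ("tautology", re.compile(r"'\s*or\s+'[^']*'\s*=\s*'", re.I)),
]

# Common/combined log format: client, ident, user, [time], "METHOD target HTTP/x"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')

def scan_line(line):
    """Return (client, script, param, indicator, known_affected) tuples for one line."""
    m = LOG_RE.match(line)
    if not m:
        return []
    client, target = m.groups()
    parts = urlsplit(target)
    script = parts.path.rsplit("/", 1)[-1]
    hits = []
    # parse_qsl percent-decodes and turns '+' into spaces, so the patterns
    # see the same string the PHP script would have received
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        for label, pattern in INDICATORS:
            if pattern.search(value):
                hits.append((client, script, name, label, script in AFFECTED_SCRIPTS))
    return hits

def scan_log(lines):
    return [hit for line in lines for hit in scan_line(line)]

# Constructed sample log lines (not real traffic): a benign request, the
# advisory's UNION payload against people.php, and its login bypass string
# submitted as a GET parameter to a hypothetical login.php.
SAMPLE_LOG = [
    '203.0.113.5 - - [25/Mar/2005:10:14:02 +0000] "GET /phpmyfamily/people.php?person=00002 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [25/Mar/2005:10:14:07 +0000] "GET /phpmyfamily/people.php?person=00002%27%20UNION%20SELECT%20NULL,password%20FROM%20family_users%20WHERE%20admin=%27Y%27%20LIMIT%201,1/* HTTP/1.1" 200 5220',
    '203.0.113.9 - - [25/Mar/2005:10:14:30 +0000] "GET /phpmyfamily/login.php?username=%27+OR+%27a%27%3D%27a%27+AND+admin%3D%27Y%27/*&password=x HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Access logs carry only the request line, so a login bypass sent in a POST body would not be visible here; that case needs application-level logging of the submitted username.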

The vendor has been notified.

ADZ Security Team reported this vulnerability.

Impact:   A remote user can supply a specially crafted URL to execute SQL commands on the underlying database.
Solution:   The vendor has issued a fixed version (1.4.1), available at:

http://www.phpmyfamily.net/downloads.php

Vendor URL:  www.phpmyfamily.net/
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   This archive entry is a follow-up to the message listed below.
Mar 21 2005 phpmyfamily Input Validation Holes Let Remote Users Inject SQL Commands


Source Message Contents:   [Original Message Not Available for Viewing]

Copyright 2021, SecurityGlobal.net LLC