SecurityTracker.com
SecurityTracker
Archives
Category:   Application (Generic)  >   phphg
Vendors:   hintondesign.org
phphg Multiple Input Validation Holes Permit SQL Injection and Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1015620
SecurityTracker URL:  http://securitytracker.com/id/1015620
CVE Reference:   CVE-2006-0602, CVE-2006-0603, CVE-2006-0604
Date:  Feb 13 2006
Impact:   Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
Exploit Included:  Yes  
Version(s): 1.2
Description:   Several vulnerabilities were reported in phphg. A remote user can inject SQL commands to bypass the authentication process. A remote user can conduct cross-site scripting attacks.

The 'check.php' script does not properly validate user-supplied input in the 'username' parameter. If magic_quotes_gpc is disabled, a remote user can supply a specially crafted parameter value to execute SQL commands on the underlying database.

The 'id' parameter in the following administrative scripts is also affected:

admin/edit_smilie.php
admin/add_theme.php
admin/ban_ip.php
admin/add_lang
admin/edit_filter

The 'check.php' script also does not properly validate cookie-based authentication credentials.
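Both authentication flaws described above (the interpolated 'username' value in check.php and the cookie login that skips the password check) share the same remedy: send user input to the database only as bound parameters, and never accept a cookie identity without verifying a secret that goes with it. The following PHP is an added example written from the advisory's description; it is not phphg's code. The table and column names (users, username, password_hash, auth_token), the cookie names, and the admin table list are assumptions chosen for the illustration.

```php
<?php
declare(strict_types=1);

/*
 * Hardened stand-in for the check.php logic described in the advisory.
 * Added example, not phphg's code. Assumed schema: table `users` with
 * columns `username`, `password_hash` (output of password_hash()) and
 * `auth_token` (a random per-login value backing the "remember me" cookie).
 */

// Form login. The username reaches MySQL as a bound parameter, never by string
// interpolation, so quote characters in it cannot alter the query. This holds
// whether or not magic_quotes_gpc is on, which is the point: the fix does not
// depend on a PHP ini setting.
function loginWithPassword(mysqli $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = ? LIMIT 1');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->bind_result($storedHash);
    $found = $stmt->fetch();
    $stmt->close();

    if (!$found || $storedHash === null) {
        return false;
    }
    return password_verify($password, $storedHash);
}

// Cookie login. The advisory notes that check.php identifies the user from the
// cookie without any password comparison. Here the cookie must also carry a
// token, compared in constant time against the value stored for that user.
function loginWithCookie(mysqli $db, string $cookieUser, string $cookieToken): bool
{
    $stmt = $db->prepare('SELECT auth_token FROM users WHERE username = ? LIMIT 1');
    $stmt->bind_param('s', $cookieUser);
    $stmt->execute();
    $stmt->bind_result($storedToken);
    $found = $stmt->fetch();
    $stmt->close();

    if (!$found || $storedToken === null || $storedToken === '') {
        return false;
    }
    return hash_equals($storedToken, $cookieToken);
}

// Issue a fresh random token after a successful password login and store it
// server-side; the password itself never goes into a cookie.
function issueAuthCookie(mysqli $db, string $username): void
{
    $token = bin2hex(random_bytes(32));
    $stmt = $db->prepare('UPDATE users SET auth_token = ? WHERE username = ?');
    $stmt->bind_param('ss', $token, $username);
    $stmt->execute();
    $stmt->close();

    $opts = ['httponly' => true, 'secure' => true, 'samesite' => 'Lax', 'path' => '/'];
    setcookie('auth_user', $username, $opts);
    setcookie('auth_token', $token, $opts);
}

// Admin scripts (edit_smilie.php, ban_ip.php, ...): the `id` parameter is an
// integer, so reject anything else before it reaches the query and bind it as
// an int. The table name comes from an allow-list, not from the request.
function loadAdminRecord(mysqli $db, string $table, $rawId): ?array
{
    $allowedTables = ['smilies', 'themes', 'banned_ips', 'languages', 'filters']; // assumed names
    if (!in_array($table, $allowedTables, true)) {
        return null;
    }
    $id = filter_var($rawId, FILTER_VALIDATE_INT);
    if ($id === false) {
        return null;
    }
    $stmt = $db->prepare("SELECT * FROM `$table` WHERE id = ? LIMIT 1");
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Typical use in a request handler (requires a connected mysqli $db):
//   if (loginWithPassword($db, $_POST['username'] ?? '', $_POST['password'] ?? '')) {
//       issueAuthCookie($db, $_POST['username']);
//   } elseif (!loginWithCookie($db, $_COOKIE['auth_user'] ?? '', $_COOKIE['auth_token'] ?? '')) {
//       http_response_code(403);
//   }
```

A simple detection check for the original defect is to grep the code base for `$HTTP_POST_VARS` or `$HTTP_GET_VARS` values appearing inside a quoted SQL string; every such site should be converted to a prepared statement as above rather than relying on magic_quotes_gpc, which was removed from PHP long ago.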

The 'signed.php' script does not properly filter HTML code from user-supplied input in the 'location', 'website', and 'message' parameters. A remote user can create a specially crafted POST request that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the vulnerable software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
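The XSS in signed.php is an output-encoding problem: the 'location', 'website' and 'message' values are stored and later written into HTML unchanged. The following PHP is an added example (not phphg's code) showing how such a guestbook entry should be rendered: every field is HTML-escaped for its context, and the 'website' value is only turned into a link if it is an absolute http or https URL. The function names, field names and the sample POST body are constructed for the illustration.

```php
<?php
declare(strict_types=1);

/*
 * Added example, not phphg's code: context-aware output encoding for the
 * three guestbook fields named in the advisory.
 */

// Escape for an HTML text node or a double-quoted attribute value.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Accept only absolute http(s) URLs for the website field. Anything else
// (including javascript: or data: URLs) is dropped rather than rendered as a
// link, because escaping alone does not make an href value safe.
function safeWebsiteUrl(string $url): ?string
{
    $url = trim($url);
    if ($url === '' || filter_var($url, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true) ? $url : null;
}

// Render one stored entry. Escaping happens here, at output time, so the
// database keeps the original text and no field is trusted as markup.
function renderEntry(array $entry): string
{
    $html  = '<div class="entry">';
    $html .= '<span class="location">' . h((string) ($entry['location'] ?? '')) . '</span>';

    $site = safeWebsiteUrl((string) ($entry['website'] ?? ''));
    if ($site !== null) {
        $html .= ' <a href="' . h($site) . '" rel="nofollow noopener">' . h($site) . '</a>';
    }

    // nl2br after escaping, so the only <br> tags are the ones we add.
    $html .= '<p>' . nl2br(h((string) ($entry['message'] ?? ''))) . '</p>';
    $html .= '</div>';
    return $html;
}

// Constructed sample in the $_POST shape signed.php would receive. The markup
// in the fields is rendered as literal text, not executed.
$sample = [
    'location' => 'Minsk <b>bold</b>',
    'website'  => 'javascript:alert(1)',
    'message'  => "Hello\n<script>alert(1)</script>",
];
header('Content-Type: text/html; charset=UTF-8');
echo renderEntry($sample), PHP_EOL;
// Output (as one line):
// <div class="entry"><span class="location">Minsk &lt;b&gt;bold&lt;/b&gt;</span>
// <p>Hello<br />
// &lt;script&gt;alert(1)&lt;/script&gt;</p></div>
```

Declaring the charset in the Content-Type header matters as well: htmlspecialchars is told the input is UTF-8, and the browser must decode the page the same way for the escaping to be complete.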

A demonstration exploit is available at:

http://evuln.com/vulns/58/exploit.html

Aliaksandr Hartsuyeu (eVuln.com) discovered this vulnerability.

Impact:   A remote user can execute SQL commands on the underlying database.

A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the phphg software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

Solution:   No solution was available at the time of this entry.
Vendor URL:  www.hintondesign.org/downloads/view_cat.php?cat_id=45
Cause:   Authentication error, Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


Source Message Contents

Subject:  [eVuln] phphg Guestbook Multiple Vulnerabilities

New eVuln Advisory:
phphg Guestbook Multiple Vulnerabilities
http://evuln.com/vulns/58/summary.html

--------------------Summary----------------
eVuln ID: EV0058
CVE: CVE-2006-0602 CVE-2006-0603 CVE-2006-0604
Vendor: Hinton Design
Vendor's Web Site: http://www.hintondesign.org
Software: phphg Guestbook
Software's Web Site: http://www.hintondesign.org/downloads/view_cat.php?cat_id=45
Versions: 1.2
Critical Level: Moderate
Type: Multiple Vulnerabilities
Class: Remote
Status: Unpatched. No reply from developer(s)
Exploit: Available
Solution: Not Available
Discovered by: Aliaksandr Hartsuyeu (eVuln.com)

-----------------Description---------------
1. Authentication Bypass
Vulnerable script: check.php

There are two ways to bypass authentication:

a) SQL Injection
Variable $HTTP_POST_VARS[username] isn't properly sanitized before being used in a SQL query. This can be used to make any SQL query by injecting arbitrary SQL code.
Condition: magic_quotes_gpc - off

b) Cookie based authentication
The check.php script doesn't make a password comparison when identifying a user by cookies.


2. Multiple Cross-Site Scripting
Vulnerable script: signed.php
Variables $HTTP_POST_VARS[location], $HTTP_POST_VARS[website] and $HTTP_POST_VARS[message] are not properly sanitized. This can be used to post arbitrary HTML or script code.


3. SQL Injections in administrator control panel
Vulnerable scripts:
admin/edit_smilie.php
admin/add_theme.php
admin/ban_ip.php
admin/add_lang
admin/edit_filter

Variable $HTTP_GET_VARS[id] isn't properly sanitized. This can be used to make any SQL query by injecting arbitrary SQL code.
Condition: magic_quotes_gpc - off

--------------Exploit----------------------
Available at: http://evuln.com/vulns/58/exploit.html

--------------Solution---------------------
No Patch available.

--------------Credit-----------------------
Discovered by: Aliaksandr Hartsuyeu (eVuln.com)

Copyright 2018, SecurityGlobal.net LLC