paFileDB Input Validation Flaws Let Remote Users Inject SQL Commands to Be Executed on the Database Server
SecurityTracker Alert ID: 1006369
CVE Reference: GENERIC-MAP-NOMATCH
Date: Mar 24 2003
Impact: Execution of arbitrary code via network, Modification of user information
Exploit Included: Yes
Version(s): paFileDB 3.0 Final, 3.0 Beta 3.1, 3.1 Final
Description: Several vulnerabilities were reported in the paFileDB file management script. A remote user can submit modified ratings and can inject SQL commands to be executed by the underlying SQL server.
Flurnet Security reported that several request variables are not properly filtered, allowing a remote user to conduct various attacks against the system.
A remote user can append a random string to the 'id' variable to submit an unlimited number of ratings for a file. A demonstration exploit URL is provided:
http://target/pafiledb/pafiledb.php?action=rate&id=1[RANDOM]&rate=dorate&rating=10
A remote user can submit a modified value for the 'rating' variable to submit ratings outside of the normal 0 - 10 rating range. A demonstration exploit URL that submits an excessively high rating of "1000" is provided:
http://target/pafiledb/pafiledb.php?action=rate&id=1&rate=dorate&rating=1000
Similarly, a remote user can drive a file's rating down by submitting a negative number for the 'rating' variable.
According to the report, neither the 'id' nor the 'rating' variable is filtered to remove SQL escape characters. A remote user can submit a specially crafted value to cause an arbitrary SQL command to be executed on the underlying SQL database server.
The vendor has reportedly been notified.
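The page does not show paFileDB's own rating code, so the following is an added example, not code from the advisory or from the project. It reconstructs the class of bug described above in Python with sqlite3: an unchecked handler that pastes the raw 'id' and 'rating' request values into the UPDATE statement, beside a hardened handler that parses both as integers, enforces the 0 - 10 range, keys the one-vote-per-file check on the canonical integer id, and binds values as parameters. The table and column names, the voter key, and the sample rows are assumptions made for the example; the injected value used against the unchecked handler is a generic tautology, not an exploit string taken from the report.

```python
import sqlite3

# Constructed stand-in for a file-rating table. Table and column names are
# assumptions for this example, not paFileDB's actual schema.
SCHEMA = """
CREATE TABLE files (
    id           INTEGER PRIMARY KEY,
    name         TEXT NOT NULL,
    rating_total INTEGER NOT NULL DEFAULT 0,
    rating_count INTEGER NOT NULL DEFAULT 0
);
CREATE TABLE votes (
    file_id INTEGER NOT NULL,
    voter   TEXT NOT NULL,
    PRIMARY KEY (file_id, voter)
);
"""


def fresh_db():
    """In-memory database seeded with two sample files (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO files (id, name) VALUES (?, ?)",
                     [(1, "a.zip"), (2, "b.zip")])
    conn.commit()
    return conn


def rating_of(conn, file_id):
    """Return (rating_total, rating_count) for one file."""
    row = conn.execute("SELECT rating_total, rating_count FROM files WHERE id = ?",
                       (file_id,)).fetchone()
    return tuple(row)


def rate_unchecked(conn, id_param, rating_param):
    """Vulnerable pattern: raw request values are concatenated into the SQL
    text. No type check, no range check, no escaping, no vote tracking."""
    sql = ("UPDATE files SET rating_total = rating_total + " + rating_param
           + ", rating_count = rating_count + 1 WHERE id = " + id_param)
    conn.execute(sql)
    conn.commit()


def rate_checked(conn, id_param, rating_param, voter):
    """Hardened handler. int() rejects '1abc', a quote or a tautology before
    any SQL is built; the range check rejects 1000 and -1000; the votes
    primary key (keyed on the integer id) rejects a repeat vote; all values
    reach the database as bound parameters."""
    try:
        file_id = int(id_param)
        rating = int(rating_param)
    except (TypeError, ValueError):
        raise ValueError("id and rating must be integers")
    if not 0 <= rating <= 10:
        raise ValueError("rating must be between 0 and 10")
    try:
        with conn:  # commits on success, rolls back on any exception
            conn.execute("INSERT INTO votes (file_id, voter) VALUES (?, ?)",
                         (file_id, voter))
            cur = conn.execute(
                "UPDATE files SET rating_total = rating_total + ?, "
                "rating_count = rating_count + 1 WHERE id = ?",
                (rating, file_id))
            if cur.rowcount != 1:
                raise ValueError("no such file")
    except sqlite3.IntegrityError:
        raise ValueError("this voter has already rated this file")
    return rating_of(conn, file_id)


def demo():
    """Replay the advisory's abuses against both handlers; return observations."""
    out = {}
    db = fresh_db()
    rate_unchecked(db, "1", "1000")             # out-of-range rating accepted
    out["out_of_range"] = rating_of(db, 1)
    rate_unchecked(db, "1 OR 1=1", "10")        # tautology in 'id' hits every row
    out["after_injection"] = (rating_of(db, 1), rating_of(db, 2))

    db = fresh_db()
    out["checked_ok"] = rate_checked(db, "1", "10", "alice")
    cases = {
        "repeat_vote": ("1", "10", "alice"),
        "id_with_suffix": ("1abc", "10", "bob"),       # the id=1[RANDOM] trick
        "rating_1000": ("1", "1000", "bob"),
        "rating_negative": ("1", "-1000", "bob"),
        "injection_in_id": ("1 OR 1=1", "10", "bob"),
        "backtick_in_rating": ("1", "`", "bob"),
        "no_such_file": ("99", "5", "bob"),
    }
    rejected = {}
    for label, args in cases.items():
        try:
            rate_checked(db, *args)
            rejected[label] = False
        except ValueError:
            rejected[label] = True
    out["rejected"] = rejected
    out["checked_final"] = rating_of(db, 1)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The point of parsing 'id' with int() before it is used as the duplicate-vote key is that a value such as `1abc` is rejected outright instead of being treated as a new id by the application while the database coerces it back to 1; the same parse step is what removes the injection, since the SQL text no longer contains anything the client supplied.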
Impact: A remote user can submit out-of-range rating values and can submit an unlimited amount of rating submissions. A remote user can also inject SQL commands to be executed by the underlying database server.
Solution: No solution was available at the time of this entry.
Vendor URL: www.phparena.net/pafiledb/
Cause: Input validation error
Underlying OS: Linux (Any), UNIX (Any)
Reported By: flur <flur@flurnet.org>
Message History:
None.
Source Message Contents
Date: Mon, 24 Mar 2003 10:57:56 -0500
From: flur <flur@flurnet.org>
Subject: [Full-Disclosure] paFileDB 3.x SQL Injection Vulnerability
|
Flurnet Security
----------------
paFileDB by todd@phparena.net
PHP Arena http://www.phparena.net
Tested on:
paFileDB 3.0 Final
paFileDB 3.0 Beta 3.1
paFileDB 3.1 Final
Explanation:
paFileDB is a file management script that supports user file rating. It
uses an SQL database backend. Multiple vulnerabilities exist due to the
lack of checked input variables. The following exploits exist:
- Modified 'id' tag allows users to submit unlimited ratings.
- Hand-edited 'rating' tag allows users to submit ratings above 10 or
below 0.
- Both tags do not check for escape characters and will allow SQL injection.
Proof-Of-Concept Exploits:
http://target/pafiledb/pafiledb.php?action=rate&id=1[RANDOM]&rate=dorate&rating=10
Replace [RANDOM] with a random short string and the script will not stop
you from voting as many times as you like.
http://target/pafiledb/pafiledb.php?action=rate&id=1&rate=dorate&rating=1000
Submit file rating of 1000 out of 10. Drive rate up. Conversely, -1000
would have the opposite effect driving the rating down.
http://target/pafiledb/pafiledb.php?action=rate&id=1&rate=dorate&rating=`
http://target/pafiledb/pafiledb.php?action=rate&id=`&rate=dorate&rating=10
SQL Injection vulnerability (exploit code not included)
Script authors have been notified.
____________________ __ _
~FluRDoInG flur@flurnet.org
http://www.flurnet.org
KEY ID 0x8C2C37C4 (pgp.mit.edu) RSA-CAST 2048/2048
1876 B762 F909 91EB 0C02 C06B 83FF E6C5 8C2C 37C4
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html