
List:       bugtraq
Subject:    Multiple Sql injections in phpCoin v1.2.2 and below
From:       dcrab <dcrab () hackerscenter ! com>
Date:       2005-04-28 20:28:14
Message-ID: 20050428202814.19799.qmail () www ! securityfocus ! com



Dcrab's Security Advisory
[Hsc Security Group] http://www.hackerscenter.com/
[dP Security] http://digitalparadox.org/

Get Dcrab's Services to audit your Web servers, scripts, networks, etc. Learn more at http://www.digitalparadox.org/services.ah

Severity: High
Title: Multiple Sql injections in phpCoin v1.2.2 and below
Date: 28/04/2005

Vendor: phpCoin
Vendor Website: http://www.phpcoin.com/
Vendor contact status: Contacted 5 days before release of advisory, but no response.
Summary: There are multiple SQL injections in phpCoin v1.2.2 and below.
Reference: http://digitalparadox.org/viewadvisories.ah?view=36

Proof of Concept Exploits: 

http://docs.localhost/index.php?title=Special%3aSearch&search=(SQL_INJECTION
SQL INJECTION
 A database query syntax error has occurred. This could be because of an illegal search query (see Searching PhpCOIN Docs), or it may indicate a bug in the software. The last attempted database query was:

    SELECT cur_id,cur_namespace,cur_title,cur_text FROM cur,searchindex WHERE cur_id=si_page AND ( ( (MATCH (si_title) AGAINST ('SQL_INJECTION')) ) AND cur_namespace IN (0,9,11) LIMIT 0, 20

from within function "SearchEngine::showResults". MySQL returned error "1064: You have an error in your SQL syntax near 'LIMIT 0, 20' at line 1".



http://localhost/login.php?w=user&o=login&phpcoinsessid=SQL_INJECTION'
SQL_INJECTION

Unable to execute query: (SELECT * FROM phpcoin_components WHERE comp_name='siteinfo' AND comp_mod='SQL_INJECTION\' ORDER BY comp_id ASC). Error returned is: ( : ).
Check the syntax / server connection and and try again.


http://localhost/mod.php?mod=siteinfo&id=SQL_INJECTION'&phpcoinsessid=8d4706204348394afece6b64db3d9b95
 SQL INJECTION

Unable to execute query: (SELECT * FROM phpcoin_components WHERE comp_name='siteinfo' AND comp_mod='SQL_INJECTION\' ORDER BY comp_id ASC). Error returned is: ( : ).
Check the syntax / server connection and and try again.


http://localhost/mod.php?mod=pages&mode=list&dtopic_id=SQL_INJECTION'&phpcoinsessid=fa7905a749dbdc698838930de0f99f4b
 SQL INJECTION

Database Error:
Unable to execute query: (SELECT COUNT(*) FROM phpcoin_pages, phpcoin_topics, phpcoin_categories WHERE phpcoin_pages.topic_id = phpcoin_topics.topic_id AND phpcoin_pages.cat_id = phpcoin_categories.cat_id AND phpcoin_pages.topic_id = SQL_INJECTION\ AND phpcoin_pages.pages_admin = 0 AND phpcoin_pages.pages_status = 1). Error returned is: ( : ). Check the syntax / server connection and and try again.

Database Error:
Unable to execute query: (SELECT phpcoin_pages.id, phpcoin_pages.subject, phpcoin_pages.topic_id, phpcoin_pages.cat_id, phpcoin_pages.time_stamp, phpcoin_pages.pages_title, phpcoin_pages.pages_code, phpcoin_pages.pages_block_it, phpcoin_pages.pages_status, phpcoin_pages.pages_admin, phpcoin_topics.topic_name, phpcoin_categories.cat_name FROM phpcoin_pages, phpcoin_topics, phpcoin_categories WHERE phpcoin_pages.topic_id = phpcoin_topics.topic_id AND phpcoin_pages.cat_id = phpcoin_categories.cat_id AND phpcoin_pages.topic_id = SQL_INJECTION\ AND phpcoin_pages.pages_admin = 0 AND phpcoin_pages.pages_status = 1 ORDER BY time_stamp DESC LIMIT 0, 15). Error returned is: ( : ).
Check the syntax / server connection and and try again.


http://localhost/mod.php?mod=pages&mode=list&dcat_id=SQL_INJECTION'&phpcoinsessid=fa7905a749dbdc698838930de0f99f4b
 SQL INJECTION

Database Error:
Unable to execute query: (SELECT COUNT(*) FROM phpcoin_pages, phpcoin_topics, phpcoin_categories WHERE phpcoin_pages.topic_id = phpcoin_topics.topic_id AND phpcoin_pages.cat_id = phpcoin_categories.cat_id AND phpcoin_pages.cat_id = SQL_INJECTION\ AND phpcoin_pages.pages_admin = 0 AND phpcoin_pages.pages_status = 1). Error returned is: ( : ). Check the syntax / server connection and and try again.

Database Error:
Unable to execute query: (SELECT phpcoin_pages.id, phpcoin_pages.subject, phpcoin_pages.topic_id, phpcoin_pages.cat_id, phpcoin_pages.time_stamp, phpcoin_pages.pages_title, phpcoin_pages.pages_code, phpcoin_pages.pages_block_it, phpcoin_pages.pages_status, phpcoin_pages.pages_admin, phpcoin_topics.topic_name, phpcoin_categories.cat_name FROM phpcoin_pages, phpcoin_topics, phpcoin_categories WHERE phpcoin_pages.topic_id = phpcoin_topics.topic_id AND phpcoin_pages.cat_id = phpcoin_categories.cat_id AND phpcoin_pages.cat_id = SQL_INJECTION\ AND phpcoin_pages.pages_admin = 0 AND phpcoin_pages.pages_status = 1 ORDER BY time_stamp DESC LIMIT 0, 15). Error returned is: ( : ).
Check the syntax / server connection and and try again.


Possible Fixes: Using htmlspecialchars(), mysql_escape_string(), mysql_real_escape_string() and similar functions to validate input before passing user-supplied values to the MySQL database, or before echoing them back to the screen, would solve these problems.
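The fix above as an added example, not phpCoin's own code: the two query shapes from the error output rebuilt with the user value bound as a parameter, and the unquoted numeric id validated as an integer first (the output shows the quote already being escaped to `\'`, which does nothing for `topic_id = ...` where no quotes surround the value). The `mysqli` handle and the function names are assumptions.

```php
<?php
// Added example (not phpCoin's code). Table and column names are taken from
// the advisory's error output; the $db handle and helper names are assumed.

// Vulnerable shape: the request value is concatenated into the SQL text.
function build_component_query_unsafe(string $mod): string {
    return "SELECT * FROM phpcoin_components WHERE comp_name='siteinfo' "
         . "AND comp_mod='" . $mod . "' ORDER BY comp_id ASC";
}
function build_pages_count_unsafe(string $topic_id): string {
    // Unquoted numeric context: escaping quote characters does not help here.
    return "SELECT COUNT(*) FROM phpcoin_pages WHERE phpcoin_pages.topic_id = "
         . $topic_id . " AND phpcoin_pages.pages_admin = 0";
}

// Hardened: the value travels as a bound parameter, never as SQL text.
function fetch_component(mysqli $db, string $mod): array {
    $stmt = $db->prepare(
        "SELECT * FROM phpcoin_components WHERE comp_name='siteinfo' "
      . "AND comp_mod=? ORDER BY comp_id ASC");
    $stmt->bind_param('s', $mod);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// Hardened numeric id: reject anything that is not a plain integer instead
// of trying to escape it, then bind it as an integer.
function count_pages(mysqli $db, $topic_id): int {
    $id = filter_var($topic_id, FILTER_VALIDATE_INT);
    if ($id === false) {
        throw new InvalidArgumentException('topic_id must be an integer');
    }
    $stmt = $db->prepare(
        "SELECT COUNT(*) FROM phpcoin_pages WHERE topic_id = ? "
      . "AND pages_admin = 0 AND pages_status = 1");
    $stmt->bind_param('i', $id);
    $stmt->execute();
    return (int) $stmt->get_result()->fetch_row()[0];
}

// The error pages in the advisory echo the raw request value back; encode it
// for HTML before output so the reflected value cannot carry markup.
function echo_search_term(string $term): void {
    echo htmlspecialchars($term, ENT_QUOTES, 'UTF-8');
}
```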

Keep yourself updated, RSS feed at: http://digitalparadox.org/rss.ah

Author: 
These vulnerabilities have been found and released by Diabolic Crab, Email: dcrab[AT|NOSPAM]hackerscenter[DOT|NOSPAM]com, please feel free to contact me regarding these vulnerabilities. You can find me at http://www.hackerscenter.com or http://digitalparadox.org/. Look out for my soon to come out book on Secure coding with php.

