[prev in list] [next in list] [prev in thread] [next in thread]
List: bugtraq
Subject: ChurchInfo Multiple Vulnerabilities
From: thegreatone2176 () yahoo ! com
Date: 2005-08-01 15:04:52
Message-ID: 20050801150452.27456.qmail () securityfocus ! com
[Download RAW message or body]
----------------------------------
ChurchInfo Multiple Vulnerabilities
----------------------------------
ChurchInfo is affected by mutliple path disclosures and sql injections.
Vulnerabilties
--------------
1) The "PersonID" parameter on the following pages are vulnerable to sql injection \
and path disclosure.
PersonView.php
MemberRoleChange.php
PropertyAssign.php
WhyCameEditor.php
GroupPropsEditor.php
Reports/PDFLabel.php
UserDelete.php - First page gives path disclosure, then when you click yes you have \
sql injection
2) When an invalid "Number" parameter only the following pages is given a divide by \
zero error is produced resulting in path disclosure.
SelectList.php
SelectDelete.php
3) The "DepositSlipID" parameter on the following page is vulnerable to sql injection \
and path disclosure.
DepositSlipEditor.php
3) The "QueryID" parameter on the following page is vulnerable to sql injection and \
path disclosure.
QueryView.php
Also specific ids are vulnerable to sql injection.
QueryID?id=18 The search box is vulnerable to sql injection.
QueryID?id=19 An sql injection can be performed by editing the html source of the \
form.
There is about 5 more forms in this section where you can potenially edit the form, \
and inject but I did not test each one so I did not list them.
4) The "GroupID" parameter on the following pages are vulnerable to sql injection and \
path disclosure.
GroupView.php
GroupMemberList.php
MemberRoleChange.php
GroupDelete.php
/Reports/ClassAttendance.php
/Reports/GroupReport.php
5) The "GroupID" parameter on the following pages produces path disclosure when \
invalid input is given.
GroupPropsFormRowOps.php
/Reports/ClassAttendance.php
/Reports/ClassList.php
ConfirmLabels.php
/DirectoryReport.php
/Reports/NewsLetterLabels.php
6) The "PropertyID" parameter on the following page is vulnerable to sql injection \
and path disclosure.
PropertyEditor.php
7) The "FamilyID" parameter on the following pages are vulnerable to sql injection \
and path disclosure.
Canvas05Editor.php
CanvasEditor.php
FamilyView.php
8) The "PledgeID" parameter on the following pages are vulnerable to sql injection \
and path disclosure.
PledgeDetails.php
Misc
Many of the pages produced extract() errors when bogus input was fed leading to path \
disclosure. A few pages also produced path disclosures when directly accessed. Also \
some pages when directly accessed gave an sql error about an empty parameter, but \
were not exploitable when the parameter was given. Since this is an open source \
product you can simply view the queries from the source, but if it was closed source \
this could help to determine table structure and queries.
Solution
--------
Properly cleansing user input before processing would eliminate all these errors.
Credit
------
thegreatone2176
Greets
------
Elohimus and pureone
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic