List:       bugtraq
Subject:    PHP RPG - Sql Injection and Session Information Disclosure.
From:       th3.r00k.nospam () pork ! gmail ! com
Date:       2007-12-14 22:08:05
Message-ID: 20071214220805.12414.qmail () securityfocus ! com
By Michael Brooks
Vulnerability: SQL Injection and Session Information Disclosure.
Homepage: http://sourceforge.net/projects/phprpg/
Version affected: 0.8.0

There are two flaws that affect this application. A nearly vanilla login bypass issue affects phprpg. If magic_quotes_gpc=off then this will log in an attacker as the administrator:
username:1'or 1=1 limit 1/*
password:1
Keep in mind that magic_quotes_gpc is being removed in php6!

The second flaw allows an attacker to steal any session registered by phprpg by navigating to this directory: http://localhost/phpRPG-0.8.0/tmp/
This is because phprpg has manually changed the session directory using session_save_path(), which is called in init.php on line 49.

Peace
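
The two fixes, as an added example that is not phpRPG's code or part of the original post: a login check that binds the username as a query parameter, and a check that the session directory is not inside the web root. The users table, the function names and the sample password are assumptions; it needs the pdo_sqlite extension.

```php
<?php
// Added example, not phpRPG code: table, column and function names are hypothetical.
$db = new PDO('sqlite::memory:'); // constructed sample data, held in memory only
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT UNIQUE, pw_hash TEXT)');
$ins = $db->prepare('INSERT INTO users (name, pw_hash) VALUES (?, ?)');
$ins->execute(['admin', password_hash('constructed-admin-password', PASSWORD_DEFAULT)]);

// Login check with a bound parameter: the username travels as data, so a quote
// in it cannot alter the query, whatever magic_quotes_gpc is set to.
function login(PDO $db, string $user, string $pass): ?int
{
    $st = $db->prepare('SELECT id, pw_hash FROM users WHERE name = ?');
    $st->execute([$user]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($pass, $row['pw_hash'])) {
        return null;
    }
    return (int) $row['id'];
}

// True when the session directory lies inside the web root and may be served over HTTP.
function session_dir_is_web_exposed(string $saveDir, string $docRoot): bool
{
    $dir  = realpath($saveDir);
    $root = realpath($docRoot);
    if ($dir === false || $root === false) {
        return false; // path does not exist, nothing to serve
    }
    return strpos($dir . DIRECTORY_SEPARATOR, $root . DIRECTORY_SEPARATOR) === 0;
}

// The input from the advisory is looked up as a literal username and rejected.
var_dump(login($db, "1'or 1=1 limit 1/*", '1'));
var_dump(login($db, 'admin', 'constructed-admin-password'));

// Constructed layout mirroring the advisory: tmp/ below the application directory.
$root = sys_get_temp_dir() . '/phprpg-demo-' . getmypid();
mkdir($root . '/tmp', 0700, true);
var_dump(session_dir_is_web_exposed($root . '/tmp', $root));
var_dump(session_dir_is_web_exposed(sys_get_temp_dir(), $root));
rmdir($root . '/tmp');
rmdir($root);
```

Calling session_dir_is_web_exposed(session_save_path(), $_SERVER['DOCUMENT_ROOT']) at startup flags the configuration described in the second flaw.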

