CounterChaos versions 0.48c and below suffer from a SQL injection vulnerability.
7d22c6f0743733ece01d752fb837aec0ec18480e46924e68f4564af01f6cfba0
Advisory: CounterChaos <= 0.48c SQL Injection Vulnerability
Release Date: 2006/08/04
Last Modified: 2006/08/03
Author: Tamriel [tamriel at gmx dot net]
Application: CounterChaos <= 0.48c
Risk: Moderate
Vendor Status: not contacted
Vendor Site: www.chaossoft.de
Overview:
Quote from www.chaossoft.de:
"CounterChaos ist ein flexibler Onlinecounter fuer Ihre Homepage.
Er ist klein und kompakt in PHP geschrieben und benutzt eine
mySQL-Datenbank, um die Daten abzuspeichern."
Details:
SQL Injection Vulnerabilities in counterchaos.php
(arround line 35-45)
...
$referer= $_SERVER["HTTP_REFERER"];
$referer=strtolower($referer);
...
// Ohne www auch nicht gefunden => im Original speichern
mysql_query("INSERT INTO $tabellerefi SET monat='$akt_monat', jahr='$akt_jahr',
refi='$referer', treffer='1'") or die(mysql_error());
}
...
Here an attacker can fake his http referer and so inject his own
sql queries (magic quotes must be off).
Solution:
Take a view on PHP's ysql_real_escape_string function.