Advisory: GeheimChaos <= 0.5 Multiple SQL Injection Vulnerabilities

Release Date: 2006/08/04
Last Modified: 2006/08/03
Author: Tamriel [tamriel at gmx dot net]
Application: GeheimChaos <= 0.5
Risk: Moderate
Vendor Status: not contacted
Vendor Site: www.chaossoft.de

Overview:

Quote from www.chaossoft.de (translated from German): "If you want to add a private area to your homepage, GeheimChaos is exactly right."

Details:

1) Multiple SQL Injection Vulnerabilities in gc.php

... around lines 78-79

$tmpQuery = mysql_query("SELECT * FROM $cfgTabelleUserDaten WHERE username = '$Temp_entered_login'") or die("INSERT ERROR 2");
mysql_query("DELETE FROM $cfgTabelleOnline WHERE username = '$Temp_entered_login'") or die("DELETE Error 3");

$Temp_entered_login is interpolated into both queries without any escaping, so an attacker controls the WHERE clause of the SELECT and of the DELETE.

... around line 103

$tmpQuery = mysql_query("SELECT * FROM $cfgTabelleUserDaten WHERE email = '$Temp_entered_email'") or die("INSERT ERROR 451");

The same applies to $Temp_entered_email.

... around line 133

$tmpQuery = mysql_query("SELECT * FROM $cfgTabelleUserDaten WHERE username = '$Temp_entered_login'") or die("INSERT ERROR 2");

This query is the useful one if you want to perform a login bypass.

...

2) Multiple SQL Injection Vulnerabilities in registieren.php

... around line 50

mysql_query("UPDATE $cfgTabelleUserDaten SET email = '$form_email', vorname = '$form_vorname', nachname = '$form_nachname', strasse = '$form_strasse', plzort = '$form_plzort', land = '$form_land', homepage = '$form_homepage', status = '$usernochfrei', userpic = '$form_bildpfad', privzeigen = '$form_profilsichtbar', sprache = '$Temp_sprache', geb_tag = '$form_tag', geb_monat = '$form_monat', geb_jahr = '$form_jahr', aktivstr = '$Temp_akt_string', icq = '$form_icq', msn = '$form_msn', yahoo = '$form_yahoo', profcheck = '0' WHERE userid = '$geheimchaos->ID'");

...
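The login bypass mentioned for the gc.php query around line 133 is shown below as an added example. This is not code from the advisory or from GeheimChaos: it rebuilds the same string-built query in Python against an in-memory SQLite table whose name and columns are an assumption for the demo, and puts the hardened, parameterized form beside it. The attacker inputs are constructed.

```python
import sqlite3

# Constructed sample table standing in for $cfgTabelleUserDaten. Table and
# column names are an assumption for this example, not GeheimChaos's schema.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE userdaten (userid INTEGER, username TEXT, password TEXT)")
    db.executemany("INSERT INTO userdaten VALUES (?, ?, ?)",
                   [(1, "admin", "s3cret"), (2, "alice", "wonderland")])
    db.commit()
    return db

def vulnerable_lookup(db, entered_login):
    # Same construction as gc.php around line 133: the submitted login is pasted
    # into the SQL text, so quote characters in it become part of the query.
    sql = ("SELECT userid, username FROM userdaten WHERE username = '%s' "
           "ORDER BY userid" % entered_login)
    return db.execute(sql).fetchall()

def safe_lookup(db, entered_login):
    # Hardened form: the value is bound as a parameter and never parsed as SQL.
    # PHP equivalents: a mysqli/PDO prepared statement, or at minimum
    # mysql_real_escape_string() applied to every interpolated variable.
    sql = "SELECT userid, username FROM userdaten WHERE username = ? ORDER BY userid"
    return db.execute(sql, (entered_login,)).fetchall()

def demo():
    db = make_db()
    # Constructed attacker values for $Temp_entered_login.
    comment_out = "admin' -- "      # closes the literal, comments out the rest
    tautology = "' OR '1'='1"       # makes the WHERE clause always true
    return {
        "vuln_comment": vulnerable_lookup(db, comment_out),     # admin's row
        "vuln_tautology": vulnerable_lookup(db, tautology),     # every row
        "safe_comment": safe_lookup(db, comment_out),           # nothing
        "safe_tautology": safe_lookup(db, tautology),           # nothing
        "safe_legit": safe_lookup(db, "alice"),                 # alice only
    }

if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

With the vulnerable lookup the attacker picks which account row the script sees (the admin row for `admin' -- `, every row for `' OR '1'='1`); whatever the script does with that row afterwards is what makes the bypass. With a bound parameter both payloads are just usernames that do not exist. Escaping each variable by hand, as the advisory suggests, works only if no interpolation is missed, which is exactly the bookkeeping the registration queries below do not do.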
... around line 170

$tmpQuery = mysql_query("INSERT INTO $cfgTabelleUserDaten (username,password,email,vorname,nachname,strasse,plzort,land,homepage, geb_tag,geb_monat,geb_jahr,status,aktivstr,passneu,regdatum,letzterbesuch,besuchanzahl,letzteip,userpic,fehlerhaft,profcheck, privzeigen,sprache,icq,msn,yahoo) VALUES ('$form_username','$Temp_form_pass','$form_email','$form_vorname','$form_nachname', '$form_strasse','$form_plzort','$form_land','$form_homepage','$form_tag','$form_monat','$form_jahr','0','$Temp_akt_string','', '$timestamp','$timestamp','0','$Temp_ip','$form_bildpfad','0','0','$form_profilsichtbar','$Temp_sprache','$form_icq','$form_msn', '$form_yahoo')") or die("INSERT ERROR 99");

...

Most of the variables in these queries are not checked by the script before they are interpolated into the SQL.

Note: There are many more SQL injection vulnerabilities and possible cross-site scripting vulnerabilities in this script.

Version note: The "NewsletterChaos" and "ForumChaos" scripts are based on this script.

Solution: Take a look at PHP's htmlentities() (for the cross-site scripting issues) and mysql_real_escape_string() (for the SQL injection issues) and review the rest of the code yourself.
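The advice to review the rest of the code yourself can be given a mechanical first pass. The scanner below is an added example, not part of the advisory or of GeheimChaos: it lists every variable interpolated into a double-quoted mysql_query() string and treats a variable as escaped only if it was assigned from mysql_real_escape_string() earlier in the same file. The sample input is constructed from the gc.php query sites quoted in this advisory plus one hypothetical query that uses an already-escaped value.

```python
import re

# Constructed sample: the gc.php query sites quoted in this advisory (around
# lines 78-79, 103 and 133) plus one hypothetical, correctly escaped query.
SAMPLE_PHP = r'''
$tmpQuery = mysql_query("SELECT * FROM $cfgTabelleUserDaten WHERE username = '$Temp_entered_login'") or die("INSERT ERROR 2");
mysql_query("DELETE FROM $cfgTabelleOnline WHERE username = '$Temp_entered_login'") or die("DELETE Error 3");
$tmpQuery = mysql_query("SELECT * FROM $cfgTabelleUserDaten WHERE email = '$Temp_entered_email'") or die("INSERT ERROR 451");
$safe_email = mysql_real_escape_string($form_email);
mysql_query("SELECT * FROM $cfgTabelleUserDaten WHERE email = '$safe_email'");
'''

# mysql_query( followed by a double-quoted PHP string; the body may span lines.
QUERY_RE = re.compile(r'mysql_query\(\s*"((?:[^"\\]|\\.)*)"', re.DOTALL)
# Simple $var or $obj->prop interpolations (heuristic: ${var}/{$var} and
# concatenation with "." are not handled).
VAR_RE = re.compile(r'\$[A-Za-z_]\w*(?:->[A-Za-z_]\w*)?')
# A variable assigned straight from mysql_real_escape_string() counts as escaped.
ESCAPED_RE = re.compile(r'(\$[A-Za-z_]\w*)\s*=\s*mysql_real_escape_string\(')

def find_interpolated_queries(php_source):
    """Return one finding per mysql_query() call with a double-quoted SQL string:
    its line number, the SQL text, the unescaped non-config variables in it and
    the $cfg* variables (table names from configuration, reported separately)."""
    escaped = set(ESCAPED_RE.findall(php_source))
    findings = []
    for m in QUERY_RE.finditer(php_source):
        line = php_source.count("\n", 0, m.start()) + 1
        variables = VAR_RE.findall(m.group(1))
        config = [v for v in variables if v.startswith("$cfg")]
        tainted = [v for v in variables if v not in config and v not in escaped]
        findings.append({"line": line, "sql": m.group(1),
                         "unescaped": tainted, "config": config})
    return findings

if __name__ == "__main__":
    for f in find_interpolated_queries(SAMPLE_PHP):
        flag = "UNESCAPED" if f["unescaped"] else "ok"
        print("line %d: %s %s" % (f["line"], flag, ", ".join(f["unescaped"])))
```

Run against the sample it flags the three advisory queries and passes the escaped one. It is a triage aid only: it misses `${var}`/`{$var}` syntax, strings built with `.`, single-quoted SQL and escaping done through other paths, and the `$cfg*` table names it sets aside still deserve a glance at where the configuration is loaded from.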