[Powie's PSCRIPT Forum] Multiple SQL-Injection Vulnerabilities

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: [Powie's PSCRIPT Forum] Multiple SQL-Injection Vulnerabilities
From: Christoph Jeschke <ponders@xxxxxxxx>
Date: Fri, 15 Oct 2004 21:52:59 +0200
Cc: te@xxxxxxxx
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
User-agent: KMail/1.6.2

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Multiple SQL-Injection Vulnerabilities
in
Powie's PSCRIPT Forum

Summary
Product         Powie's PSCRIPT Forum
Version         <= 1.26
OS affected All with PHP and mySQL
Remote Exploit Yes
Risk Lvl        Medium High
Vendor          Thomas 'Powie' Erhardt
                http://www.pscript.de/
  Informed since 2002-02, workaround still available
See also        Jens Liebchen
                Sat Feb 16 2002 - 14:22:59 CST
                
<http://www.ppp-design.de/advisories_show.php?adv=pforum__mysql-injection_bug.txt>

Jens Liebchen discovered in February 2002 multiple SQL Injection 
Vulnerabilities in the Pscript Forum. After more then 2.5 Years, the 
Vulnerabilities are still existing. The Vendor didn't fix the 
Vulnerabilities in a proper manner and ignored the Advisory completely.

I discovered SQL Injection Vulnerabilities with medium high security risks
in the following files:
    * logincheck.php
    * changepass.php
    * edituser.php

Workaround
The Vulnerabilites are rated medium high, because most hoster activate 
magic_quotes_gpc in the php.ini, so that g(et), p(ost) and c(ookie) data 
are filtered. If magic_quotes_gpc is deactived, it is very easy to become 
administrator or any other user. But many user are not allowed to change 
php.ini, especially in mass hosting environments (where the Pscript Forum 
is mostly used).

Kudos to Jens Liebchen,
Christoph Jeschke

- -- 
The sky about the port was the color of television,
tuned to a death channel.  .o.
 -- William Gibson, Neuromancer,        ..o 
    Chiba City Blues               ooo
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iQIVAwUBQXAqnhTgMjDbDRRWAQJPHBAAtAzSs9JjbqaeI91EwDIMBxeIwf4/hNCd
GlRRdEcGciF3uCDfhFG7BwC5L9Y+ZfdlLfbqgd79ZokBUUrZhJYNEIbmFn0v5qs9
Ap5lIx0DyR+6BHYq94sV2jG9cEh2N3dOMMlQx7ozE0V7NZs/usRkjZRGeFMLNE6A
wdLoQK5+uNTFMWacV2IeoMojJahwvZh7mokrQbs92lguj+7n7luSWov/QsSJx0tD
//VTfKvW3ENSD2OrBsDj6ERiGSLyZaLsBMJNp+R6GJhqRfcy1zjyNC9slPfZH33A
0A/GCNOmNGwAWKEaQhzfpSGm78gPP/6tHvy0OxaVfSZah6pzMeUUh+IO/VHdGUW8
9JxYG1p1mxO2yfOVSI8ZQgI53pX1nzio3Tzw97RzE8DbKHiYxZTbZKo4fWNfI+iQ
touZclUdeeLqTo85PTHU4CBCJcttR8aNeckhQYtxrLzcjdr5ekePPof7MLCZi8xC
mzXgiPE0Y8p+hEvTdWYQJ0dfHkPqiO8s8y+13d4RtLFcE3ElnsLPnVhNZgeZZxzs
+91hcLv/Zty8J+Y51qUy0Am84Ca4hKk6fxFnRnrHPxxtIRO5lMeNS7NsDVvY/SXB
kkL9AHuFOYN2wQWMfgKCh1NBBfDmekH+CYaI9FsbJY4iTrG9EPZ9H/4zcNRcqpuG
/7buug6lImY=
=sgP1
-----END PGP SIGNATURE-----

Prev by Date: Re: EEYE: Windows VDM #UD Local Privilege Escalation
Next by Date: Re: IBM Lotus Notes/Domino fails to encode Square Brackets ( [ ] ) in computed field/text, allowing XSS
Previous by thread: IBM Lotus Notes/Domino fails to encode Square Brackets ( [ ] ) in computed field/text, allowing XSS
Next by thread: Re: IBM Lotus Notes/Domino fails to encode Square Brackets ( [ ] ) in computed field/text, allowing XSS
Index(es):
- Date
- Thread