Re: phpWebSite 0.10.? (topics.php) Remote SQL Injection Exploit

To: selfar2002@xxxxxxxxxxx
Subject: Re: phpWebSite 0.10.? (topics.php) Remote SQL Injection Exploit
From: Kevin Wilcox <kevin@xxxxxxxxxxxxxxxx>
Date: Thu, 13 Apr 2006 13:44:31 -0400
Cc: bugtraq@xxxxxxxxxxxxxxxxx
In-reply-to: <20060412214053.26065.qmail@xxxxxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <20060412214053.26065.qmail@xxxxxxxxxxxxxxxxx>
User-agent: Mozilla Thunderbird 1.0.7-1.4.1 (X11/20050929)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

selfar2002@xxxxxxxxxxx wrote:
> ---------------------------------------------------------------------------
> phpWebSite <= 0.10.? (topics.php) Remote SQL Injection Exploit
> ---------------------------------------------------------------------------
> Discovered By SnIpEr_SA
> Author    : SnIpEr_SA
> Exploit in Perl : http://www.milw0rm.com/exploits/1525
> Remote  :  Yes  
> Local     :  No  
> Critical Level : Dangerous
> ---------------------------------------------------------------------------
> 
> Affected software description:
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> 
> Application : phpWebSite
> version     : 0.10.?
> URL         : http://phpwebsite.appstate.edu/
> ... 
> ------------------------------------------------------------------ 
> Exploit:
> ~~~~~~~~ 
> # http://example.com/path/topics.php?op=viewtopic&topic=-1 Union select 
> name,name,pass,name From users where uid=1

<snip>

This is incorrect. 0.10.0-full was the last release to ship with a
topics.php file. The file was part of "convert".

0.10.x-core is NOT affected unless they were updates from earlier
versions. The solution: delete "convert".

0.10.1-full and 0.10.2-full are NOT affected unless the site was an
update from an earlier version. The solution: delete "convert".

For all affected users: as "convert" is meant to be used ONCE to upgrade
from a previous version, the best solution is to delete "convert".

This is also a perfectly acceptable email address to use for vendor
notification (which we greatly appreciate). Parties that notify us still
receive due credit for finding the vulnerability.

kw
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQFEPo367XWNuvsOTiYRAmUIAJ9Gersjuiht91i5RF3q/TB+YFMq5ACeP9aM
c2qgNA+gxN6pzaRfpOwsei8=
=odzh
-----END PGP SIGNATURE-----

References:
- phpWebSite 0.10.? (topics.php) Remote SQL Injection Exploit
  - From: selfar2002

Prev by Date: Re: [Full-disclosure] SEC Consult SA-20060314 :: Opera Browser CSS Attribute Integer Wrap / Buffer Overflow
Next by Date: Re: Re: NETGEAR WGT624 Wireless DSL router default user name/password vulnerability
Previous by thread: phpWebSite 0.10.? (topics.php) Remote SQL Injection Exploit
Next by thread: RevoBoard [email] tag XSS
Index(es):
- Date
- Thread