PHP RPG - Sql Injection and Session Information Disclosure.

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: PHP RPG - Sql Injection and Session Information Disclosure.
From: th3.r00k.nospam@xxxxxxxxxxxxxx
Date: 14 Dec 2007 22:08:05 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

By Michael Brooks
Vulneralbity: Sql Injection and Session Information Disclosure. 
Homepage:http://sourceforge.net/projects/phprpg/
Verison affected 0.8.0

There are two flaws that affect this applcation. A nearly vinnella login bypass 
issues affects phprpg.  If magic_qutoes_gpc=off then this will login an 
attacker as the administrator using this:
username:1'or 1=1 limit 1/*
password:1
Keep in mind that magic_quotes_gpc is being removed in php6!

The second flaw allows an attacker to steal any session registered by phprpg by 
navigating to this directory:
http://localhost/phpRPG-0.8.0/tmp/
This is because phprpg has manually changed the directory using 
session_save_path() which is called in init.php on line 49. 

Peace

Prev by Date: Oreon/Centreon - Multiple Remote File Inclusion
Next by Date: Wordpress - Broken Access Control
Previous by thread: Oreon/Centreon - Multiple Remote File Inclusion
Next by thread: Wordpress - Broken Access Control
Index(es):
- Date
- Thread