PHP pro bid v 6.04 SQL injection

2009.02.05
Risk: High
Local: No
Remote: Yes
CWE: CWE-89


Ogólna skala CVSS: 7.5/10
Znaczenie: 6.4/10
Łatwość wykorzystania: 10/10
Wymagany dostęp: Zdalny
Złożoność ataku: Niska
Autoryzacja: Nie wymagana
Wpływ na poufność: Częściowy
Wpływ na integralność: Częściowy
Wpływ na dostępność: Częściowy

Affected software: PHP pro bid v 6.04 (as at 2008-09-11) Vendor description: The Leading Proffessional (sic) Auction Script Software available online today written in PHP/ Mysql Impact: SQL injection Description: categories.php and other pages of php pro bid accept user-supplied order-by and ASC/DESC fields. The software prints helpful messages too: SQL Query: SELECT a.auction_id, a.name, a.start_price, a.max_bid, a.nb_bids, a.currency, a.end_time, a.closed, a.bold, a.hl, a.buyout_price, a.is_offer, a.reserve_price, a.owner_id FROM probid_auctions a WHERE a.active=1 AND a.approved=1 AND a.closed=0 AND a.deleted=0 AND a.list_in!='store' AND a.creation_in_progress=0 GROUP BY a.auction_id ORDER BY (select 1)x LIMIT 0, 20 Leveraging an admin user name and password is left as an exercise to the reader. Demo: http://example.com/phpprobidlocation/categories.php?start=0&limit=20&par ent_id=669&keywords_cat_search=&buyout_price=&reserve_price=&quantity=&e nable_swap=&order_field=(select%201)x&order_type=%20 Solution: - Don't let junior programmers add sort-by column features. The original design was much nicer than the later hacks. - If you fix a bug (for example, in search.php), take the trouble to look for equivalent bugs in other pages. Did I mention that the bug is on another page too? Not? Oh well. Timeline: - Posted this as a comment on the vendor contact-us web form last week. - Sent this to bugtraq this week (yesterday) - Bugtraq said post not exploits against live sites - URL of vendor demo site duly censored, in the interests of full disclosure

Referencje:

http://www.securityfocus.com/bid/31263
http://www.securityfocus.com/archive/1/archive/1/496533/100/0/threaded
http://secunia.com/advisories/31981


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top