-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Advisory: CounterChaos <= 0.48c SQL Injection Vulnerability
Release Date: 2006/08/04
Last Modified: 2006/08/03
Author: Tamriel [tamriel at gmx dot net]
Application: CounterChaos <= 0.48c
Risk: Moderate
Vendor Status: not contacted
Vendor Site: www.chaossoft.de

Overview:

Quote from www.chaossoft.de:
"CounterChaos is a flexible online counter for your homepage. It is
small and compact, written in PHP, and uses a MySQL database to store
the data."

Details:

SQL Injection Vulnerabilities in counterchaos.php (around line 35-45)

    ...
    $referer= $_SERVER["HTTP_REFERER"];
    $referer=strtolower($referer);
    ...
    // Not found without www either => store in original form
    mysql_query("INSERT INTO $tabellerefi SET monat='$akt_monat', jahr='$akt_jahr', refi='$referer', treffer='1'") or die(mysql_error());
    }
    ...

The Referer value is placed into the query string unescaped. An attacker
can therefore forge the HTTP Referer header and inject SQL of their own
into this query (magic quotes must be off).

Solution:

Take a look at PHP's mysql_real_escape_string function.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (MingW32)

iD8DBQFE0oOZqBhP+Twks7oRAmN9AJ9u9URtocwWhMN0kQsje+7BqVSqnwCfabUw
GnCv00gAbRXLTmgDXdwF2CA=
=emSG
-----END PGP SIGNATURE-----
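
Added example (not part of the advisory and not CounterChaos code): the same Referer insert written with a PDO prepared statement instead of the mysql_real_escape_string call the advisory suggests, since the mysql_* extension was removed in PHP 7. The table name referers, the function recordReferer() and the SQLite in-memory database are assumptions made so the script runs offline; the column names follow the advisory's query.

```php
<?php
// Added example, not CounterChaos code. Assumptions: PDO with the SQLite
// driver stands in for MySQL so the script runs offline; the table name
// "referers" and recordReferer() are hypothetical.

function recordReferer(PDO $db, string $referer, int $month, int $year): void
{
    // Normalise as the original code does, and bound the stored length.
    $referer = substr(strtolower($referer), 0, 255);

    // Placeholders keep the header value out of the SQL text entirely,
    // so quote characters in it cannot change the statement.
    $stmt = $db->prepare(
        'INSERT INTO referers (monat, jahr, refi, treffer) VALUES (?, ?, ?, 1)'
    );
    $stmt->execute([$month, $year, $referer]);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec(
    'CREATE TABLE referers (monat INTEGER, jahr INTEGER, refi TEXT, treffer INTEGER)'
);

// Constructed sample header values. The second contains quote characters,
// which would have ended the string literal in the interpolated query.
$samples = [
    'http://www.example.test/page',
    "http://example.test/o'brien?q='x'",
];
foreach ($samples as $value) {
    // In the web application this argument would be
    // $_SERVER['HTTP_REFERER'] ?? ''.
    recordReferer($db, $value, 8, 2006);
}

// Show what was stored: one row per call, each value kept as plain data.
foreach ($db->query('SELECT refi FROM referers') as $row) {
    echo $row['refi'], PHP_EOL;
}
echo 'rows: ', $db->query('SELECT COUNT(*) FROM referers')->fetchColumn(), PHP_EOL;
```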