GeheimChaos <= 0.5 Multiple SQL Injection Vulnerabilities

2006.08.15
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-89


CVSS Base Score: 5.1/10
Impact Subscore: 6.4/10
Exploitability Subscore: 4.9/10
Exploit range: Remote
Attack complexity: High
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Advisory: GeheimChaos <= 0.5 Multiple SQL Injection Vulnerabilities
Release Date: 2006/08/04
Last Modified: 2006/08/03
Author: Tamriel [tamriel at gmx dot net]
Application: GeheimChaos <= 0.5
Risk: Moderate
Vendor Status: not contacted
Vendor Site: www.chaossoft.de

Overview:

Quote from www.chaossoft.de:

"If you want to build a private area into your homepage, GeheimChaos is exactly the right choice."

Details:

1) Multiple SQL Injection Vulnerabilities in gc.php

...
around lines 78-79

    $tmpQuery = mysql_query("SELECT * FROM $cfgTabelleUserDaten WHERE username = '$Temp_entered_login'") or die("INSERT ERROR 2");
    mysql_query("DELETE FROM $cfgTabelleOnline WHERE username = '$Temp_entered_login'") or die("DELETE Error 3");

Here attackers can use $Temp_entered_login

...
around line 103

    $tmpQuery = mysql_query("SELECT * FROM $cfgTabelleUserDaten WHERE email = '$Temp_entered_email'") or die("INSERT ERROR 451");

...
around line 133

    $tmpQuery = mysql_query("SELECT * FROM $cfgTabelleUserDaten WHERE username = '$Temp_entered_login'") or die("INSERT ERROR 2");

This line can be useful if you want to perform a login bypass ...
...

2) Multiple SQL Injection Vulnerabilities in registieren.php

...
around line 50

    mysql_query("UPDATE $cfgTabelleUserDaten SET email = '$form_email', vorname = '$form_vorname',
        nachname = '$form_nachname', strasse = '$form_strasse', plzort = '$form_plzort',
        land = '$form_land', homepage = '$form_homepage', status = '$usernochfrei',
        userpic = '$form_bildpfad', privzeigen = '$form_profilsichtbar', sprache = '$Temp_sprache',
        geb_tag = '$form_tag', geb_monat = '$form_monat', geb_jahr = '$form_jahr',
        aktivstr = '$Temp_akt_string', icq = '$form_icq', msn = '$form_msn', yahoo = '$form_yahoo',
        profcheck = '0' WHERE userid = '$geheimchaos->ID'");

...
around line 170

    $tmpQuery = mysql_query("INSERT INTO $cfgTabelleUserDaten
        (username,password,email,vorname,nachname,strasse,plzort,land,homepage,
        geb_tag,geb_monat,geb_jahr,status,aktivstr,passneu,regdatum,letzterbesuch,
        besuchanzahl,letzteip,userpic,fehlerhaft,profcheck,
        privzeigen,sprache,icq,msn,yahoo)
        VALUES ('$form_username','$Temp_form_pass','$form_email','$form_vorname','$form_nachname',
        '$form_strasse','$form_plzort','$form_land','$form_homepage','$form_tag',
        '$form_monat','$form_jahr','0','$Temp_akt_string','',
        '$timestamp','$timestamp','0','$Temp_ip','$form_bildpfad','0','0',
        '$form_profilsichtbar','$Temp_sprache','$form_icq','$form_msn',
        '$form_yahoo')") or die("INSERT ERROR 99");

...
Here most of the variables are not checked by the script.

Note:

There are many more SQL injection vulnerabilities and possible cross-site scripting vulnerabilities in this script.

Version note:

The "NewsletterChaos" and "ForumChaos" scripts are based on this script.

Solution:

Take a look at PHP's htmlentities and mysql_real_escape_string functions and review the code yourself.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (MingW32)

iD8DBQFE0oOwqBhP+Twks7oRAtjPAJ9hTR7LYl0TJw2KWlsGuGpkK5aYDQCfTsDL
KK8DlnOh/Mcm+Apzgz9jE9U=
=5Ilf
-----END PGP SIGNATURE-----
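A hardened form of the gc.php username lookup, as an added example that is not part of the advisory or of GeheimChaos: it uses PDO prepared statements in place of the mysql_real_escape_string approach the advisory suggests, because the mysql_* extension was removed in PHP 7. The table name gc_userdaten, the helper names safeTableName and findUser, the in-memory SQLite database and the sample row are assumptions made for the example.

```php
<?php
// Added example, not GeheimChaos code. Variable names follow the advisory's
// gc.php excerpt; the helper names, table name and sample data are assumptions.

// Identifiers cannot be bound as parameters, so the configured table name
// is checked against a strict pattern before it is placed in the SQL text.
function safeTableName(string $name): string
{
    if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]{0,63}$/', $name)) {
        throw new InvalidArgumentException('invalid table name');
    }
    return $name;
}

// Hardened form of the username lookup: the value travels as a bound
// parameter and never becomes part of the SQL statement text.
function findUser(PDO $db, string $table, string $login): ?array
{
    $stmt = $db->prepare(
        'SELECT * FROM ' . safeTableName($table) . ' WHERE username = :login'
    );
    $stmt->execute([':login' => $login]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed test data in an in-memory SQLite database (needs pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$cfgTabelleUserDaten = 'gc_userdaten'; // hypothetical table name
$db->exec("CREATE TABLE $cfgTabelleUserDaten (username TEXT, email TEXT)");
$ins = $db->prepare("INSERT INTO $cfgTabelleUserDaten VALUES (?, ?)");
$ins->execute(["o'neil", 'oneil@example.test']);

$Temp_entered_login = "o'neil"; // constructed input containing a quote

// The pattern from the advisory: the quote in the value ends the string
// literal early, so the input alters the statement's structure.
$concatenated = "SELECT * FROM $cfgTabelleUserDaten WHERE username = '$Temp_entered_login'";
try {
    $db->query($concatenated);
    echo "concatenated query ran\n";
} catch (PDOException $e) {
    echo "concatenated query rejected: statement structure changed by input\n";
}

// The bound parameter is compared as data and matches the stored row.
$row = findUser($db, $cfgTabelleUserDaten, $Temp_entered_login);
echo 'prepared lookup found: ', $row['username'] ?? '(none)', "\n";
```

The same binding applies to every `$form_*` and `$Temp_*` value in the registieren.php UPDATE and INSERT statements quoted in the advisory; htmlentities belongs at output time for the cross-site scripting side and does not replace parameter binding.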


Copyright 2025, cxsecurity.com