PHP Support Tickets 1.3 SQL Injection

2016.10.31
Credit: N_A
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89

PHP_S_Tickets_v1.3 SQL Injection Vulnerabilty ================================================ Discovered by N_A, N_A[at]tutanota.com ======================================= Description ============ PHP Support Tickets; will allow a webmaster the ability to offer its user base a means to contact its personnel through request vouchers. https://sourceforge.net/projects/php-sup-tickets Vulnerability ============== An SQL Injection vulnerability exists that allows unsanitized commands to be passed into the MYSQL database. The vulnerability resides inside the index.php and the config.php file: index.php: =========== ############ AUTH SYSTEM ############ A IF (isset($_POST['form']) && isset($_POST['username']) && isset($_POST['password'])) A A A { A A A IF (AuthUser($_REQUEST['username'], $_REQUEST['password'])) unsanitized requests are handled by the function AuthUser which is located inside config.php: config.php: =========== Function AuthUser($user, $pass) A A A { A A A $query = "A A A SELECT tickets_users_password A A A A A A A A A FROM tickets_users A A A A A A A A A WHERE tickets_users_username = '$user' A A A A A A A A A AND tickets_users_status != '0'"; A A A A $result = @mysql_query($query); The variable $user is passed to the MYSQL query completely unchecked and unsanitized and it is possible for command injection to take place here. Email ====== N_A[at]tutanota.com -- Securely sent with Tutanota. Claim your encrypted mailbox today! https://tutanota.com


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top