pforum - mysql injection bug
20th Feb 2002 [SBWID-5118]

	mysql injection bug


	Version: 1.14 and maybe all versions before


	ppp-design [] found the following:

	pforum is a www-board system written in PHP on top of MySQL. Although the
	author seems to try to eliminate malicious code (e.g. unwanted HTML code)
	in the inputs, he relies on PHP's magic quotes to add slashes to some user
	input. Therefore it is possible to use an SQL injection attack to log in
	as admin or as any user without having the correct password.


	If the affected webserver does not have PHP's magic_quotes_gpc enabled in
	php.ini, it is possible to log in as any user, admin or moderator, so you
	can e.g. delete complete boards. Because the admin of the board may have
	no access to the webserver's php.ini, he may not be able to fix the bug
	easily on his own. Not only the login page is affected; the change
	password form (and maybe some other forms) suffers from the same SQL
	injection bug, too.


	Without magic quotes enabled, just log in with the username
	"admin' OR username='admin". If the user admin is an existing user, you
	are logged in without the proper password. If the user admin is an
	administrator, you have all administrator privileges on the board. The
	same concept works for the change password form. In case you have
	forgotten your password you get an id via mail to your registered email
	address, so you can change your password to a new one. Here you have to
	use changepass.php and enter your id like "123' or 'a'='a" to change
	your password to any desired one.






	Enable magic_quotes_gpc in your php.ini.

	Patch will be available soon.

