GeheimChaos <= 0.5 Multiple SQL Injection Vulnerabilities

              CVE: (none listed)
         Category: CWE-89
            Price: Not specified
         Severity: High
           Author: Unknown
             Risk: High
Exploitation Type: Remote
             Date: 2006-08-15
             CVSS: CVSS:4.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
             EPSS: 0.02192
            EPSSP: 0.50148

Our sensors found this exploit at: http://cxsecurity.com/ascii/WLB-2006080085

Below is a copy:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
      Advisory: GeheimChaos <= 0.5 Multiple SQL Injection Vulnerabilities
  Release Date: 2006/08/04
 Last Modified: 2006/08/03
        Author: Tamriel [tamriel at gmx dot net]
   Application: GeheimChaos <= 0.5
          Risk: Moderate
 Vendor Status: not contacted
   Vendor Site: www.chaossoft.de

Overview:

Quote from www.chaossoft.de:

"If you want to add a private area to your homepage,
    GeheimChaos is exactly what you need."

Details:
 
   1) Multiple SQL Injection Vulnerabilities in gc.php
      
      ...
      
      around lines 78-79
      
      $tmpQuery = mysql_query("SELECT * FROM $cfgTabelleUserDaten WHERE username = '$Temp_entered_login'") or die("INSERT ERROR 2");
      mysql_query("DELETE FROM $cfgTabelleOnline WHERE username = '$Temp_entered_login'") or die("DELETE Error 3");

Here $Temp_entered_login reaches both queries without any escaping, so an attacker controls part of the SQL.

...

around line 103

$tmpQuery = mysql_query("SELECT * FROM $cfgTabelleUserDaten WHERE email = '$Temp_entered_email'") or die("INSERT ERROR 451");

...

around line 133

$tmpQuery = mysql_query("SELECT * FROM $cfgTabelleUserDaten WHERE username = '$Temp_entered_login'") or die("INSERT ERROR 2");

This query can be used for a login bypass ...

...

2) Multiple SQL Injection Vulnerabilities in registieren.php

...

around line 50

mysql_query("UPDATE $cfgTabelleUserDaten SET email = '$form_email', vorname = '$form_vorname', nachname = '$form_nachname',
      strasse = '$form_strasse', plzort = '$form_plzort', land = '$form_land', homepage = '$form_homepage', status = '$usernochfrei',
      userpic = '$form_bildpfad', privzeigen = '$form_profilsichtbar', sprache = '$Temp_sprache', geb_tag = '$form_tag',
      geb_monat = '$form_monat', geb_jahr = '$form_jahr', aktivstr = '$Temp_akt_string', icq = '$form_icq', msn = '$form_msn',
      yahoo = '$form_yahoo', profcheck = '0' WHERE userid = '$geheimchaos->ID'");

...

around line 170
      
      $tmpQuery = mysql_query("INSERT INTO $cfgTabelleUserDaten
      (username,password,email,vorname,nachname,strasse,plzort,land,homepage,geb_tag,geb_monat,geb_jahr,status,aktivstr,passneu,
      regdatum,letzterbesuch,besuchanzahl,letzteip,userpic,fehlerhaft,profcheck,privzeigen,sprache,icq,msn,yahoo) VALUES
      ('$form_username','$Temp_form_pass','$form_email','$form_vorname','$form_nachname','$form_strasse','$form_plzort','$form_land',
      '$form_homepage','$form_tag','$form_monat','$form_jahr','0','$Temp_akt_string','','$timestamp','$timestamp','0','$Temp_ip',
      '$form_bildpfad','0','0','$form_profilsichtbar','$Temp_sprache','$form_icq','$form_msn','$form_yahoo')") or die("INSERT ERROR 99");
      
      ...

Most of these variables are not checked by the script before they are placed into the query.

Note:

There are many more SQL injection vulnerabilities and possible
cross-site scripting vulnerabilities in this script.

Version note:

The "NewsletterChaos" and "ForumChaos" scripts are based on this script.

Solution:

Look at PHP's htmlentities and mysql_real_escape_string
functions and review the code yourself.
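The following is an added example and is not part of this advisory or of the GeheimChaos code. It rewrites the two query patterns quoted above (the login lookup and DELETE in gc.php around lines 78-79, and the profile UPDATE in registieren.php around line 50) with PDO prepared statements, which is the current replacement for the mysql_real_escape_string approach named in the Solution (the mysql_* extension was removed in PHP 7). The table names gc_userdaten and gc_online, the $pdo handle, the SQLite test schema and all function names are assumptions made for illustration.

```php
<?php
// Added example, not code from the advisory or from GeheimChaos.
// Table names, function names and the SQLite schema below are assumptions.
declare(strict_types=1);

// Identifiers (table names) cannot be bound as parameters. Restrict them to a
// fixed whitelist instead of interpolating a configuration string like
// $cfgTabelleUserDaten directly into the SQL text.
function quoteTable(string $name): string
{
    static $allowed = ['gc_userdaten', 'gc_online']; // assumed table names
    if (!in_array($name, $allowed, true)) {
        throw new InvalidArgumentException("unexpected table name: $name");
    }
    return '`' . $name . '`';
}

// gc.php, around lines 78-79: look up the entered login and drop the user's
// "online" row. The login value is bound, so quotes or comment sequences in it
// are data, never SQL.
function findUserByLogin(PDO $pdo, string $userTable, string $enteredLogin): ?array
{
    $stmt = $pdo->prepare('SELECT * FROM ' . quoteTable($userTable) . ' WHERE username = :login');
    $stmt->execute([':login' => $enteredLogin]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

function removeOnlineEntry(PDO $pdo, string $onlineTable, string $enteredLogin): int
{
    $stmt = $pdo->prepare('DELETE FROM ' . quoteTable($onlineTable) . ' WHERE username = :login');
    $stmt->execute([':login' => $enteredLogin]);
    return $stmt->rowCount();
}

// registieren.php, around line 50: the profile UPDATE. The SET list is built
// from a fixed column whitelist and every value is bound; form keys that are
// not whitelisted never reach the SQL text.
function updateProfile(PDO $pdo, string $userTable, int $userId, array $form): int
{
    $columns = ['email', 'vorname', 'nachname', 'strasse', 'plzort', 'land',
                'homepage', 'userpic', 'privzeigen', 'geb_tag', 'geb_monat',
                'geb_jahr', 'icq', 'msn', 'yahoo'];
    $set = [];
    $params = [':id' => $userId];
    foreach ($columns as $col) {
        if (array_key_exists($col, $form)) {
            $set[] = "`$col` = :$col";
            $params[":$col"] = (string) $form[$col];
        }
    }
    if ($set === []) {
        return 0;
    }
    $sql = 'UPDATE ' . quoteTable($userTable) . ' SET ' . implode(', ', $set)
         . ", profcheck = '0' WHERE userid = :id";
    $stmt = $pdo->prepare($sql);
    $stmt->execute($params);
    return $stmt->rowCount();
}

// Usage against an in-memory SQLite database so the example runs without MySQL.
// Constructed schema and rows; the real script uses MySQL and more columns.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE gc_userdaten (userid INTEGER PRIMARY KEY, username TEXT, email TEXT, vorname TEXT, profcheck TEXT)');
$pdo->exec('CREATE TABLE gc_online (username TEXT)');
$pdo->exec("INSERT INTO gc_userdaten (userid, username, email, vorname, profcheck) VALUES (1, 'alice', 'a@example.invalid', 'Alice', '1')");
$pdo->exec("INSERT INTO gc_online (username) VALUES ('alice')");

// A login value containing a quote is compared literally and matches nothing,
// instead of changing the WHERE clause as it does in the original code.
var_dump(findUserByLogin($pdo, 'gc_userdaten', "alice' OR '1'='1") === null); // bool(true)
var_dump(findUserByLogin($pdo, 'gc_userdaten', 'alice')['username']);           // string(5) "alice"
var_dump(removeOnlineEntry($pdo, 'gc_online', 'alice'));                        // int(1)
var_dump(updateProfile($pdo, 'gc_userdaten', 1,
    ['email' => "o'brien@example.invalid", 'bogus' => 'ignored']));             // int(1)
```

Two points matter in practice. Binding only protects values: table and column names still have to come from a whitelist, as quoteTable and the $columns array do, because the original code interpolates $cfgTabelleUserDaten as well as form fields. And htmlentities, which the Solution also names, is output encoding for the cross-site scripting issues mentioned in the Note; it does nothing for the SQL queries and should not be used in their place.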

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (MingW32)
 
iD8DBQFE0oOwqBhP+Twks7oRAtjPAJ9hTR7LYl0TJw2KWlsGuGpkK5aYDQCfTsDL
KK8DlnOh/Mcm+Apzgz9jE9U=
=5Ilf
-----END PGP SIGNATURE-----
