Advisory: GeheimChaos <= 0.5 Multiple SQL Injection Vulnerabilities
Release Date: 2006/08/04
Last Modified: 2006/08/03
Author: Tamriel [tamriel at gmx dot net]
Application: GeheimChaos <= 0.5
Risk: Moderate
Vendor Status: not contacted
Vendor Site: www.chaossoft.de
Overview:
Quote from www.chaossoft.de:
"If you want to build a private area into your homepage,
GeheimChaos is exactly right."
Details:
1) Multiple SQL Injection Vulnerabilities in gc.php
...
around lines 78-79
$tmpQuery = mysql_query("SELECT * FROM $cfgTabelleUserDaten
WHERE username = '$Temp_entered_login'") or die("INSERT ERROR 2");
mysql_query("DELETE FROM $cfgTabelleOnline WHERE username =
'$Temp_entered_login'") or die("DELETE Error 3");
Here attackers control $Temp_entered_login, which is used unescaped in both queries.
...
around line 103
$tmpQuery = mysql_query("SELECT * FROM $cfgTabelleUserDaten
WHERE email = '$Temp_entered_email'") or die("INSERT ERROR 451");
...
around line 133
$tmpQuery = mysql_query("SELECT * FROM $cfgTabelleUserDaten
WHERE username = '$Temp_entered_login'") or die("INSERT ERROR 2");
This line can be useful if you want to perform a login bypass ...
...
2) Multiple SQL Injection Vulnerabilities in registieren.php
...
around line 50
mysql_query("UPDATE $cfgTabelleUserDaten SET email =
'$form_email', vorname = '$form_vorname', nachname = '$form_nachname',
strasse = '$form_strasse', plzort = '$form_plzort', land =
'$form_land', homepage = '$form_homepage', status = '$usernochfrei',
userpic = '$form_bildpfad', privzeigen = '$form_profilsichtbar',
sprache = '$Temp_sprache', geb_tag = '$form_tag',
geb_monat = '$form_monat', geb_jahr = '$form_jahr', aktivstr =
'$Temp_akt_string', icq = '$form_icq', msn = '$form_msn',
yahoo = '$form_yahoo', profcheck = '0' WHERE userid =
'$geheimchaos->ID'");
...
around line 170
$tmpQuery = mysql_query("INSERT INTO $cfgTabelleUserDaten
(username,password,email,vorname,nachname,strasse,plzort,land,homepage,
geb_tag,geb_monat,geb_jahr,status,aktivstr,passneu,regdatum,letzterbesuch,
besuchanzahl,letzteip,userpic,fehlerhaft,profcheck,
privzeigen,sprache,icq,msn,yahoo) VALUES
('$form_username','$Temp_form_pass','$form_email','$form_vorname',
'$form_nachname','$form_strasse','$form_plzort','$form_land','$form_homepage',
'$form_tag','$form_monat','$form_jahr','0','$Temp_akt_string','',
'$timestamp','$timestamp','0','$Temp_ip','$form_bildpfad','0','0',
'$form_profilsichtbar','$Temp_sprache','$form_icq','$form_msn',
'$form_yahoo')") or die("INSERT ERROR 99");
...
Here most of the variables are not checked by the script.
Note:
There are many more SQL injection vulnerabilities and possible
cross-site scripting vulnerabilities in this script.
Version note:
The "NewsletterChaos" and "ForumChaos" scripts are based on this script.
Solution:
Take a look at PHP's htmlentities and mysql_real_escape_string
functions and research the code on your own.
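The gc.php lookup from section 1 beside a hardened version, as an added example that is not part of the advisory or of the GeheimChaos code. It uses an in-memory SQLite database through PDO so it runs without MySQL (assumes the pdo_sqlite extension); the table name mirrors $cfgTabelleUserDaten, and the test login is a constructed value.

```php
<?php
// Added example, not GeheimChaos code. Table name mirrors the advisory's
// $cfgTabelleUserDaten; the column set is reduced to what the lookup needs.
$cfgTabelleUserDaten = 'gc_userdaten';

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE $cfgTabelleUserDaten (userid INTEGER PRIMARY KEY, username TEXT, password TEXT)");
// Constructed sample rows; 'o''brien' is the SQL spelling of o'brien.
$db->exec("INSERT INTO $cfgTabelleUserDaten (username, password) VALUES ('alice', 'x'), ('o''brien', 'y')");

// Vulnerable form, the pattern of gc.php around line 78: the raw login name is
// interpolated into the SQL text, so a quote inside the input closes the string
// literal and the rest of the input is parsed as part of the statement.
function findUserVulnerable(PDO $db, string $table, string $login): array {
    $sql = "SELECT * FROM $table WHERE username = '$login'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened form: the login name travels as a bound parameter, so the statement
// text is fixed whatever the input contains. $table is trusted configuration,
// not user input, which is why it may still be interpolated.
// (mysql_real_escape_string(), named in the Solution, is the escaping fix for the
// old mysql_* API; prepared statements are the equivalent for PDO and mysqli.)
function findUserSafe(PDO $db, string $table, string $login): array {
    $stmt = $db->prepare("SELECT * FROM $table WHERE username = :login");
    $stmt->execute([':login' => $login]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed input: a legitimate name that happens to contain an apostrophe.
$login = "o'brien";

try {
    findUserVulnerable($db, $cfgTabelleUserDaten, $login);
    echo "vulnerable query ran\n";
} catch (PDOException $e) {
    // The apostrophe unbalanced the literal: the input reached the SQL parser,
    // which is exactly the condition an injected payload relies on.
    echo "vulnerable query failed: " . $e->getMessage() . "\n";
}

$rows = findUserSafe($db, $cfgTabelleUserDaten, $login);
echo "safe query matched " . count($rows) . " row(s) for " . $login . "\n";
```

The same bound-parameter pattern applies to the UPDATE and INSERT statements in registieren.php, where each '$form_...' literal becomes a placeholder.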