phpmyfamily people.php person Parameter SQL Injection

2005-03-21T00:00:00
ID OSVDB:14908
Type osvdb
Reporter kre0n(adz.kreon@gmail.com)
Modified 2005-03-21T00:00:00

Description

Vulnerability Description

phpmyfamily contains a flaw that may allow a remote attacker to inject arbitrary SQL queries. The issue is due to the 'person' parameter in the 'people.php' script not being properly sanitized and may allow a remote attacker to inject or manipulate SQL queries.

Solution Description

Upgrade to version 1.4.1 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Short Description

phpmyfamily contains a flaw that may allow a remote attacker to inject arbitrary SQL queries. The issue is due to the 'person' parameter in the 'people.php' script not being properly sanitized and may allow a remote attacker to inject or manipulate SQL queries.

Manual Testing Notes

http://[victim]/[path]/people.php?person=00002'%20UNION%20SELECT%20NULL,password,NULL,username,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL%20FROM%20family_users%20%20WHERE%20admin='Y'%20LIMIT%201,1/*
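The request above is characteristic of the flaw: a record id that should be a plain number carries a quote, a UNION SELECT and a trailing comment sequence. The following script is an added detection example and is not part of the OSVDB entry or of the phpmyfamily project; it scans web-server access logs in Common Log Format for requests to people.php whose 'person' value is not purely numeric, and names the SQL-injection indicators found in the decoded value. The assumption that phpmyfamily person ids are digit-only (as the value 00002 in the testing note suggests) and the sample log lines are constructed for this example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (Common Log Format); not from the advisory.
# Line 2 reproduces the shape of the manual-testing request, line 3 a tautology probe.
SAMPLE_LOG = """\
192.0.2.10 - - [21/Mar/2005:10:00:01 +0000] "GET /phpmyfamily/people.php?person=00002 HTTP/1.1" 200 5120
192.0.2.11 - - [21/Mar/2005:10:00:07 +0000] "GET /phpmyfamily/people.php?person=00002'%20UNION%20SELECT%20NULL,password,NULL,username,NULL%20FROM%20family_users%20WHERE%20admin='Y'%20LIMIT%201,1/* HTTP/1.1" 200 6110
192.0.2.12 - - [21/Mar/2005:10:00:09 +0000] "GET /phpmyfamily/people.php?person=00003%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 5120
192.0.2.13 - - [21/Mar/2005:10:00:12 +0000] "GET /phpmyfamily/index.php HTTP/1.1" 200 2048
"""

# Request portion of a Common Log Format line: "METHOD target HTTP/x.y".
CLF_REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Indicators of SQL syntax inside a value that should be a bare record id.
# Checked in this order; the names are reported as the finding.
SQLI_PATTERNS = {
    "union_select": re.compile(r"\bunion\b.{0,40}\bselect\b", re.I | re.S),
    "quote_breakout": re.compile(r"['\"]"),
    "comment_terminator": re.compile(r"(/\*|--|#)"),
    "tautology": re.compile(r"\bor\b\s*['\"]?\w+['\"]?\s*=\s*['\"]?\w+", re.I),
}


def findings_for_person(value):
    """Return the indicator names present in an already URL-decoded 'person' value.

    Assumption (not stated by the advisory): valid person ids are digits only,
    so any other value is at least anomalous even if no SQL keyword is present.
    """
    if re.fullmatch(r"\d+", value):
        return []
    hits = [name for name, pat in SQLI_PATTERNS.items() if pat.search(value)]
    return hits or ["non_numeric_id"]


def scan_log(text):
    """Scan CLF log text; return one event per people.php request with a suspect 'person'."""
    events = []
    for line in text.splitlines():
        m = CLF_REQUEST.search(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith("/people.php"):
            continue
        # parse_qs percent-decodes values; keep_blank_values keeps 'person=' visible.
        params = parse_qs(parts.query, keep_blank_values=True)
        for decoded in params.get("person", []):
            hits = findings_for_person(decoded)
            if hits:
                events.append({
                    "client": line.split()[0],
                    "person": decoded,
                    "indicators": hits,
                })
    return events


if __name__ == "__main__":
    for event in scan_log(SAMPLE_LOG):
        print(f'{event["client"]}: {", ".join(event["indicators"])} in person={event["person"]!r}')
```

The numeric-id allow-list does the real work: any request that fails it is worth a look, and the indicator names only explain why. The same check, applied server-side with a cast to integer or a prepared statement before the value reaches the query, is the mitigation the upgrade to 1.4.1 is reported to supply.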

References:

Vendor URL: http://www.phpmyfamily.net/
Security Tracker: 1013493
Secunia Advisory ID: 14642
Related OSVDB ID: 14911
Related OSVDB ID: 14913
Related OSVDB ID: 14909
Related OSVDB ID: 14910
Related OSVDB ID: 14912
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-03/0358.html
ISS X-Force ID: 19787
CVE: CVE-2005-0841
Bugtraq ID: 12860