NPDS pollcomments.php thold Variable SQL Injection

2005-05-15T07:11:07
ID OSVDB:16649
Type osvdb
Reporter NoSP(NoSP@thehackademy.net), Romano(romano_45@hotmail.com), Benji Lemien(benjilenoob@hotmail.com)
Modified 2005-05-15T07:11:07

Description

Vulnerability Description

NPDS contains a flaw that may allow an attacker to inject arbitrary SQL queries. The issue is due to the thold variable in the pollcomments.php script not being properly sanitized and may allow an attacker to inject or manipulate SQL queries.

Technical Description

To patch NPDS:

1. Download and unzip url_protect.zip.
2. Place url_protect.php in the modules/include directory.
3. Modify mainfile.php to include url_protect.php:

    include("grab_globals.php");
    include("modules/include/url_protect.php");
    include("config.php");

Solution Description

Currently, there are no known workarounds or upgrades to correct this issue. However, npds.org has released a patch to address this vulnerability.

Manual Testing Notes

http://[target]/npds/pollcomments.php?thold=0%20UNION%20SELECT%200,0,0,0,0,0,0,0,aid,pwd,0,0%20FROM%20authors

http://[target]/npds/pollcomments.php?op=results&pollID=2&mode=&order=&thold=0%20UNION%20SELECT%200,0,0,0,0,0,0,0,uname,pass,0,0%20FROM%20u
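To check whether requests of this shape have already reached a server, the following added example (not part of the original advisory or of NPDS) scans access-log text for pollcomments.php requests whose thold value is not a plain integer. The log lines are constructed samples in common log format, and the integer-only rule for thold is an assumption about how the parameter is meant to be used.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample log lines (common log format), not real traffic.
# The second line reuses the first test URL from this advisory.
SAMPLE_LOG = """\
192.0.2.10 - - [15/May/2005:07:11:07 +0000] "GET /npds/pollcomments.php?op=results&pollID=2&thold=0 HTTP/1.1" 200 5120
192.0.2.44 - - [15/May/2005:07:12:31 +0000] "GET /npds/pollcomments.php?thold=0%20UNION%20SELECT%200,0,0,0,0,0,0,0,aid,pwd,0,0%20FROM%20authors HTTP/1.1" 200 7340
192.0.2.10 - - [15/May/2005:07:13:02 +0000] "GET /npds/article.php?sid=1262 HTTP/1.1" 200 9001
192.0.2.51 - - [15/May/2005:07:14:45 +0000] "GET /npds/pollcomments.php?pollID=2&thold=-1 HTTP/1.1" 200 5090
"""

# client IP, ident, user, [timestamp], "METHOD target PROTOCOL", status
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Assumption: a legitimate thold is an optionally negative integer.
INTEGER_RE = re.compile(r"-?\d+")


def suspicious_thold_requests(log_text, script="pollcomments.php"):
    """Return one finding per request to `script` with a non-integer thold."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        match = REQUEST_RE.match(line)
        if not match:
            continue  # not a request line we can parse
        url = urlsplit(match.group("target"))
        if not url.path.endswith("/" + script):
            continue
        # parse_qs percent-decodes values, so %20 becomes a space here.
        params = parse_qs(url.query, keep_blank_values=True)
        for value in params.get("thold", []):
            if not INTEGER_RE.fullmatch(value):
                findings.append({
                    "line": lineno,
                    "ip": match.group("ip"),
                    "status": int(match.group("status")),
                    "thold": value,
                })
    return findings


if __name__ == "__main__":
    for finding in suspicious_thold_requests(SAMPLE_LOG):
        print(finding)
```

Only parameters sent in the URL appear in access logs, so a thold value submitted in a POST body would not be seen by this check.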

References:

Vendor URL: http://www.npds.org/
Vendor Specific Solution URL: http://www.npds.org/download.php?op=mydown&did=114
Vendor Specific News/Changelog Entry: http://www.npds.org/article.php?sid=1262
Security Tracker: 1013973
Secunia Advisory ID: 15385
Related OSVDB ID: 16648
Related OSVDB ID: 16650
ISS X-Force ID: 20636
CVE-2005-1637
Bugtraq ID: 13649