PHPKIT include.php Session ID SQL Injection

2005-11-07T11:27:18
ID OSVDB:20561
Type osvdb
Reporter Stefan Walk, Johann-Peter Hartmann (hartmann@freecharts.de), Christopher Kunz (christopher.kunz@hardened-php.net), Stefan Esser (sesser@hardened-php.net)
Modified 2005-11-07T11:27:18

Description

Vulnerability Description

PHPKIT contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the include.php script not properly sanitizing user-supplied input to the Session ID field. This may allow an attacker to inject or manipulate SQL queries, or delete arbitrary data rows from the backend database.

Technical Description

This vulnerability is only present when the magic_quotes_gpc PHP option is 'off'.

Solution Description

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

Manual Testing Notes

http://target/include.php?path=login/userinfo.php&id='%20UNION%20SELECT%201,1,user_pw,1,1,1,1,1,1,1,1,1,1,1,1,user_pw,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1%20FROM%20phpkit_user%20where%20%20user_id=1%20and%20'1'='1

References:

Security Tracker: 1015167
Secunia Advisory ID: 17479
Related OSVDB ID: 20556
Related OSVDB ID: 20559
Related OSVDB ID: 20560
Related OSVDB ID: 20562
Related OSVDB ID: 20553
Related OSVDB ID: 20554
Related OSVDB ID: 20558
Related OSVDB ID: 20563
Related OSVDB ID: 20555
Related OSVDB ID: 20557
Other Advisory URL: http://www.hardened-php.net/advisory_212005.80.html
Mail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2005-11/0182.html
FrSIRT Advisory: ADV-2005-2344
CVE-2005-3553
Bugtraq ID: 15354