Vulners
Lucene search
EV0058.txt
🗓️ 13 Feb 2006 00:00:00Reported by Aliaksandr HartsuyeuType 
packetstorm🔗 packetstormsecurity.com👁 43 Views
| Reporter | Title | Published | Views | Family All 16 |
|---|---|---|---|---|
 | CVE-2006-0602 | 8 Feb 200623:00 | – | cve |
| CVE-2006-0603 | 8 Feb 200623:00 | – | cve |
| CVE-2006-0604 | 8 Feb 200623:00 | – | cve |
 | CVE-2006-0602 | 8 Feb 200623:00 | – | cvelist |
| CVE-2006-0603 | 8 Feb 200623:00 | – | cvelist |
| CVE-2006-0604 | 8 Feb 200623:00 | – | cvelist |
 | EUVD-2006-0609 | 7 Oct 202500:30 | – | euvd |
| EUVD-2006-0610 | 7 Oct 202500:30 | – | euvd |
| EUVD-2006-0611 | 7 Oct 202500:30 | – | euvd |
 | CVE-2006-0602 | 8 Feb 200623:02 | – | nvd |
10
`New eVuln Advisory:
phphg Guestbook Multiple Vulnerabilities
http://evuln.com/vulns/58/summary.html
--------------------Summary----------------
eVuln ID: EV0058
CVE: CVE-2006-0602 CVE-2006-0603 CVE-2006-0604
Vendor: Hinton Design
Vendor's Web Site: http://www.hintondesign.org
Software: phphg Guestbook
Sowtware's Web Site: http://www.hintondesign.org/downloads/view_cat.php?cat_id=45
Versions: 1.2
Critical Level: Moderate
Type: Multiple Vulnerabilities
Class: Remote
Status: Unpatched. No reply from developer(s)
Exploit: Available
Solution: Not Available
Discovered by: Aliaksandr Hartsuyeu (eVuln.com)
-----------------Description---------------
1. Authentication Bypass
Vulnerable script: check.php
There are two ways to bypass authentication:
a) SQL Injection
Variable $HTTP_POST_VARS[username] isn't properly sanitized before being used in a SQL query. This can be used to make any SQL query by injecting arbitrary SQL code.
Condition: magic_quotes_gpc - off
b) Cookie based authentication
check.php script dont make password comparisson when identifying user by cookies
2. Multiple Cross-Site Scripting
Vulnerable script: signed.php
Variables $HTTP_POST_VARS[location] $HTTP_POST_VARS[website] $HTTP_POST_VARS[message] are not properly sanitized. This can be used to post arbitrary html or script code.
3. SQL Injections in administrator control panel
Vulnerable scripts:
admin/edit_smilie.php
admin/add_theme.php
admin/ban_ip.php
admin/add_lang
admin/edit_filter
Variable $HTTP_GET_VARS[id] variable isn't properly sanitized. This can be used to make any SQL query by injecting arbitrary SQL code.
Condition: magic_quotes_gpc - off
--------------Exploit----------------------
Available at: http://evuln.com/vulns/58/exploit.html
1. Authentication Bypass
a) SQL Injection
url: http://host/hg/admin.php
Username: ' or 1/*
Password: any
b) Cookie based authentication
Cookie: loged=yes
Cookie: username=admin
Cookie: user_level=1
2. Cross-Site Scripting Example.
Url: http://host/hg/sign.php
Location: <XSS>
Website: javascript:alert(123)
Message: <XSS>
3. SQL Injection Example:
http://host/hg/admin/edit_smilie.php? id=333'% 20union%20select% 201,2,3,4/*
--------------Solution---------------------
No Patch available.
--------------Credit-----------------------
Discovered by: Aliaksandr Hartsuyeu (eVuln.com)
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
13 Feb 2006 00:00Current
6.6Medium risk
Vulners AI Score6.6
EPSS0.01721