PHPClassifieds.txt

2006-02-14T00:00:00
ID PACKETSTORM:43859
Type packetstorm
Reporter Audun Larsen
Modified 2006-02-14T00:00:00

Description

                                        
---------------------------------------------------------------------------  
SQL injection in PHP Classifieds 6.20  
---------------------------------------------------------------------------  
Author: Audun Larsen (audun dot larsen at lkonsult dot no)  
Date: February 14, 2006  
  
Affected software:  
==================  
Name: PHP Classifieds  
URL: http://www.deltascripts.com/phpclassifieds  
Version: 6.20 (older versions not tested)  
Released: December 10, 2006  
  
Vendor's description:  
=====================  
PHP Classifieds is one of the most customizable Classified ad programs that  
exist for PHP and MySQL.  
  
  
Discussion:  
===========  
In member_login.php the POST data is only escaped using htmlspecialchars(),  
which does not escape SQL-specific characters. This enables an attacker to  
log in using only the e-mail address of a valid user. No password is required.  
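
The flaw described above, next to a parameterised alternative. This is an added
example, not code from PHP Classifieds or from the advisory's author. The schema,
function names and sample data are hypothetical, and an in-memory SQLite database
(pdo_sqlite) stands in for MySQL.

```php
<?php
// Added illustration: schema, function names and data are hypothetical/constructed,
// not taken from PHP Classifieds.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE members (id INTEGER PRIMARY KEY, email TEXT, pass_md5 TEXT, pass_hash TEXT)');
$db->prepare('INSERT INTO members (email, pass_md5, pass_hash) VALUES (?, ?, ?)')
   ->execute(['some@mail.com', md5('s3cret'), password_hash('s3cret', PASSWORD_DEFAULT)]);

// Pattern the advisory describes: HTML escaping used as if it were SQL escaping.
// ENT_COMPAT (the default before PHP 8.1) leaves the single quote untouched.
function login_html_escaped(PDO $db, string $email, string $pass): bool
{
    $email = htmlspecialchars($email, ENT_COMPAT);
    $sql = "SELECT id FROM members WHERE email = '$email' AND pass_md5 = '" . md5($pass) . "'";
    return $db->query($sql)->fetch() !== false;
}

// Hardened: the e-mail is a bound parameter, so it can never change the statement,
// and the password is checked in PHP against a salted hash.
function login_parameterised(PDO $db, string $email, string $pass): bool
{
    $stmt = $db->prepare('SELECT pass_hash FROM members WHERE email = ?');
    $stmt->execute([$email]);
    $hash = $stmt->fetchColumn();
    return $hash !== false && password_verify($pass, $hash);
}

$probe = "some@mail.com' -- '"; // value quoted in the advisory's Exploit section

var_dump(htmlspecialchars($probe, ENT_COMPAT) === $probe);     // does HTML escaping change it?
var_dump(login_html_escaped($db, $probe, 'wrong'));            // concatenated query, wrong password
var_dump(login_parameterised($db, $probe, 'wrong'));           // bound parameter, wrong password
var_dump(login_parameterised($db, 'some@mail.com', 's3cret')); // legitimate login
```

Since PHP 8.1 htmlspecialchars() also encodes single quotes by default, but it
remains an HTML output encoder and is not a substitute for bound parameters.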
  
Exploit:  
========  
To log in without a password you need a valid user's e-mail address (often  
displayed in a user's profile). In the E-mail address field enter:  
  
some@mail.com' -- '  
  
  
Tested with:  
============  
Apache 2.0.55 (running on Windows XP)  
PHP Classifieds 6.20 Released 10.12.2005  
PHP 5.0.5.5 (magic_quotes_gpc = Off)  
  
Solution:  
=========  
Vendor notified February 13, 2005.  
Reported fixed by vendor February 14, 2005.  
  
Disclaimer:  
===========  
The information in this advisory and any of its demonstrations is provided "as is" without  
warranty of any kind.  
  
Copyright © 2006 Audun Larsen  