wsportal-sql.txt

2007-06-19T00:00:00
ID PACKETSTORM:57214
Type packetstorm
Reporter Jesper Jurcenoks
Modified 2007-06-19T00:00:00

Description

                                        
                                            `netVigilance Security Advisory #33  
WSPortal version 1.0 SQL Injection Vulnerability   
Description:  
WSPortal is a site management system coded in PHP/MySQL. It is capable of adding pages, adding news to pages, adding images to news articles, alerting the  
site or a specific ip address, private messaging system between administrators.  
Successful exploitation requires PHP magic_quotes_gpc set to Off.  
Advisory URL:   
http://www.netvigilance.com/advisory0033  
External References:   
Mitre CVE: CVE-2007-3128  
NVD NIST: CVE-2007-3128  
OSVDB: 34164  
Summary:   
WSPortal is a site management system coded in PHP/MySQL.   
A security problem in the product allows attackers to commit SQL injection.  
Release Date:  
06/17/2007  
  
Severity:  
Risk: High  
  
CVSS Metrics  
Access Vector: Remote  
Access Complexity: High  
Authentication: Not-required  
Confidentiality Impact: Complete  
Integrity Impact: Partial  
Availability Impact: Partial  
Impact Bias: Confidentiality  
CVSS Base Score: 6.8  
  
Target Distribution on Internet: Low  
  
Exploitability: Functional Exploit  
Remediation Level: Workaround  
Report Confidence: Uncorroborated  
  
Vulnerability Impact: Attack  
Host Impact: SQL Injection.  
SecureScout Testcase ID:  
TC 17963  
Vulnerable Systems:  
WSPortal version 1.0  
Vulnerability Type:  
SQL injection allows malicious people to execute their own SQL scripts. This could be exploited to obtain sensitive data, modify database contents,  
sending anonymous emails to other recipients or acquire administrator's privileges.  
Vendor:  
Chris Harvey  
Vendor Status:  
The Vendor has been notified several times on many different email addresses last on 6 June 2007. The Vendor has not responded. There is no official fix  
at the release of this Security Advisory.  
Workaround:  
In the php.ini file set magic_quotes_gpc = On.  
Example:   
REQUEST:  
http://[TARGET]/[WSPORTAL-DIRECTORY]/content.php?page=0' UNION SELECT `username`,`password` FROM `users` WHERE '1  
REPLY:  
<legend><b><font color="#FF0000"> [SQL INJECTION RESULT: ADMIN NAME] </font></b>  
</legend> [SQL INJECTION RESULT: ADMIN PASSWORD] </fieldset></font>  
Credits:   
Jesper Jurcenoks  
Co-founder netVigilance, Inc  
www.netvigilance.com  
  
`