'PHP Grade Book' Unauthenticated SQL Database Export (CVE-2012-1670)
Mark Stanislav - mark.stanislav@xxxxxxxxx


I. DESCRIPTION
---------------------------------------
A vulnerability exists in admin/index.php that allows an
unauthenticated user to export the entire application database by
invoking the 'Database Backup' method, which is not access-restricted.
Because of the way sessions are handled, an attacker can then simply
pass the username and password hash via cookies to assume the
administrative role without ever knowing the clear-text password.
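To show the access-control failure the description points at in working code, here is an added example that is not PHP Grade Book's own code: a minimal admin dispatcher in the vulnerable shape (the privileged action runs before any authentication check, and identity is taken from a client-supplied username/password-hash cookie pair) beside a hardened one that dispatches only after a server-side session has been set by a real password check. The action name 'SaveSQL' comes from the PoC URL; the function names, the $session and $cookie arrays, the sample admin account and the constructed dump string are assumptions for the demo (PHP 7.4+ for the arrow function).

```php
<?php
declare(strict_types=1);

// Constructed admin table for the demo: one account whose password hash was
// produced with password_hash(); the clear-text password is never stored.
function demo_admin_table(): array
{
    return ['admin' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];
}

// VULNERABLE pattern (hypothetical reconstruction of the advisory's flaw):
// 1. the privileged 'SaveSQL' action is dispatched before any authentication check;
// 2. "logged in" is inferred from client-supplied cookies carrying the username and
//    the stored password hash, so whoever holds the exported hash can replay it.
function handle_request_vulnerable(array $get, array $cookie, array $adminTable, callable $exportDb): array
{
    if (($get['action'] ?? '') === 'SaveSQL') {
        return ['status' => 200, 'body' => $exportDb()];   // reachable with no login at all
    }
    $user = (string) ($cookie['username'] ?? '');
    $hash = (string) ($cookie['password_hash'] ?? '');
    if (isset($adminTable[$user]) && hash_equals($adminTable[$user], $hash)) {
        return ['status' => 200, 'body' => "admin panel for $user"]; // hash replay succeeds
    }
    return ['status' => 403, 'body' => 'login required'];
}

// HARDENED pattern: authenticate first, on the server side, and only then dispatch.
// $session models $_SESSION as populated by login_hardened(); the browser sends only
// an opaque session id, never the username or any form of the password.
function handle_request_hardened(array $get, array $session, callable $exportDb): array
{
    if (empty($session['admin_authenticated'])) {
        return ['status' => 403, 'body' => 'login required'];
    }
    switch ($get['action'] ?? '') {
        case 'SaveSQL':
            return ['status' => 200, 'body' => $exportDb()];
        default:
            return ['status' => 404, 'body' => 'unknown action'];
    }
}

// Server-side login: verifies the clear-text password against the stored hash and
// returns the session state to persist. A stolen hash on its own does not pass here.
function login_hardened(string $user, string $password, array $adminTable): array
{
    if (isset($adminTable[$user]) && password_verify($password, $adminTable[$user])) {
        return ['admin_authenticated' => true, 'username' => $user];
    }
    return [];
}

// --- demo run: php this_file.php ---
$admins   = demo_admin_table();
$exportDb = fn(): string => '-- constructed dump: CREATE TABLE users (...); INSERT INTO users ...';

// Anonymous request straight at the backup action, as in the PoC URL.
$anon = handle_request_vulnerable(['action' => 'SaveSQL'], [], $admins, $exportDb);
printf("vulnerable, no cookies:     %d %s\n", $anon['status'], substr($anon['body'], 0, 20));

// Cookie pair built from the username and hash that the dump exposes.
$replay = handle_request_vulnerable([], ['username' => 'admin', 'password_hash' => $admins['admin']], $admins, $exportDb);
printf("vulnerable, hash in cookie: %d %s\n", $replay['status'], $replay['body']);

// The same requests against the hardened dispatcher: both are refused.
$r1 = handle_request_hardened(['action' => 'SaveSQL'], [], $exportDb);
printf("hardened, no session:       %d %s\n", $r1['status'], $r1['body']);
$r2 = handle_request_hardened(['action' => 'SaveSQL'], login_hardened('admin', 'wrong', $admins), $exportDb);
printf("hardened, bad password:     %d %s\n", $r2['status'], $r2['body']);

// Only a genuine password check yields a session that reaches the export.
$r3 = handle_request_hardened(['action' => 'SaveSQL'], login_hardened('admin', 'correct horse battery staple', $admins), $exportDb);
printf("hardened, real login:       %d %s\n", $r3['status'], substr($r3['body'], 0, 20));
```

In a real deployment the array returned by login_hardened() goes into $_SESSION after session_regenerate_id(true), the session cookie is set HttpOnly and Secure, and the authentication check sits at the top of admin/index.php so that every action, not just 'SaveSQL', is covered. The remaining exposure to watch for in access logs is any request for admin/index.php with action=SaveSQL that returned 200 to a client with no prior successful login.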


II. TESTED VERSION
---------------------------------------
1.9.4


III. PoC EXPLOIT
---------------------------------------
http://localhost/phpGradeBook/admin/index.php?action=SaveSQL


IV. SOLUTION
---------------------------------------
Upgrade to 1.9.5 or above.


V. REFERENCES
---------------------------------------
http://sourceforge.net/projects/php-gradebook/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1670


VI. TIMELINE
---------------------------------------
02/29/2012 - Initial vendor disclosure
02/29/2012 - Vendor response and commitment to fix
03/01/2012 - Vendor patched and released an updated version
03/22/2012 - Public disclosure


