Date: Fri, 15 Oct 2004 21:52:59 +0200
From: Christoph Jeschke <[email protected]>
To: [email protected]
Subject: [Powie's PSCRIPT Forum] Multiple SQL-Injection Vulnerabilities
Cc: [email protected]
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Multiple SQL-Injection Vulnerabilities in Powie's PSCRIPT Forum
Summary

Product:         Powie's PSCRIPT Forum
Version:         <= 1.26
OS affected:     All with PHP and MySQL
Remote exploit:  Yes
Risk level:      Medium-high
Vendor:          Thomas 'Powie' Erhardt, http://www.pscript.de/
Informed since:  2002-02, workaround still available
See also:        Jens Liebchen, Sat Feb 16 2002 - 14:22:59 CST
                 <http://www.ppp-design.de/advisories_show.php?adv=pforum__mysql-injection_bug.txt>
Jens Liebchen discovered multiple SQL injection vulnerabilities in the PSCRIPT
Forum in February 2002. After more than 2.5 years, the vulnerabilities still
exist: the vendor did not fix them in a proper manner and ignored the advisory
completely.

I discovered SQL injection vulnerabilities with a medium-high security risk
in the following files:
* logincheck.php
* changepass.php
* edituser.php
Workaround

The vulnerabilities are rated medium-high because most hosters enable
magic_quotes_gpc in php.ini, so that GET, POST and cookie data are escaped
before they reach the scripts. If magic_quotes_gpc is disabled, it is very easy
to become administrator or any other user. But many users are not allowed to
change php.ini, especially in mass hosting environments (where the PSCRIPT
Forum is mostly used).

Caveat: magic_quotes_gpc only prefixes quote characters, backslashes and NUL
bytes with a backslash. A value that a script interpolates without quotes into
a numeric comparison stays injectable whatever the setting, and the directive
can be switched off per directory (php_flag magic_quotes_gpc off in .htaccess)
where AllowOverride permits it. Treat it as a mitigation, not as a fix; the fix
is to escape every value in the script itself (mysql_real_escape_string()) or
to pass values as bound parameters.
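The advisory does not reproduce the affected queries, so the following is an added, constructed model of the bug class it describes (request data concatenated into a login or user-lookup query), not PSCRIPT's own code. It runs against an in-memory SQLite table rather than MySQL, so the magic_quotes_gpc stand-in doubles quotes (SQLite syntax) instead of backslash-escaping them (MySQL syntax); the table, column names and sample users are all assumptions for the demonstration. It shows why the setting stops the quoted login bypass, why it does nothing for an unquoted numeric parameter, and what the bound-parameter fix looks like.

```python
import sqlite3

# Constructed sample users; not data from the advisory or the forum software.
USERS = [("admin", "s3cret", 1), ("bob", "hunter2", 0)]


def make_db():
    """In-memory SQLite stand-in for the forum's MySQL user table (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pass TEXT, isadmin INTEGER)"
    )
    conn.executemany("INSERT INTO users (name, pass, isadmin) VALUES (?, ?, ?)", USERS)
    return conn


def gpc_escape(value):
    """Model of what magic_quotes_gpc does to request data: neutralise quote
    characters inside the value. PHP's addslashes() prefixes ' " \\ and NUL with
    a backslash (MySQL syntax); SQLite escapes a quote by doubling it, so that is
    what this stand-in does. The effect is the same: an injected quote can no
    longer close the string literal it is placed in."""
    return value.replace("'", "''")


def login_unescaped(conn, name, password):
    """The bug class: request data concatenated straight into the login query."""
    sql = f"SELECT name FROM users WHERE name='{name}' AND pass='{password}'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_escaped(conn, name, password):
    """Same query, inputs first run through the magic_quotes-style transform."""
    return login_unescaped(conn, gpc_escape(name), gpc_escape(password))


def lookup_unescaped(conn, uid):
    """A numeric parameter concatenated without quotes: quote escaping cannot help."""
    sql = f"SELECT name FROM users WHERE id={uid} ORDER BY id"
    return [r[0] for r in conn.execute(sql)]


def lookup_escaped(conn, uid):
    """The numeric lookup with the magic_quotes-style transform applied first."""
    return lookup_unescaped(conn, gpc_escape(uid))


def login_fixed(conn, name, password):
    """Hardened form: bound parameters, so data never reaches the SQL parser as code."""
    row = conn.execute(
        "SELECT name FROM users WHERE name=? AND pass=?", (name, password)
    ).fetchone()
    return row[0] if row else None


def lookup_fixed(conn, uid):
    """Hardened form: the id is type-checked, then bound."""
    try:
        uid = int(uid)
    except ValueError:
        return []
    return [r[0] for r in conn.execute("SELECT name FROM users WHERE id=?", (uid,))]


if __name__ == "__main__":
    db = make_db()
    payload = "admin' -- "       # closes the literal, comments out the password check
    print(login_unescaped(db, payload, "wrong"))   # admin
    print(login_escaped(db, payload, "wrong"))     # None
    print(login_fixed(db, payload, "wrong"))       # None
    numeric = "2 OR isadmin=1"   # no quote characters, so magic quotes leave it alone
    print(lookup_unescaped(db, numeric))           # ['admin', 'bob']
    print(lookup_escaped(db, numeric))             # ['admin', 'bob']
    print(lookup_fixed(db, numeric))               # []
```

The quoted payload is exactly the case magic_quotes_gpc was meant to catch; the numeric payload is the case it cannot catch, which is why an escaping directive applied outside the script is a mitigation and the per-query fix (escaping or binding in the script) is the real repair.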
Kudos to Jens Liebchen,
Christoph Jeschke
-- 
The sky about the port was the color of television,
tuned to a death channel.                              .o.
-- William Gibson, Neuromancer,                       ..o
   Chiba City Blues                                   ooo
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

=sgP1
-----END PGP SIGNATURE-----