Date: 14 Dec 2007 22:08:05 -0000
From: [email protected]
To: [email protected]Subject: PHP RPG - Sql Injection and Session Information Disclosure.
X-Virus-Scanned: antivirus-gw at tyumen.ru
By Michael Brooks
Vulneralbity: Sql Injection and Session Information Disclosure.
Homepage:http://sourceforge.net/projects/phprpg/
Verison affected 0.8.0
There are two flaws that affect this applcation. A nearly vinnella login bypass issues affects phprpg. If magic_qutoes_gpc=off then this will login an attacker as the administrator using this:
username:1'or 1=1 limit 1/*
password:1
Keep in mind that magic_quotes_gpc is being removed in php6!
The second flaw allows an attacker to steal any session registered by phprpg by navigating to this directory:
http://localhost/phpRPG-0.8.0/tmp/
This is because phprpg has manually changed the directory using session_save_path() which is called in init.php on line 49.
Peace
