PHPCoin Multiple SQL Injection Vulnerabilities
BID:13433
Info
| Bugtraq ID: | 13433 |
| Class: | Input Validation Error |
| CVE: | CVE-2005-1384 |
| Remote: | Yes |
| Local: | No |
| Published: | Apr 28 2005 12:00AM |
| Updated: | Jul 12 2009 02:06PM |
| Credit: | Discovery of these vulnerabilities is credited to dcrab. |
| Vulnerable: | phpCOIN phpCOIN 1.2.1 b, phpCOIN phpCOIN 1.2.1, phpCOIN phpCOIN 1.2, Francisco Burzi PHP-Nuke 7.6 |
| Not Vulnerable: | |
Discussion
PHPCoin is reportedly affected by multiple SQL injection vulnerabilities. These issues are due to a failure in the application to properly sanitize user-supplied input before using it in SQL queries.
Successful exploitation could result in a compromise of the application, disclosure or modification of data, or may permit an attacker to exploit vulnerabilities in the underlying database implementation.
Exploit / POC
No exploit is required.
The following proofs of concept are available:
http://www.example.com/index.php?title=Special%3aSearch&search=(SQL_INJECTION
http://www.example.com/login.php?w=user&o=login&phpcoinsessid=SQL_INJECTION'
http://www.example.com/mod.php?mod=siteinfo&id=SQL_INJECTION'&phpcoinsessid=8d4706204348394afece6b64db3d9b95
http://www.example.com/mod.php?mod=pages&mode=list&dtopic_id=SQL_INJECTION'&phpcoinsessid=fa7905a749dbdc698838930de0f99f4b
http://www.example.com/mod.php?mod=pages&mode=list&dcat_id=SQL_INJECTION'&phpcoinsessid=fa7905a749dbdc698838930de0f99f4b
Solution / Fix
Solution:
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].
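With no vendor patch listed, one way to triage web-server access logs for requests that put non-conforming values in the parameters named in the proof-of-concept list is sketched here as an added example; it is not part of the original advisory or of phpCOIN. The parameter formats, the function names and the `SAMPLE_LOG` lines are assumptions made for the illustration, and the free-text `search` parameter cannot be covered by a format check of this kind.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumed formats (not taken from phpCOIN source): the id-style parameters
# are treated as decimal integers and phpcoinsessid as 32 hex characters,
# matching the shape of the session values shown in the URLs above.
ALLOWED = {
    "id": re.compile(r"[0-9]{1,10}"),
    "dtopic_id": re.compile(r"[0-9]{1,10}"),
    "dcat_id": re.compile(r"[0-9]{1,10}"),
    "phpcoinsessid": re.compile(r"[0-9a-f]{32}"),
}
SCRIPTS = {"login.php", "mod.php"}  # scripts named in the PoC list
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[0-9.]+"')

def offending_params(target):
    """Return the names of listed parameters whose value breaks its format."""
    parts = urlsplit(target)
    if parts.path.rsplit("/", 1)[-1] not in SCRIPTS:
        return []
    bad = []
    # parse_qsl percent-decodes, so %27 and a literal quote are treated alike
    for name, value in parse_qsl(parts.query):
        rule = ALLOWED.get(name)
        if rule is not None and not rule.fullmatch(value):
            bad.append(name)
    return bad

def scan(lines):
    """Yield (client, request target, offending parameters) per flagged line."""
    for line in lines:
        m = REQUEST.search(line)
        if m:
            bad = offending_params(m.group(1))
            if bad:
                yield line.split(" ", 1)[0], m.group(1), bad

# Constructed sample log lines (combined log format), not real traffic
SAMPLE_LOG = [
    '192.0.2.10 - - [28/Apr/2005:10:00:01 +0000] "GET /mod.php?mod=siteinfo&id=3&phpcoinsessid=0123456789abcdef0123456789abcdef HTTP/1.1" 200 5120',
    '192.0.2.44 - - [28/Apr/2005:10:00:07 +0000] "GET /mod.php?mod=pages&mode=list&dcat_id=2%27&phpcoinsessid=0123456789abcdef0123456789abcdef HTTP/1.1" 200 811',
    '192.0.2.44 - - [28/Apr/2005:10:00:09 +0000] "GET /login.php?w=user&o=login&phpcoinsessid=x\' HTTP/1.1" 200 640',
]

if __name__ == "__main__":
    for client, target, bad in scan(SAMPLE_LOG):
        print(client, bad, target)
```

The same allowlist can be enforced in front of the application (for example in a reverse proxy or WAF rule) to reject such requests instead of only reporting them.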
References
- phpCOIN Home Page (phpCOIN)
- Multiple Sql injections in phpCoin v1.2.2 and below (dcrab)
- phpnuke 7.6 Multiple vulnerabilities in Downloads Module cXIb8O3.13 (Maksymilian Arciemowicz)