Bugtraq mailing list archives
NPDS <= 5.10 - Multiple SQL injections
From: aeroxteam_PLEASEDONTSPAMUS () gmail com
Date: 4 May 2007 21:01:26 -0000
[|Description:|] Security holes were found in NPDS 5.10. N°1: Sql Injection in cookies (File Mainfile.php lines 655 to 691). No check is carried out on nicknames or Id which can allow an attacker to modify a SQL request so as to obtain data. N°2: SQL Injection due to a bad use of "X_FORWARDED_FOR" (file Mainfile.php lines 88 to 110). NPDS uses the HTTP header "X_FORWARDED_FOR" which normally contains the IP adress of a person using a non anonymous proxy. This Ip address is used in a SQL resquest without appropriate filtering, and an attacker can define "X_FORWARDED_FOR" insering malicious SQL code. [|Exploit:|] http://www.aeroxteam.fr/exploit-NPDS-5.10.txt [|Solution:|] N°1: File mainfile.php, add after line 665: $cookie[0] = inval($cookie[0); $cookie[1] = addslashes($cookie[1]); $cookie[2] = addslashes($cookie[2]); N°2: Replace fonction "getip" (mainfile.php) by: function getip() { return $_SERVER['REMOTE_ADDR']; } [|Credits:|] Gu1ll4um3r0m41n (aeroxteam --[at]-- gmail --[dot]-- com) for AeroX (AeroXteam.fr) [|Gr33tz:|] Gr33tz: Darkfig, Spamm, Math², Barma, NeoMorphS, Snake91, Kad, Nitr0, BlastKiller, Alkino And everybody from #aerox () irc epiknet org
Current thread:
- NPDS <= 5.10 - Multiple SQL injections aeroxteam_PLEASEDONTSPAMUS (May 04)
- <Possible follow-ups>
- Re: NPDS <= 5.10 - Multiple SQL injections aeroxteam_PLEASEDONTSPAMUS (May 05)