Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

EV0058.txt

Related Vulnerabilities: CVE-2006-0602   CVE-2006-0603   CVE-2006-0604  
Publish Date: 13 Feb 2006
Author: Aliaksandr Hartsuyeu, evuln.com
Source 
                							

                New eVuln Advisory:
phphg Guestbook Multiple Vulnerabilities
http://evuln.com/vulns/58/summary.html

--------------------Summary----------------
eVuln ID: EV0058
CVE: CVE-2006-0602 CVE-2006-0603 CVE-2006-0604
Vendor: Hinton Design
Vendor's Web Site: http://www.hintondesign.org
Software: phphg Guestbook
Sowtware's Web Site: http://www.hintondesign.org/downloads/view_cat.php?cat_id=45
Versions: 1.2
Critical Level: Moderate
Type: Multiple Vulnerabilities
Class: Remote
Status: Unpatched. No reply from developer(s)
Exploit: Available
Solution: Not Available
Discovered by: Aliaksandr Hartsuyeu (eVuln.com)

-----------------Description---------------
1. Authentication Bypass
Vulnerable script: check.php

There are two ways to bypass authentication:

a) SQL Injection
Variable $HTTP_POST_VARS[username] isn't properly sanitized before being used in a SQL query. This can be used to make any SQL query by injecting arbitrary SQL code.
Condition: magic_quotes_gpc - off

b) Cookie based authentication
check.php script dont make password comparisson when identifying user by cookies


2. Multiple Cross-Site Scripting
Vulnerable script: signed.php
Variables $HTTP_POST_VARS[location] $HTTP_POST_VARS[website] $HTTP_POST_VARS[message] are not properly sanitized. This can be used to post arbitrary html or script code.


3. SQL Injections in administrator control panel
Vulnerable scripts:
admin/edit_smilie.php
admin/add_theme.php
admin/ban_ip.php
admin/add_lang
admin/edit_filter

Variable $HTTP_GET_VARS[id] variable isn't properly sanitized. This can be used to make any SQL query by injecting arbitrary SQL code.
Condition: magic_quotes_gpc - off

--------------Exploit----------------------
Available at: http://evuln.com/vulns/58/exploit.html

1. Authentication Bypass

a) SQL Injection
url: http://host/hg/admin.php
Username: ' or 1/*
Password: any

b) Cookie based authentication
Cookie: loged=yes
Cookie: username=admin
Cookie: user_level=1


2. Cross-Site Scripting Example.
Url: http://host/hg/sign.php
Location: <XSS>
Website: javascript:alert(123)
Message: <XSS>


3. SQL Injection Example:
http://host/hg/admin/edit_smilie.php? id=333'% 20union%20select% 201,2,3,4/*


--------------Solution---------------------
No Patch available.

--------------Credit-----------------------
Discovered by: Aliaksandr Hartsuyeu (eVuln.com)
<p>

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started