Recent Unauthorized Data Modification vulnerabilities
Here is a short summary of recent Unauthorized Data Modification vulnerabilities discovered by the eVuln team. The full list with details is available on the eVuln Security Advisories page.
Unauthorized Data Modification in Advanced Poll.
Description.
Vulnerable script: include/class_poll.php
The User-Agent value from the HTTP request header is not properly sanitized before being used in an SQL query. This allows arbitrary SQL code to be injected into the query.
Condition: magic_quotes_gpc = off
Vulnerable Script: include/class_poll.php
The script checks whether HTTP_X_FORWARDED_FOR is set and, if it is, uses the IP address from that header to identify a unique voter. Because the header is supplied by the client, the address can be spoofed, for example through illegitimate proxies.
An attacker can send as many requests as desired, each with a different fake IP in HTTP_X_FORWARDED_FOR.
Exploit.
The following must be added to the HTTP request headers when answering a question:
User-Agent: '+[sql_expression]
The following must be added to the HTTP request headers when answering a question:
X-Forwarded-For: [any IP]
Solution
Solution is not available.
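One way to address both issues described above in PHP, shown as an added example that is not Advanced Poll's code and not an eVuln fix. The poll_log table, the function names and the trusted-proxy address are assumptions made for illustration.

```php
<?php
// Added illustration; schema and function names are hypothetical, not Advanced Poll's.

const TRUSTED_PROXIES = ['192.0.2.10']; // constructed: your own reverse proxy, if any

// Identify the voter by the TCP peer address. X-Forwarded-For is honoured only
// when the peer itself is a proxy we operate, and only if it holds a valid IP.
function voter_ip(array $server): string
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (in_array($peer, TRUSTED_PROXIES, true) && isset($server['HTTP_X_FORWARDED_FOR'])) {
        // Use the right-most entry: the one appended by our own proxy.
        $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
        $last = end($hops);
        if (filter_var($last, FILTER_VALIDATE_IP) !== false) {
            return $last;
        }
    }
    return $peer;
}

// Store the vote with bound parameters so header text is never parsed as SQL.
function record_vote(PDO $db, int $pollId, int $optionId, array $server): bool
{
    $ip = voter_ip($server);
    $seen = $db->prepare('SELECT COUNT(*) FROM poll_log WHERE poll_id = ? AND ip = ?');
    $seen->execute([$pollId, $ip]);
    if ((int) $seen->fetchColumn() > 0) {
        return false; // this address has already voted in this poll
    }
    $ua = substr((string) ($server['HTTP_USER_AGENT'] ?? ''), 0, 255);
    $ins = $db->prepare('INSERT INTO poll_log (poll_id, option_id, ip, agent) VALUES (?, ?, ?, ?)');
    return $ins->execute([$pollId, $optionId, $ip, $ua]);
}

// Constructed demo on an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE poll_log (poll_id INT, option_id INT, ip TEXT, agent TEXT)');

// Two requests from the same untrusted peer with different X-Forwarded-For values.
$req = ['REMOTE_ADDR' => '198.51.100.7', 'HTTP_USER_AGENT' => "'+(SELECT 1)+'",
        'HTTP_X_FORWARDED_FOR' => '203.0.113.1'];
var_dump(record_vote($db, 1, 2, $req));
$req['HTTP_X_FORWARDED_FOR'] = '203.0.113.2';
var_dump(record_vote($db, 1, 2, $req));
```

The bound parameters make the fix independent of the magic_quotes_gpc setting named in the condition above.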
Unauthorized Data Modification in Magic Downloads.
Description.
Unauthorized Data Modification
Vulnerable script: settings.php
The variables $action, $passwd, $admin_password, $new_passwd and $confirm_passwd are not initialized, so their values can be replaced by user-defined data. This can be used to make unauthorized modifications in config.php.
Condition: register_globals = ON
Exploit.
Unauthorized Data Modification Example
http://host/path/settings.php?action=change&passwd=1&admin_password=1&new_passwd=new&confirm_passwd=new
Solution
Solution is not available.

