SQL Injection and PHP Code Insertion in Pro Publish

Summary

Vulnerability
SQL Injection and PHP Code Insertion in Pro Publish
Discovered
2006.04.30
Last Update
2006.05.10 Exploitation code published
ID
EV0130
CVE
CVE-2006-2128 CVE-2006-2129
Risk Level
high
Type
Multiple Vulnerabilities
Status
Unpatched. No reply from developer(s)
Vendor
n/a
Vulnerable Software
Pro Publish (http://www.deltascripts.com/download/)
Version
2.0
PoC/Exploit
Available
Solution
Not available
Discovered by
Aliaksandr Hartsuyeu (eVuln.com)

Description

Multiple Vulnerabilities found in Pro Publish (http://www.deltascripts.com/download/) script.

1. SQL Injection.

Vulnerable scripts: admin/login.php cat.php search.php art.php

Parameters email(login.php), password(login.php), find_str(search.php), artid(art.php), catid(cat.php) are not properly sanitized before being used in SQL query. This can be used to bypass authentication or make any SQL query by injecting arbitrary SQL code.

2. PHP code insertion.

An intruder can get login and password of administration area using SQL Injection.

Administrator has an ability to edit some settings. Those values don't pass any sanitation before being saved in set_inc.php script. This can be used to make PHP code insertion.

System access is possible.

PoC/Exploit

1. SQL Injection Example.

URL: http://[host]/cat.php?catid=999 or 1/*

URL: http://[host]/index.php

Searchengine: %' or 1/*

2. PHP code insertion example.

URL: http://[host]/admin/setup.php

Webmaster email: "; [PHP_code] $aaa="

Solution.

Solution for "SQL Injection and PHP Code Insertion in Pro Publish" is not available. Check vendor's website for updates.