SQL Injection and PHP Code Insertion in Pro Publish
Summary
- Vulnerability: SQL Injection and PHP Code Insertion in Pro Publish
- Discovered: 2006.04.30
- Last Update: 2006.05.10 Exploitation code published
- ID: EV0130
- CVE: CVE-2006-2128, CVE-2006-2129
- Risk Level: high
- Type: Multiple Vulnerabilities
- Status: Unpatched. No reply from developer(s)
- Vendor: n/a
- Vulnerable Software: Pro Publish (http://www.deltascripts.com/download/)
- Version: 2.0
- PoC/Exploit: Available
- Solution: Not available
- Discovered by: Aliaksandr Hartsuyeu (eVuln.com)
Description
Multiple vulnerabilities were found in the Pro Publish (http://www.deltascripts.com/download/) script.
1. SQL Injection.
Vulnerable scripts: admin/login.php, cat.php, search.php, art.php
The parameters email (login.php), password (login.php), find_str (search.php), artid (art.php) and catid (cat.php) are not properly sanitized before being used in SQL queries. This can be used to bypass authentication or to run any SQL query by injecting arbitrary SQL code.
2. PHP code insertion.
An intruder can obtain the login and password for the administration area using SQL injection.
The administrator is able to edit some settings. Those values are not sanitized in any way before being saved in the set_inc.php script. This can be used to insert PHP code.
System access is possible.
PoC/Exploit
1. SQL Injection Example.
URL: http://[host]/cat.php?catid=999 or 1/*
URL: http://[host]/index.php
Searchengine: %' or 1/*
2. PHP code insertion example.
URL: http://[host]/admin/setup.php
Webmaster email: "; [PHP_code] $aaa="
Solution.
A solution for "SQL Injection and PHP Code Insertion in Pro Publish" is not available. Check the vendor's website for updates.
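
The settings-file issue from item 2 of the description can be closed in the code that writes the file. The PHP below is an added example, not Pro Publish source or a vendor fix: it contrasts a writer that pastes the value between double quotes with one that serializes values through var_export(), and checks both outputs with PHP's tokenizer. The setting name webmaster_email, the file layout and the "echo 1;" stand-in for [PHP_code] are assumptions.

```php
<?php
// Added example: not Pro Publish source. The setting name, file layout and
// the "echo 1;" stand-in for [PHP_code] are assumptions for illustration.

// Unsafe pattern described in the advisory: the submitted value is pasted
// between double quotes in a generated PHP file, so a '"' ends the string.
function render_setting_unsafe(string $name, string $value): string
{
    return "<?php\n\$$name = \"$value\";\n";
}

// Hardened form: the file only returns data. var_export() emits quoted
// literals with quotes and backslashes escaped, so input stays in the string.
function render_settings_safe(array $settings): string
{
    foreach ($settings as $key => $value) {
        if (!is_string($key) || !is_string($value)) {
            throw new InvalidArgumentException('settings must be string => string');
        }
    }
    return "<?php\nreturn " . var_export($settings, true) . ";\n";
}

// Count statement terminators the PHP tokenizer sees outside string
// literals; more than one means the value escaped into code.
function count_statements(string $php): int
{
    $count = 0;
    foreach (token_get_all($php) as $token) {
        if ($token === ';') {
            $count++;
        }
    }
    return $count;
}

// Constructed input in the shape of the advisory's "Webmaster email" PoC.
$input = '"; echo 1; $aaa="';
$unsafe = render_setting_unsafe('webmaster_email', $input);
$safe   = render_settings_safe(['webmaster_email' => $input]);
printf("unsafe writer: %d statement(s)\n", count_statements($unsafe));
printf("safe writer:   %d statement(s)\n", count_statements($safe));

// Round trip: the generated file loads as data and returns the exact input.
$path = tempnam(sys_get_temp_dir(), 'set_inc');
file_put_contents($path, $safe, LOCK_EX);
$loaded = include $path;
unlink($path);
var_dump($loaded['webmaster_email'] === $input);
```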