Unauthorized Data Modification in Advanced Poll
Summary
- Vulnerability: Unauthorized Data Modification in Advanced Poll
- Discovered: 2006.05.01
- Last Update: 2006.05.11 Exploitation code published
- ID: EV0131
- CVE: CVE-2006-2130 CVE-2006-2131
- Risk Level: medium
- Type: Multiple Vulnerabilities
- Status: Unpatched. No reply from developer(s)
- Vendor: n/a
- Vulnerable Software: Advanced Poll (http://proxy2.de/scripts.php)
- Version: 2.0.4
- PoC/Exploit: Available
- Solution: Not available
- Discovered by: Aliaksandr Hartsuyeu (eVuln.com) & Shyaam Sundhar (eVuln.com)
Description
Multiple vulnerabilities were found in the Advanced Poll (http://proxy2.de/scripts.php) script.
1. SQL Injection.
Vulnerable script: include/class_poll.php
The User-Agent value from the HTTP request header is not properly sanitized before being used in an SQL query. Because this header is entirely attacker-controlled, arbitrary SQL code can be injected into that query.
Condition: magic_quotes_gpc = off (with it on, PHP escapes the quote character and the injection fails).
2. Unauthorized Data Modification.
Vulnerable Script: include/class_poll.php
The script checks whether the HTTP_X_FORWARDED_FOR header is present and, if so, uses the IP address it contains instead of the real remote address to identify a unique voter.
Because this header is set by the client, an attacker can send as many vote requests as they want, each with a different IP address in HTTP_X_FORWARDED_FOR, and each one is counted as a separate voter.
PoC/Exploit
1. SQL Injection Example.
Add the following header to the HTTP request that submits an answer to a poll question:
User-Agent: '+[sql_expression]
2. Unauthorized Data Modification Example
Add the following header to the HTTP request that submits an answer to a poll question:
X-Forwarded-For: [any IP]
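As an added illustration, not the Advanced Poll code and not part of the original advisory, the following Python models both flaws against an in-memory SQLite table and shows the hardened form of each: a vote handler that trusts X-Forwarded-For from any client versus one that honours it only from a known proxy, and a string-built INSERT versus a parameterized one. The schema, table and column names, the `secrets` table, the addresses and the trusted-proxy set are all constructed for this example; the advisory's `'+[sql_expression]` form targets MySQL, so the injected User-Agent here uses SQLite's `||` concatenation instead.

```python
import sqlite3

# Constructed schema standing in for the poll's vote table; the "secrets"
# table only exists to show that injected SQL can read other data.
SCHEMA = """
CREATE TABLE votes (poll_id INTEGER, option INTEGER, ip TEXT, user_agent TEXT);
CREATE TABLE secrets (name TEXT);
INSERT INTO secrets VALUES ('admin-password-hash');
"""


def new_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def client_ip_vulnerable(headers, remote_addr):
    """The behaviour the advisory describes: if the client sends
    X-Forwarded-For, its value becomes the voter's identity."""
    return headers.get("X-Forwarded-For", remote_addr)


def client_ip_hardened(headers, remote_addr, trusted_proxies=frozenset()):
    """Honour X-Forwarded-For only when the TCP peer is a proxy we operate;
    otherwise the header is attacker-controlled and REMOTE_ADDR is used."""
    xff = headers.get("X-Forwarded-For")
    if remote_addr in trusted_proxies and xff:
        # The last entry is the address our own proxy appended.
        return xff.split(",")[-1].strip()
    return remote_addr


def already_voted(conn, poll_id, ip):
    row = conn.execute("SELECT 1 FROM votes WHERE poll_id=? AND ip=?",
                       (poll_id, ip)).fetchone()
    return row is not None


def insert_vote_vulnerable(conn, poll_id, option, ip, user_agent):
    # String-built query: the User-Agent value lands inside the quotes unescaped.
    sql = ("INSERT INTO votes (poll_id, option, ip, user_agent) "
           "VALUES (%d, %d, '%s', '%s')" % (poll_id, option, ip, user_agent))
    conn.execute(sql)


def insert_vote_hardened(conn, poll_id, option, ip, user_agent):
    # Bound parameters: the value is data and is never parsed as SQL.
    conn.execute("INSERT INTO votes (poll_id, option, ip, user_agent) "
                 "VALUES (?, ?, ?, ?)", (poll_id, option, ip, user_agent))


def cast_vote(conn, request, option, poll_id=1, hardened=False):
    """request = {'remote_addr': str, 'headers': dict}; returns True if counted."""
    ip_of = client_ip_hardened if hardened else client_ip_vulnerable
    insert = insert_vote_hardened if hardened else insert_vote_vulnerable
    ip = ip_of(request["headers"], request["remote_addr"])
    if already_voted(conn, poll_id, ip):
        return False
    insert(conn, poll_id, option, ip, request["headers"].get("User-Agent", ""))
    return True


def stored_user_agents(conn):
    return [r[0] for r in conn.execute("SELECT user_agent FROM votes")]


def ballot_stuffing(hardened):
    """Constructed scenario: one attacker host (10.0.0.5) votes three times,
    each time with a different spoofed X-Forwarded-For value."""
    conn = new_db()
    counted = 0
    for fake in ("1.2.3.4", "5.6.7.8", "9.10.11.12"):
        req = {"remote_addr": "10.0.0.5",
               "headers": {"X-Forwarded-For": fake, "User-Agent": "Mozilla/5.0"}}
        counted += cast_vote(conn, req, option=2, hardened=hardened)
    return counted


def injected_user_agent(hardened):
    """Constructed scenario: the User-Agent carries an SQL expression
    (SQLite || concatenation in place of the advisory's MySQL '+ form)."""
    conn = new_db()
    ua = "'||(SELECT name FROM secrets)||'"
    req = {"remote_addr": "10.0.0.5", "headers": {"User-Agent": ua}}
    cast_vote(conn, req, option=1, hardened=hardened)
    return stored_user_agents(conn)[0]


if __name__ == "__main__":
    print("vulnerable votes counted:", ballot_stuffing(False))
    print("hardened votes counted:", ballot_stuffing(True))
    print("vulnerable stored UA:", injected_user_agent(False))
    print("hardened stored UA:", injected_user_agent(True))
```

In the vulnerable path the three spoofed headers produce three distinct "voters" from one host, and the injected User-Agent is evaluated by the database so the stored value is the contents of the `secrets` table; in the hardened path the same host is counted once and the payload is stored as the literal string it is. The trusted-proxy check is the general fix for any X-Forwarded-For based identity, not just this poll: the header is only meaningful for the hop that a proxy you control appended.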
Solution.
A solution for "Unauthorized Data Modification in Advanced Poll" is not available. Check the vendor's website for updates.