[VIM] PwsPHP ugly mess
Steven M. Christey
coley at mitre.org
Tue Feb 28 20:48:41 EST 2006
I'm drained by the whole experience, so I'll let CVE's internal
analysis fields speak for themselves.
Summary: multiple PwsPHP issues seem to have been disclosed and munged
together under one roof. This appears to stem from multiple
grep-and-gripe reports by papipsycho, but this cannot be proven due to
non-public raw source information in the associated BID, which seems
to combine 2 separate issues, although one of them doesn't seem to
have an obvious attack vector based on casual source inspection.
Hooray for the provenance problem!
Why oh why did I dare to ask myself the wrong question at the wrong
P.S. On the post-proactive vendor front, looks like the vendor is
asking for security auditors for PwsPHP :
SQL injection vulnerability in index.php in PwsPHP 1.2.3 allows remote
attackers to execute arbitrary SQL commands via the id parameter,
possibly in message.php in the espace_membre module. NOTE: the
provenance of this information is unknown; the details are obtained
solely from third party information.
ACCURACY: the exploit tab in BID:16567 includes the demonstration URL
"index.php?mod=espace_membre&ac=message&id=999999[SQL]". Source code
inspection shows that index.php uses the "mod" and "ac" parameters to
construct an include statement for modules/espace_membre/message.php.
The use of an 'id' parameter could not be found using casual
ACCURACY: the fully functioning exploit code that is linked in
BID:16567 is for profil.php/aff_news_form, which appears to be a
SQL injection vulnerability in profil.php in PwsPHP 1.2.3, and
possibly earlier versions, allows remote attackers to execute
arbitrary SQL commands via the aff_news_form parameter, a different
vulnerability than CVE-2005-1509.
ACCURACY: the exploit tab in BID:16567 includes an example URL that
seems to involve espace_membre, but that may be for a different issue.
The actual functioning program included in BID:16567 is for this
ACCURACY: A source code review of profil.php in 1.2.3 shows the use of
aff_news_form in an input form, but the input has a maximum length
specifier, possibly indicating attempts at client-side restrictions.
On resubmission to the same profil.php, $aff_news_form is directly
inserted into an SQL query, as called by the reqmysql function, which
primarily calls mysql_query().
Reference: BUGTRAQ:20060225 PwsPHP Injection SQL on Index.php
Reference: BUGTRAQ:20060226 Re: PwsPHP Injection SQL on Index.php
SQL injection vulnerability in the sondages module in index.php in
PwsPHP 1.2.3 allows remote attackers to execute arbitrary SQL commands
via the id parameter to index.php.
ACKNOWLEDGEMENT: The PwsPHP forum with the fix is in another language,
but source inspection of the suggested patch shows that
modules/sondages/index.php was fixed on Feb 27 (2 days after
disclosure) and cleanses the id parameter using intval().
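For readers who want the pattern in front of them: the following is an added PHP example, not code from PwsPHP or from the BID, that reproduces the two shapes described above (a request parameter interpolated straight into a query string, as with $aff_news_form in profil.php, and an integer id cleansed with intval() as in the sondages fix). Table and column names, the function names, and the constructed payloads are assumptions for illustration only.

```php
<?php
// Added example (hypothetical; not PwsPHP code). Table/column names are invented.

// Vulnerable shape: a string parameter is interpolated directly into SQL.
// This is the pattern described for $aff_news_form in profil.php; a maxlength
// on the HTML input is no defence because the attacker resubmits the form.
function build_profile_query_vulnerable(string $aff_news_form): string {
    return "UPDATE members SET aff_news_form = '$aff_news_form' WHERE id = 1";
}

// Vulnerable shape for an integer parameter, as in the sondages module.
function build_poll_query_vulnerable(string $id): string {
    return "SELECT * FROM sondages WHERE id = $id";
}

// The fix the PwsPHP patch is described as applying: intval() coerces the
// input to an integer, so anything after the leading digits is discarded.
function build_poll_query_fixed(string $id): string {
    $id = intval($id);
    return "SELECT * FROM sondages WHERE id = $id";
}

// intval() is only right for integer fields. For free-form string input such
// as aff_news_form, bind the value instead of building the query string.
// Assumes a live mysqli connection; not executed in the stand-alone demo below.
function update_profile_prepared(mysqli $db, int $member_id, string $aff_news_form): bool {
    $stmt = $db->prepare("UPDATE members SET aff_news_form = ? WHERE id = ?");
    $stmt->bind_param('si', $aff_news_form, $member_id);
    return $stmt->execute();
}

// Stand-alone demo with constructed payloads (no database required).
$int_payload    = "999999 UNION SELECT 1,2,3";   // constructed, mirrors "999999[SQL]"
$string_payload = "x' OR '1'='1";                 // constructed

echo "vulnerable (int): ",    build_poll_query_vulnerable($int_payload), "\n";
echo "intval() fix:     ",    build_poll_query_fixed($int_payload), "\n";
echo "vulnerable (str): ",    build_profile_query_vulnerable($string_payload), "\n";
```

Running this prints the injected SELECT for the unfixed integer case, the same query reduced to "WHERE id = 999999" after intval(), and the broken-out quote in the string case; the last of these is the one intval() cannot help with, which is why the profil.php issue needs binding rather than an integer cast.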