ezDatabase vuln.
Vuln. discovered by: r0t
Date: 14 dec. 2005
Vendor: http://www.ezdatabase.org/
Affected version: 2.1.2 and prior
Product Description:
A web based program for creating online databases, written in PHP and MySQL. An Admin CP allows you to create databases, fields, categories, users, user groups and customize your databases using powerful templates + settings. Visitors can access your databases via the Visitor File. Export a database, create search forms, view database statistics, approve visitor uploads, implement user registration, use language files, and add built-in extras to your databases such as comments, ratings, and automatic file download logging. 30 day money back guarantee.
Vuln. Description:
1. Input passed to the "p" parameter isn't properly verified before it is used to include files. This can be exploited to include arbitrary files from local resources.
2. Input passed to the "db_id" parameter isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
3. Input passed to the "cat_id" parameter isn't properly sanitised before being returned to the user. This can be exploited to get the full installation path.
examples:
Local file include.
/index.php?p=../Local file
SQL injection.
/index.php?p=getcat&db_id=[SQL]
Directory Traversal
/index.php?p=getcat&db_id=1&cat_id=[CODE]
Solution:
Edit the source code to ensure that input is properly sanitised.
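One way to apply that fix for all three issues, as an added illustration that is not ezDatabase's own code: the "p" parameter is mapped through a fixed allowlist instead of being turned into an include path, the "db_id" and "cat_id" values are validated as integers and bound into a prepared statement, and PHP errors are logged rather than echoed so a bad value no longer reveals the installation path. The table and column names, page file names and DSN are assumptions.

```php
<?php
// Added example, not ezDatabase source: a hardened index.php dispatcher.
// Table/column names (ez_categories, db_id, cat_id, cat_name), page file
// names and the DSN below are assumed for illustration.

// Issue 3 (path disclosure): a PHP warning includes the absolute script
// path, so errors go to the log, never to the visitor.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// Issue 1 (file inclusion): "p" selects from a server-side allowlist;
// the user-supplied string is never used to build a file path.
$pages = [
    'home'   => __DIR__ . '/pages/home.php',
    'getcat' => __DIR__ . '/pages/getcat.php',
    'search' => __DIR__ . '/pages/search.php',
];
$p = isset($_GET['p']) ? (string) $_GET['p'] : 'home';
if (!array_key_exists($p, $pages)) {
    http_response_code(404);
    exit('Unknown page.');           // generic message, no path leaked
}

// Issue 2 (SQL injection): ids are typed as int and bound as parameters,
// so the query text never contains user input.
function loadCategory(PDO $pdo, int $dbId, int $catId): ?array
{
    $stmt = $pdo->prepare(
        'SELECT cat_id, cat_name FROM ez_categories WHERE db_id = ? AND cat_id = ?'
    );
    $stmt->execute([$dbId, $catId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

if ($p === 'getcat') {
    // FILTER_VALIDATE_INT yields false for anything that is not a plain
    // integer, so a value like "1 OR 1=1" is rejected before any query runs.
    $dbId  = filter_input(INPUT_GET, 'db_id',  FILTER_VALIDATE_INT);
    $catId = filter_input(INPUT_GET, 'cat_id', FILTER_VALIDATE_INT);
    if (!is_int($dbId) || !is_int($catId)) {
        http_response_code(400);
        exit('Invalid id.');         // generic message, no path or SQL leaked
    }
    $pdo = new PDO('mysql:host=localhost;dbname=ezdb', 'ezuser', 'secret',
                   [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    $category = loadCategory($pdo, $dbId, $catId);   // null if not found
}

require $pages[$p];   // only an allowlisted, server-chosen path is included
```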

9 Comments:
what do you mean "[CODE]" in directory traversal for the cat_id problem? You use ".." or just any invalid value?
7:35 PM
Examples are not provided.. That way script kiddies cannot use these vulns.
I'm sure if you're not a kiddy you can figure it out :)
8:11 PM
I'm not a kiddy but I can't buy this software just to figure it out. r0t used a ".." in his include example so why not here? He is giving conflicting information.
8:17 PM
No, information isn't in conflict, use an unsanitized character and you will get full installation path.
Only XSS vulns are mostly provided with some primitive example, but it will not work to attack or to get some sensitive information, only just an alert message.
9:18 PM
ok r0t thanks... call it "path disclosure" when you cause the program to break and tell you its path.
say "directory traversal" when you use ".." to get files outside the web root
10:49 AM
You are right, my definition wasn't correct.
5:31 PM
We all love you r0t, it's okay if we have some small communication problems.
5:44 PM
yes r0t, don't worry about the comments, they are here to help you and the rest of us too. terminology is a big problem in vuln research.
7:03 PM
Thanks guys for understanding and support :)
8:56 PM