by r0t, der4444, cembo, VietMafia

Wednesday, December 14, 2005

ezDatabase vuln.

Vuln. discovered by: r0t
Date: 14 Dec. 2005
Vendor: http://www.ezdatabase.org/
Affected version: 2.1.2 and prior

Product Description:

A web based program for creating online databases, written in PHP and MySQL. An Admin CP allows you to create databases, fields, categories, users, user groups and customize your databases using powerful templates + settings. Visitors can access your databases via the Visitor File. Export a database, create search forms, view database statistics, approve visitor uploads, implement user registration, use language files, and add built-in extras to your databases such as comments, ratings, and automatic file download logging. 30 day money back guarantee.

Vuln. Description:

1. Input passed to the "p" parameter isn't properly verified before it is used to include files. Because the value is placed into a file path, "../" sequences can be used to include arbitrary files from the local filesystem (local file inclusion).

2. Input passed to the "db_id" parameter isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

3. Input passed to the "cat_id" parameter isn't properly sanitised before being used. Supplying an unexpected (non-numeric) value makes the script fail with a PHP/MySQL error message that discloses the full installation path (path disclosure).


examples:

Local file inclusion.

/index.php?p=../Local file

SQL injection.

/index.php?p=getcat&db_id=[SQL]

Path disclosure

/index.php?p=getcat&db_id=1&cat_id=[any unsanitised character]



Solution:
Edit the source code to ensure that input is properly sanitised: resolve "p" against a fixed list of allowed page names instead of building a file path from it, cast "db_id" and "cat_id" to integers (or bind them as typed parameters) before they reach a query, and turn off display_errors in production so that failed queries are logged rather than echoed with the script's absolute path.
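The following is an added example, written for this page and not taken from ezDatabase's source, which is not shown here. It reconstructs the three patterns the advisory describes in a hypothetical index.php dispatcher and then shows the hardened form of the same dispatcher. The parameter names p, db_id and cat_id come from the advisory; the pages/ directory, the table and column names, and the mysqli connection are assumptions.

```php
<?php
// Added example (not ezDatabase's code). Reconstruction of the reported
// bug classes in a hypothetical dispatcher, followed by a hardened version.
// Assumed: a "pages/" directory of page scripts, tables "databases" and
// "categories", and an open mysqli connection $db.

// --- Vulnerable pattern (reconstruction only, do NOT deploy) ---
function dispatch_vulnerable(array $get, mysqli $db): void
{
    // 1. Local file inclusion: "p" reaches include() unchecked, so
    //    p=../../../../etc/passwd walks out of pages/.
    include 'pages/' . $get['p'];

    // 2. SQL injection: db_id is concatenated straight into the query,
    //    so db_id=1 OR 1=1 (or a UNION SELECT) changes the query's meaning.
    $db->query("SELECT * FROM databases WHERE db_id = " . $get['db_id']);

    // 3. Path disclosure: a non-numeric cat_id breaks the SQL; with
    //    display_errors on, the resulting warning prints the absolute
    //    path of this script to the visitor.
    $db->query("SELECT * FROM categories WHERE cat_id = " . $get['cat_id']);
}

// --- Hardened version of the same dispatcher ---
function dispatch_hardened(array $get, mysqli $db): ?array
{
    // 3. Never echo errors to the client; log them server-side instead.
    ini_set('display_errors', '0');
    ini_set('log_errors', '1');

    // 1. Allowlist: map the page name to a fixed file, never build the
    //    path from the parameter. Anything not in the map is a 404.
    $pages = [
        'getcat' => 'pages/getcat.php',   // assumed page name
        'search' => 'pages/search.php',   // assumed page name
    ];
    $p = $get['p'] ?? '';
    if (!isset($pages[$p])) {
        http_response_code(404);
        return null;
    }
    include $pages[$p];

    // 2. Validate the ids as integers before they go anywhere near SQL.
    //    FILTER_VALIDATE_INT returns false for "1 OR 1=1", "abc" or null.
    $db_id  = filter_var($get['db_id']  ?? null, FILTER_VALIDATE_INT);
    $cat_id = filter_var($get['cat_id'] ?? null, FILTER_VALIDATE_INT);
    if ($db_id === false || $cat_id === false) {
        http_response_code(400);
        return null;
    }

    // Bind the values as typed parameters so the query structure is fixed
    // before any user data is attached to it.
    $stmt = $db->prepare(
        'SELECT cat_id, name FROM categories WHERE db_id = ? AND cat_id = ?'
    );
    $stmt->bind_param('ii', $db_id, $cat_id);
    if (!$stmt->execute()) {
        error_log('category lookup failed: ' . $stmt->error); // logged, not shown
        http_response_code(500);
        return null;
    }
    $row = $stmt->get_result()->fetch_assoc();
    return $row ?: null;
}

// Usage (assumed connection details):
// $db = new mysqli('localhost', 'user', 'pass', 'ezdb');
// $row = dispatch_hardened($_GET, $db);
```

The allowlist is the important part for the "p" bug: stripping "../" from the value is not enough, because encoded variants and, on old PHP, a trailing null byte can still reach the include; a lookup table has no path to traverse. For the integer parameters, the validation step and the bound parameter are redundant by design: the cast rejects garbage early (closing the path-disclosure case without relying on error display settings), and binding guarantees that whatever passes cannot alter the query.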

9 Comments:

Anonymous Anonymous told...

what do you mean "[CODE]" in directory traversal for the cat_id problem? You use ".." or just any invalid value?

7:35 PM

 
Anonymous Anonymous told...

Examples are not provided. That way script kiddies cannot use these vulns.
I'm sure if you're not a kiddy you can figure it out :)

8:11 PM

 
Anonymous Anonymous told...

I'm not a kiddy but I can't buy this software just to figure it out. r0t used a ".." in his include example so why not here? He is giving conflicting information.

8:17 PM

 
Blogger r0t told...

No, the information isn't in conflict; use an unsanitised character and you will get the full installation path.
Only XSS vulns are mostly provided with some primitive example, but it will not work to attack or to get some sensitive information, only just an alert message.

9:18 PM

 
Anonymous Anonymous told...

ok r0t thanks... call it "path disclosure" when you cause the program to break and tell you its path.

say "directory traversal" when you use ".." to get files outside the web root

10:49 AM

 
Anonymous r0t told...

You are right, my definition wasn't correct.

5:31 PM

 
Anonymous Anonymous told...

We all love you r0t, its okay if we have some small communication problems.

5:44 PM

 
Anonymous Anonymous told...

yes r0t, don't worry about the comments, they are here to help you and the rest of us too. terminology is a big problem in vuln research.

7:03 PM

 
Blogger r0t told...

thanks guys for understanding and support:)

8:56 PM

 

Copyright (c) 2006 Pridels Sec Crew