From: Andreas K. <an...@ka...> - 2003-09-26 20:31:19
Detected by Christian:

The vulnerable file is uupd.inc.php, which carries out the following query:

    $user_result = db_query("select * from user where ID='$user_ID'") or db_die();

pay.php uses the following output to create the edit form:

    <input type=hidden name=user_ID value=\"$user_row[0]\">

Simply changing the value in the HTML file allows you to update whatever user profile you desire to change, including the account's password, by creating a request with a changed user_id. Thus it's possible to edit every user profile and log in as the new user. All recent versions are affected.

This information is right. A fixed uupd.inc.php is available under http://sourceforge.net/tracker/index.php?func=detail&aid=813260&group_id=39285&atid=424796 and in CVS. Before the line with '$user_result ...', an include("./lib.inc.php"); is added.

--
Have a lot of fun and success with phPay,
Andreas Kansok

JavaScript: http://www.amazon.de/exec/obidos/ASIN/3827319730/kansokde-21
Shop system NEW! Version 1.3: http://demo.shopwiesel.de/admin/
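
The flaw reported above is a missing server-side ownership check on a client-supplied ID. The following PHP is an added example, not phPay code and not a description of what the fixed uupd.inc.php or lib.inc.php do; it contrasts an update keyed on the hidden form field with one keyed on the authenticated session. The table layout, function names, the session key 'user_ID' and the in-memory SQLite database are assumptions, and the sample rows are constructed.

```php
<?php
// Added illustration, not phPay code. Table layout, function names and the
// session key 'user_ID' are assumptions; sample rows are constructed.

function make_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE user (ID INTEGER PRIMARY KEY, email TEXT, pass TEXT)');
    $db->exec("INSERT INTO user VALUES (1, 'alice@example.test', 'hash-a'), (2, 'bob@example.test', 'hash-b')");
    return $db;
}

// Pattern from the report: the row to update is chosen by the hidden form field.
function update_profile_trusting_form(PDO $db, array $post): int {
    $st = $db->prepare('UPDATE user SET email = ? WHERE ID = ?');
    $st->execute([$post['email'], $post['user_ID']]);
    return $st->rowCount();
}

// Hardened: the row is chosen by the authenticated session; a form value
// that disagrees with the session is rejected and logged.
function update_profile_session_bound(PDO $db, array $session, array $post): int {
    if (!isset($session['user_ID'])) {
        throw new RuntimeException('not logged in');
    }
    $own = (int)$session['user_ID'];
    if (isset($post['user_ID']) && (int)$post['user_ID'] !== $own) {
        error_log("profile update: session user $own submitted user_ID=" . (int)$post['user_ID']);
        throw new RuntimeException('user_ID does not match session');
    }
    $st = $db->prepare('UPDATE user SET email = ? WHERE ID = ?');
    $st->execute([$post['email'], $own]);
    return $st->rowCount();
}

$db = make_db();
$session  = ['user_ID' => 1];                                  // logged in as user 1
$tampered = ['user_ID' => '2', 'email' => 'x@example.test'];   // hidden field changed to 2

echo update_profile_trusting_form($db, $tampered), " row changed for user 2\n";
try {
    update_profile_session_bound($db, $session, $tampered);
} catch (RuntimeException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
echo update_profile_session_bound($db, $session, ['user_ID' => '1', 'email' => 'new@example.test']), " row changed for own account\n";
```

The logged mismatch between session ID and submitted ID is also a useful detection signal for tampering attempts against profile-edit forms.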