From: Andreas K. <an...@ka...> - 2003-09-26 20:31:19
Detected by Christian:
The vulnerable file is uupd.inc.php, which
carries out the following query:
$user_result = db_query("select * from user where ID='$user_ID'") or db_die();
pay.php uses the following output to create the edit form:
<input type=hidden name=user_ID value=\"$user_row[0]\">.
Simply changing the value in the HTML file allows you to update whatever user
profile you desire to change, including the account's password, by creating a
request with a changed user_id.
Thus it's possible to edit every user profile and log in as the new user.
All recent versions are affected.
This information is correct. A fixed uupd.inc.php is available at
http://sourceforge.net/tracker/index.php?func=detail&aid=813260&group_id=39285&atid=424796
and in CVS.
Before the line with '$user_result ...', an include("./lib.inc.php"); is added.
--
Have a lot of fun and success with phPay,
Andreas Kansok
JavaScript: http://www.amazon.de/exec/obidos/ASIN/3827319730/kansokde-21
Shop system NEW! Version 1.3: http://demo.shopwiesel.de/admin/
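
The report above comes down to an update script trusting a hidden form field to say whose profile is being edited. The following is an added example, not part of the original message and not phPay code: it takes the target ID from server-side session state and refuses a mismatching user_ID field. The table layout, the email column, the session key 'user_ID' and both function names are assumptions made for this sketch.

```php
<?php
// Added example, not phPay code. Table layout, column names and the
// session key 'user_ID' are assumptions made for this illustration.
declare(strict_types=1);

function resolve_profile_id(array $session, array $post): int
{
    // The identity comes from server-side session state only.
    if (!isset($session['user_ID'])) {
        throw new RuntimeException('not logged in');
    }
    $sessionId = (int) $session['user_ID'];
    // A hidden form field is client-controlled input: accept it only
    // when it matches the authenticated user, otherwise refuse.
    if (isset($post['user_ID']) && (string) $post['user_ID'] !== (string) $sessionId) {
        throw new RuntimeException('user_ID does not match session');
    }
    return $sessionId;
}

function update_profile(PDO $db, array $session, array $post): void
{
    $id = resolve_profile_id($session, $post);
    // Bound parameters keep the values out of the SQL text.
    $stmt = $db->prepare('UPDATE user SET email = :email WHERE ID = :id');
    $stmt->execute([':email' => (string) ($post['email'] ?? ''), ':id' => $id]);
}

// Constructed sample data: two accounts in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user (ID INTEGER PRIMARY KEY, email TEXT)');
$db->exec("INSERT INTO user VALUES (1, 'alice@example.test'), (2, 'bob@example.test')");

$session = ['user_ID' => 2];   // user 2 is logged in

update_profile($db, $session, ['user_ID' => '2', 'email' => 'bob.new@example.test']);

try {
    // Same session, but the hidden field names another account.
    update_profile($db, $session, ['user_ID' => '1', 'email' => 'x@example.test']);
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}

foreach ($db->query('SELECT ID, email FROM user ORDER BY ID') as $row) {
    echo $row['ID'], ' ', $row['email'], PHP_EOL;
}
```

It needs the pdo_sqlite extension; after the run only the row for ID 2 has changed.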