
PHP Planner 0.4 SQL Injection

Posted on 20 July 2016

PHP Planner SQL Injection Vulnerability, Discovered by N_A, N_A[at]tutanota.com
=================================================================================

Description
===========

This is a basic PHP Calendar with lots of features and possibilities. Uses MySQL as backend and is fitted with an account based system.

https://sourceforge.net/projects/phpplanner

Vulnerability
=============

An SQL Injection vulnerability is present within the register.php file of the package which results in arbitrary command execution.

register.php, snippet of vulnerable code:
=========================================

if (isset($_POST['Submit'], $_POST['email'], $_POST['username'], $_POST['password'], $_POST['password2'], $_POST['name']) && IsEmailValid($_POST['email']))
{
      $SQL = mysql_query("SELECT * FROM cal_users WHERE username = '". $_POST['username'] ."' OR password = '". MD5($_POST['password']) ."' OR email = '". $_POST['email'] ."'");

As we can see, the 'username', 'password' and 'email' variables are passed unchecked into the SQL query via the POST method.

email ==> N_A[at]tutanota.com
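
Added example (not part of the original advisory or of the PHP Planner code): the same lookup as in the register.php snippet above, written with bound parameters so that POST values are compared as data instead of being concatenated into the SQL text. The function names, the use of PDO and the in-memory SQLite table standing in for the MySQL cal_users table are assumptions made so the example runs offline.

```php
<?php
// Added example: hardened form of the account lookup from register.php.
// Assumptions: the pdo_sqlite extension is loaded; an in-memory SQLite
// table stands in for the MySQL cal_users table.

function openDemoDb(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // With the MySQL driver, also set PDO::ATTR_EMULATE_PREPARES to false
    // so that values are bound by the server and not by the client library.
    $pdo->exec('CREATE TABLE cal_users (username TEXT, password TEXT, email TEXT)');
    return $pdo;
}

function accountExists(PDO $pdo, string $username, string $passwordHash, string $email): bool
{
    // Same predicate as the original query, with a placeholder for every
    // value that originates from the request.
    $stmt = $pdo->prepare(
        'SELECT COUNT(*) FROM cal_users
          WHERE username = :username OR password = :password OR email = :email'
    );
    $stmt->execute([
        ':username' => $username,
        ':password' => $passwordHash,
        ':email'    => $email,
    ]);
    return (int) $stmt->fetchColumn() > 0;
}

$pdo = openDemoDb();

// Constructed sample row; md5() only mirrors the storage format in the snippet.
$pdo->prepare('INSERT INTO cal_users (username, password, email) VALUES (?, ?, ?)')
    ->execute(['alice', md5('constructed-password'), 'alice@example.com']);

// Constructed inputs. The first reuses a stored username. The second contains
// a quote character, which reaches the database as part of the value and
// cannot terminate the string literal as it would in the concatenated query.
var_dump(accountExists($pdo, 'alice', md5('other'), 'nobody@example.com'));
var_dump(accountExists($pdo, "o'brien", md5('other'), "o'brien@example.com"));
```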

 
