| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 22 Mar 2012 10:21:28 -0400 From: Mark Stanislav <mark.stanislav@...il.com> To: bugtraq@...urityfocus.com Subject: 'PHP Grade Book' Unauthenticated SQL Database Export (CVE-2012-1670) 'PHP Grade Book' Unauthenticated SQL Database Export (CVE-2012-1670) Mark Stanislav - mark.stanislav@...il.com I. DESCRIPTION --------------------------------------- A vulnerability exists in admin/index.php that allows for an unauthenticated user to export the entire application database by accessing the 'Database Backup' method without restriction. Due to the way sessions are handled, an attacker can then simply pass the username and password-hash via cookies to assume the administrative role without ever knowing the clear-text version of the password. II. TESTED VERSION --------------------------------------- 1.9.4 III. PoC EXPLOIT --------------------------------------- http://localhost/phpGradeBook/admin/index.php?action=SaveSQL IV. SOLUTION --------------------------------------- Upgrade to 1.9.5 or above. V. REFERENCES --------------------------------------- http://sourceforge.net/projects/php-gradebook/ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1670 VI. TIMELINE --------------------------------------- 02/29/2012 - Initial vendor disclosure 02/29/2012 - Vendor response and commitment to fix 03/01/2012 - Vendor patched and released an updated version 03/22/2012 - Public disclosure
Powered by blists - more mailing lists