POWER PHLOGGER v.2.2.5 (username) SQL Injection<br>
<br>
Author: Attila Gerendi (Darkz)<br>
Date: June 25, 2007<br>
Package: POWER PHLOGGER (<a href="http://www.phpee.com/">http://www.phpee.com/</a>)<br>
Versions Affected: v.2.2.5 (Other versions may also be affected)<br>
Severity: SQL Injection<br>
<br>
Description:<br>
<br>
Input passed to the "username" parameter in "login.php" isn't properly sanitised before being used in<br>
a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code and<br>
bypass login sequence.<br>
<br>
This SQL injection is "blind" so the user can not produce variations in the server input however using<br>
BENCHMARK it still can be used to retrieve sensitive data from the database and/or heavily load the server<br>
and produce DDOS attack.<br>
<br>
The vulnerable code piece is in "/include/get_userdata.php"<br>
<br>
/* assign the user's values */<br>
$sql = "SELECT * FROM ".PPHL_TBL_USERS." WHERE id='$id' OR username='$id'";<br>
$res = mysql_query($sql);<br>
<br>
the vulnerable parameter at this point is $id and it is set trough session variable $username from login.php<br>
without any sanitation.<br>
<br>
Status:<br>
The product web page say: "Active development of PowerPhlogger has been stopped as of August 2006.<br>
The announced successor Phlogger3 will not be released. Also, I am not able to provide you with support for<br>
any previous version.", so any user using this version should correct the bug herself.<br>
<br>
Solution:<br>
<br>
modify<br>
/* assign the user's values */<br>
$sql = "SELECT * FROM ".PPHL_TBL_USERS." WHERE id='$id' OR username='$id'";<br>
$res = mysql_query($sql);<br>
<br>
to<br>
<br>
/* assign the user's values */<br>
<span>$id = mysql_escape_string($id);</span><br>
$sql = "SELECT * FROM ".PPHL_TBL_USERS." WHERE id='$id' OR username='$id'";<br>
$res = mysql_query($sql);