PHP-Arena PaFaq Multiple SQL Injection Vulnerabilities


Description   Several SQL injection vulnerabilities were identified in PaFaq. The flaws reside in the "question.php", "answer.php", "search.php" and "comment.php" files, which pass user-supplied request parameters into SQL queries; an attacker could exploit them with specially crafted SQL commands to compromise a vulnerable system. The following requests, each placing a single quote in an affected parameter, demonstrate the issue:
http://vulnerable/index.php?act=Question&id=1&limit=10&orderby=q_id&order=DESC&offset='
http://vulnerable/index.php?act=Question&id=1&orderby=q_id&order=DESC&limit='
http://vulnerable/index.php?act=Question&id=1&orderby=q_id&order='&limit=10
http://vulnerable/index.php?act=Question&id=1&orderby='&order=DESC&limit=10
http://vulnerable/index.php?act=Answer&cid=1&id=1&offset='
http://vulnerable/index.php?act=Search&code=01&search_item='
http://vulnerable/index.php?act=Speak&code=05&poster=1&name=2&question=3&email=4&cat_id='
http://vulnerable/index.php?act=Speak&code=02&cid='&id=1&poster=1&name=2&answer=3&email=4
http://vulnerable/index.php?act=Speak&code=02&cid=1&id='&poster=1&name=2&answer=3&email=4
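As an added illustration (not PaFaq's own code), the pattern behind this class of bug and a hardened version of the Question listing, using the parameter names from the requests above. It assumes a PDO connection `$pdo` and a hypothetical `questions` table whose sortable columns are listed in the allow-list; only `q_id`, `cat_id` and the parameter names come from this advisory.

```php
<?php
// Added illustration, not PaFaq code. Assumes a PDO connection $pdo and a
// hypothetical "questions" table (columns q_id, q_date, q_title, cat_id).

// Weak pattern: every GET parameter is interpolated into the SQL text.
// A single quote in offset/limit/order/orderby breaks the query, and the
// ORDER BY and LIMIT positions are not string literals, so quoting alone
// cannot make them safe.
function listQuestionsWeak(PDO $pdo, array $get): array
{
    $sql = "SELECT * FROM questions WHERE cat_id = {$get['id']} "
         . "ORDER BY {$get['orderby']} {$get['order']} "
         . "LIMIT {$get['offset']}, {$get['limit']}";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened version: numeric parameters are cast to int and bound as
// placeholders; identifier and keyword positions (sort column, direction)
// are resolved against a fixed allow-list and never taken verbatim.
function listQuestionsHardened(PDO $pdo, array $get): array
{
    $sortable  = ['q_id' => 'q_id', 'q_date' => 'q_date', 'q_title' => 'q_title'];
    $direction = ['ASC' => 'ASC', 'DESC' => 'DESC'];

    $orderby = $sortable[$get['orderby'] ?? ''] ?? 'q_id';
    $order   = $direction[strtoupper($get['order'] ?? '')] ?? 'DESC';
    $limit   = max(1, min(100, (int) ($get['limit'] ?? 10)));
    $offset  = max(0, (int) ($get['offset'] ?? 0));
    $id      = (int) ($get['id'] ?? 0);

    // $orderby and $order now hold only allow-listed values, so they can be
    // placed in the SQL text; the integers are bound with PDO::PARAM_INT.
    $stmt = $pdo->prepare(
        "SELECT * FROM questions WHERE cat_id = :id "
      . "ORDER BY $orderby $order LIMIT :offset, :limit"
    );
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->bindValue(':offset', $offset, PDO::PARAM_INT);
    $stmt->bindValue(':limit', $limit, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}
```

The same approach applies to the Answer, Search and Speak actions: bind `id`, `cid`, `cat_id` and `search_item` as placeholders and cast the numeric ones to int.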
     
Vulnerable Products   PHP-Arena PaFaq Beta 4
     
Solution   K-OTik Security is not aware of any officially supplied patch for this issue.
     
CVE  
     
References  
     
Vulnerability Manager Detection   No
     
IPS Protection  
ASQ Engine alarm | Available Since
SQL injection Prevention - GET : suspicious OR statement in URL | 3.2.0
SQL injection Prevention - POST : suspicious SELECT statement in data | 3.2.0
SQL injection Prevention - GET : suspicious combination of 'OR' or 'AND' statements in URL | 3.2.0
SQL injection Prevention - POST : possible version probing in data | 3.2.0
SQL injection Prevention - GET : suspicious CREATE statement in URL | 3.2.0
SQL injection Prevention - GET : suspicious OPENROWSET statement in URL | 3.2.0
SQL injection Prevention - POST : suspicious OPENQUERY statement in data | 3.2.0
SQL injection Prevention - POST : suspicious CREATE statement in data | 3.2.0
SQL injection Prevention - POST : suspicious UPDATE statement in data | 3.2.0
SQL injection Prevention - POST : suspicious UNION statement in data | 3.2.0
SQL injection Prevention - GET : suspicious OPENQUERY statement in URL | 3.2.0
SQL injection Prevention - GET : suspicious shutdown statement in URL | 3.2.0
SQL injection Prevention - GET : suspicious UNION SELECT statement in URL | 3.2.0
SQL injection Prevention - POST : suspicious DROP statement in data | 3.2.0
SQL injection Prevention - GET : possible database version probing | 3.2.0
SQL injection Prevention - POST : suspicious INSERT statement in data | 3.2.0
SQL injection Prevention - POST : suspicious OR statement in data | 3.2.0
SQL injection Prevention - GET : suspicious UPDATE SET statement in URL | 3.2.0
SQL injection Prevention - POST : suspicious EXEC statement in data | 3.2.0
SQL injection Prevention - GET : suspicious SELECT statement in URL | 3.2.0
SQL injection Prevention - GET : suspicious INSERT statement in URL | 3.2.0
SQL injection Prevention - GET : suspicious DROP statement in URL | 3.2.0
SQL injection Prevention - POST : suspicious OPENROWSET statement in data | 3.2.0
SQL injection Prevention - GET : suspicious EXEC statement in URL | 3.2.0
SQL injection Prevention - POST : suspicious HAVING statement in data | 3.2.0

Risk level   High
Vulnerability First Public Report Date   2005-02-18
Target Type   Server
Possible exploit   Local & Remote