[VIM] Provable vendor ACK for gcards issues

Steven M. Christey coley at mitre.org
Fri Apr 14 23:31:10 EDT 2006


hey OSVDB - look what happens when I accidentally click on one of your
generic vendor URLs :)

Another rgod production - CVE-2006-1348, CVE-2006-1347, CVE-2006-1346

http://www.gregphoto.net/gcards/index.php

The note for Version 1.46 says "Fixed several critical security
issues."

This is not sufficient proof for CVE purposes, so let's do a diff
between 1.46 and 1.31 (note - < and > may be switched).

========================================================================

CVE-2006-1347 - SQL injection - admin/loginfunction.php

37,39c37
<               $pass = md5($userpass);
<               $uname = checkAddSlashes($username);
<               $sqlstmt = "SELECT role FROM ".$tablePrefix."cardusers
WHERE username='$uname' AND userpass='$pass'";
---
>               $sqlstmt = "SELECT role FROM ".$tablePrefix."cardusers
>               WHERE username='$username' AND
>               userpass=password('$userpass')";
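Review bot: taking the `<` lines as the 1.46 side (they add `checkAddSlashes($username)` and `md5($userpass)` before interpolation, while the `>` side drops `$username` and `$userpass` straight into the query string), the change only escapes the inputs; the statement is still assembled by string interpolation, so a prepared statement with bound parameters would be the durable fix, and `checkAddSlashes` is not shown here, so whether it does more than `addslashes()` cannot be verified from this hunk. Separately, the password check moves from MySQL's `password()` to an unsalted `md5()`, a storage-format change worth recording apart from the injection itself.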


========================================================================

CVE-2006-1346 - Directory traversal... love the attitude - "NO!"

diff `find . -name setLang.php`

2,6c2,4
<       if(isset($_REQUEST['lang'])) exit("NO!");
<       if ($page->languageredirect == $_SERVER['PHP_SELF']) {
<               if (isset($_GET['setLang']) &&
array_key_exists($_GET['setLang'],$lang)) {
<                       $_SESSION['setLang'] = $_GET['setLang'];
<               }
---
>       if ($page->languageredirect == $_SERVER['PHP_SELF'])
>       {
>               if (isset($_GET['setLang'])) $_SESSION['setLang'] =
>       $_GET['setLang'];
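Review bot: the `<` side is the fixed one: `array_key_exists($_GET['setLang'],$lang)` restricts the session value to keys of the `$lang` table before it is stored, whereas the `>` side writes `$_GET['setLang']` into `$_SESSION` unchecked; since that session value later selects the include path, this allowlist is the actual traversal fix. The added `if(isset($_REQUEST['lang'])) exit("NO!");` rejects a parameter this hunk never otherwise uses, so the reason for it deserves a comment in the code.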
8,16c6,7
<
<       $langFile =
>       $page->relpath.'inc/lang/'.$lang[$_SESSION['setLang']]['file'];
<
<       if (file_exists($langFile)) {
<               include_once($langFile);
<       } else {
<               echo "Could not find language file $langFile";
<       }
< ?>
\ No newline at end of file
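Review bot: only the `<` side of this hunk survived the quoting (the `>` lines 6,7 are absent), so the replacement cannot be checked from here. On the visible lines, `file_exists($langFile)` before `include_once($langFile)` is not a traversal control: it passes for any file that exists, however the path was composed, so the protection rests on the allowlist in the preceding hunk. The fallback `echo "Could not find language file $langFile"` prints the path unencoded; with an unvalidated `setLang` that is the reflection point behind the XSS suspicion below, and the message should not echo the path at all, or at least pass it through `htmlspecialchars()`.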

========================================================================

XSS - ummmmmmm


The fix was not immediately identifiable based on source code
inspection.  A closer look suggests that it might be resultant XSS
from the directory traversal issue, but this is not certain.

- Steve
