[VIM] AVTutorial 1.0 changePW.php vulnerabilities
Heinbockel, Bill
heinbockel at mitre.org
Tue Jul 10 16:50:24 UTC 2007
There are (at least) two different issues recently
reported in changePW.php in AVTutorial 1.0:
(1) Password change for arbitrary users [CVE-2007-3630]
http://www.milw0rm.com/exploits/4163
(2) SQL injection - in the id and userid parameters
http://secunia.com/advisories/25969
Now, the code from changePW.php:
> $id = $_GET['userid'];
> $oldpassword = $_GET['id'];
> $password = $_POST['password'];
> $password = stripslashes($password);
> $password = md5($password);
> $sql = mysql_query("UPDATE ls_users SET password='$password' WHERE id='$id' AND password='$oldpassword'")
> or die (mysql_error());
> echo "Password has been changed";
William Heinbockel
Infosec Engineer, Sr.
The MITRE Corporation
202 Burlington Rd. MS S145
Bedford, MA 01730
heinbockel at mitre.org
781-271-2615
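
For comparison with the quoted code, where `$_GET['userid']` and `$_GET['id']` are interpolated directly into the UPDATE statement, here is one hardened form of the same password change. It is an added example, not part of the original post and not AVTutorial code. Assumptions: PDO with an in-memory SQLite database standing in for MySQL, a user id taken from the server-side session (hypothetical `$sessionUserId`), and `password_hash()` in place of the original `md5()`; only the `ls_users` table and its `id` and `password` columns come from the quoted query.

```php
<?php
declare(strict_types=1);
// Added example (not AVTutorial code). ls_users/id/password are from the quoted
// query; function name, session id source and hashing scheme are assumptions.

/**
 * Change the password of the authenticated user only.
 * $sessionUserId must come from server-side session state, never from the request.
 */
function changePassword(PDO $db, int $sessionUserId, string $old, string $new): bool
{
    // Bound parameter: the id is sent as data and cannot alter the SQL text.
    $stmt = $db->prepare('SELECT password FROM ls_users WHERE id = :id');
    $stmt->execute([':id' => $sessionUserId]);
    $hash = $stmt->fetchColumn();

    // The current password is verified in application code, not in the WHERE clause.
    if ($hash === false || !password_verify($old, $hash)) {
        return false;
    }

    $upd = $db->prepare('UPDATE ls_users SET password = :pw WHERE id = :id');
    $upd->execute([
        ':pw' => password_hash($new, PASSWORD_DEFAULT),
        ':id' => $sessionUserId,
    ]);
    return $upd->rowCount() === 1;
}

// --- Constructed demo data: in-memory SQLite stands in for the MySQL database ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE ls_users (id INTEGER PRIMARY KEY, password TEXT)');
$ins = $db->prepare('INSERT INTO ls_users (id, password) VALUES (?, ?)');
$ins->execute([1, password_hash('alice-old', PASSWORD_DEFAULT)]);
$ins->execute([2, password_hash('bob-old', PASSWORD_DEFAULT)]);

// Case 1: session user 1 supplies the correct current password.
var_dump(changePassword($db, 1, 'alice-old', 'alice-new'));
// Case 2: wrong current password for user 2; no UPDATE is issued.
var_dump(changePassword($db, 2, 'not-the-password', 'x'));
// Case 3: input containing a quote character is compared as data only.
var_dump(changePassword($db, 2, "it's-not-right", 'x'));
// User 2's stored hash still verifies against the original password.
$h = $db->query('SELECT password FROM ls_users WHERE id = 2')->fetchColumn();
var_dump(password_verify('bob-old', $h));
```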