[VIM] AVTutorial 1.0 changePW.php vulnerabilities

Heinbockel, Bill heinbockel at mitre.org
Tue Jul 10 16:50:24 UTC 2007


There are (at least) two different issues recently
reported in changePW.php in AVTutorial 1.0:

(1) Password change for arbitrary users [CVE-2007-3630]
http://www.milw0rm.com/exploits/4163

(2) SQL injection - in the id and userid parameters
http://secunia.com/advisories/25969


Now, the code from changePW.php:

> $id = $_GET['userid'];
> $oldpassword = $_GET['id'];
> $password = $_POST['password'];
> $password = stripslashes($password);
> $password = md5($password);
> $sql = mysql_query("UPDATE ls_users SET password='$password' WHERE id='$id' AND password='$oldpassword'")
>     or die (mysql_error());
> echo "Password has been changed";



William Heinbockel
Infosec Engineer, Sr.
The MITRE Corporation
202 Burlington Rd. MS S145
Bedford, MA 01730
heinbockel at mitre.org
781-271-2615
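A hardened rewrite of the quoted changePW.php logic, added here as an illustration (it is not code from AVTutorial or from the original post). It assumes a PDO handle to the same ls_users table, that the authenticated user's id is available from the session rather than from a request parameter, and that password storage is switched from md5() to password_hash(); the demo data at the bottom is constructed.

```php
<?php
// Added example, not AVTutorial code. Assumptions: PDO handle to ls_users,
// authenticated user id taken from the session, password_hash() storage.
declare(strict_types=1);

function changePassword(PDO $pdo, int $sessionUserId, string $oldPassword, string $newPassword): bool
{
    // Look up the stored hash for the authenticated user only. The id is
    // never read from $_GET['userid'], so the "password change for arbitrary
    // users" issue (CVE-2007-3630) cannot arise.
    $stmt = $pdo->prepare('SELECT password FROM ls_users WHERE id = :id');
    $stmt->execute([':id' => $sessionUserId]);
    $storedHash = $stmt->fetchColumn();
    if ($storedHash === false || !password_verify($oldPassword, $storedHash)) {
        return false; // unknown user or wrong old password
    }
    if (strlen($newPassword) < 8) {
        return false; // minimal policy; assumption, not from the original
    }
    // Bound parameters: user input never becomes part of the SQL text, so the
    // injection via the id/userid parameters is gone. password_hash() replaces
    // the original unsalted md5().
    $upd = $pdo->prepare('UPDATE ls_users SET password = :hash WHERE id = :id');
    $upd->execute([
        ':hash' => password_hash($newPassword, PASSWORD_DEFAULT),
        ':id'   => $sessionUserId,
    ]);
    return $upd->rowCount() === 1;
}

// --- constructed demo data (in-memory SQLite, not the application's DB) ---
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE ls_users (id INTEGER PRIMARY KEY, password TEXT NOT NULL)');
$pdo->prepare('INSERT INTO ls_users (id, password) VALUES (1, ?)')
    ->execute([password_hash('correct horse', PASSWORD_DEFAULT)]);

// In the real handler this would be $_SESSION['user_id'] after session_start().
$authenticatedUserId = 1;

// Wrong old password: rejected even though the user id is valid.
var_dump(changePassword($pdo, $authenticatedUserId, 'wrong-old', 'new-password-1'));
// Correct old password from the authenticated user: accepted.
var_dump(changePassword($pdo, $authenticatedUserId, 'correct horse', 'new-password-1'));
```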
