=====[BEGIN-SCL-REPORT]=====
________________________________________________________________________

Scovetta Labs Security Advisory

Title:        Multiple Vulnerabilities in PHP Gift Registry
Status:       Public
Release Date: 2009-11-15
________________________________________________________________________

Package:       PHP Gift Registry
Vendor:        Ryan Walberg
Priority:      High
Vulnerability: SQL Injection, Cross Site Scripting

Affected Versions:
==================
1.6 (beta 1)
Prior versions may be affected.

Background: (official description)
==================================
The PHP Gift Registry is a web-enabled gift registry intended for use
among a circle of family members or friends. It is intended to fill the
following purposes:

* Permit the long-term storage of a list of items one desires, along
  with its price, where it can be bought, and (optionally) a URL where
  it can be viewed.
* Enable items to be "locked" by one shopper so that the same item is
  not bought by someone else.

Description:
============
+--------------+--------+----------------------+-----------------------+
| File         | Line # | Class                | Variable              |
+--------------+--------+----------------------+-----------------------+
| users.php    | 88     | SQL Injection        | $_GET["userid"]       |
| users.php    | 135    | SQL Injection        | $_GET["userid"]       |
| families.php | 53     | SQL Injection        | $_GET["familyid"]     |
| families.php | 55     | SQL Injection        | $_GET["familyid"]     |
| families.php | 61     | SQL Injection        | $_GET["familyid"]     |
| families.php | 84     | SQL Injection        | $_GET["familyid"]     |
| families.php | 93     | SQL Injection        | $_GET["familyid"]     |
| families.php | 87     | SQL Injection        | $_GET["familyid"]     |
| families.php | 228    | SQL Injection        | $_GET["familyid"]     |
| ranks.php    | 60     | SQL Injection        | $_GET["ranking"]      |
| ranks.php    | 62     | SQL Injection        | $_GET["ranking"]      |
| ranks.php    | 68     | SQL Injection        | $_GET["rankorder"]    |
| ranks.php    | 70     | SQL Injection        | $_GET["ranking"]      |
| ranks.php    | 115    | SQL Injection        | $_GET["ranking"]      |
+--------------+--------+----------------------+-----------------------+

Analysis:
=========

Work-around:
============
No workaround is known. Upgrade to the latest version of the tool.

Timeline
========
2009-10-11 - Vulnerability discovered.
2009-10-11 - Vendor contacted.
2009-11-15 - Advisory released.

Revision History
================
2009-10-15: Initial Draft
2009-11-15: Public Release [1]

Credits:
========
To the best of his knowledge, Michael Scovetta of Scovetta Labs
discovered this vulnerability.

References:
===========
[1] http://www.scovetta.com/download/SCL-2009-002.txt

Disclaimer
==========
The content of this report is purely informational and meant only for
the purpose of education and protection. Scovetta Labs and Michael
Scovetta shall in no event be liable for any damage whatsoever, direct
or implied, arising from use or spread of this information. All
identifiers (hostnames, IP addresses, company names, individual names
etc.) used in examples and demonstrations are used only for explanatory
purposes and have no connection with any real host, company or
individual. In no event should it be assumed that use of these names
means specific hosts, companies or individuals are vulnerable to any
attacks nor does it mean that they consent to being used in any
vulnerability tests. The use of information in this report is entirely
at user's risk.

Copyright
=========
(c) 2009 Michael Scovetta. Forwarding and publishing of this document
is permitted providing the content between "[BEGIN-SCL-REPORT]" and
"[END-SCL-REPORT]" marks remains unchanged.

=====[END-SCL-REPORT]=====
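Editor's note, outside the report: every row in the advisory's table is a $_GET value (userid, familyid, ranking, rankorder) reaching a SQL statement, and the title also flags cross-site scripting. The PHP below is an added example, not PHP Gift Registry code and not the vendor's fix; it shows the general pattern a defender applies to such numeric request parameters: validate the type up front, bind the value with a prepared statement so it can never alter the statement's structure, and HTML-encode anything echoed back. The table name "users", the column names, the function names, and the PDO connection details are all assumed placeholders.

```php
<?php
// Added example (not part of the advisory or the PHP Gift Registry code).
// Table/column names and the DSN are illustrative placeholders.

declare(strict_types=1);

// Pattern that produces the class of bug listed in the advisory's table:
// a $_GET value is concatenated straight into the SQL text, so whatever
// the client sends after "userid=" becomes part of the statement.
function vulnerableUserQuery(array $get): string
{
    return "SELECT userid, username FROM users WHERE userid = " . $get["userid"];
}

// Hardened step 1: reject anything that is not a positive integer before
// it reaches the database layer. Returns a real int, not a string.
function requireIntParam(array $get, string $name): int
{
    $valid = isset($get[$name]) && filter_var(
        $get[$name],
        FILTER_VALIDATE_INT,
        ["options" => ["min_range" => 1]]
    ) !== false;

    if (!$valid) {
        http_response_code(400);
        // Encode the parameter name so the error page itself cannot become
        // an XSS sink if it ever reflects attacker-controlled text.
        exit("Invalid parameter: " . htmlspecialchars($name, ENT_QUOTES, "UTF-8"));
    }
    return (int) $get[$name];
}

// Hardened step 2: bind the validated value as a typed parameter. The query
// shape is fixed at prepare() time; the value can only ever be data.
function fetchUser(PDO $db, int $userid): ?array
{
    $stmt = $db->prepare("SELECT userid, username FROM users WHERE userid = :userid");
    $stmt->bindValue(":userid", $userid, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Hardened step 3: encode on output, so a stored value cannot run as script
// in another user's browser (the XSS side of the advisory).
function renderUserName(?array $user): string
{
    if ($user === null) {
        return "<p>No such user.</p>";
    }
    return "<p>" . htmlspecialchars($user["username"], ENT_QUOTES, "UTF-8") . "</p>";
}

// Example wiring for a request handler (DSN and credentials are placeholders):
// $db = new PDO("mysql:host=localhost;dbname=giftreg;charset=utf8mb4", $dbUser, $dbPass, [
//     PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
//     PDO::ATTR_EMULATE_PREPARES   => false,   // use server-side prepares
// ]);
// echo renderUserName(fetchUser($db, requireIntParam($_GET, "userid")));
```

The same three steps apply unchanged to the familyid, ranking and rankorder parameters in families.php and ranks.php: the validator is reused per parameter name, and each query gets its own prepared statement with a bound integer. Disabling emulated prepares makes the database server, not the PHP driver, enforce the separation between statement and data.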