SQL injection vulnerability in (1) people.php, (2) track.php, (3) edit.php, (4) document.php, (5) census.php, (6) passthru.php and possibly other php files in phpMyFamily 1.4.0 allows remote attackers to execute arbitrary SQL commands, as demonstrated via (1) the person parameter to people.php or (2) the Login field.
phpmyfamily people.php person Parameter SQL Injection
Remote / Network Access
Loss of Confidentiality, Loss of Integrity
phpmyfamily contains a flaw that may allow a remote attacker to inject arbitrary SQL queries. The issue is due to the 'person' parameter in the 'people.php' script not being properly sanitized and may allow a remote attacker to inject or manipulate SQL queries.
Upgrade to version 1.4.1 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.
Discovery of this vulnerability is credited to kreon <email@example.com>.
phpmyfamily phpmyfamily 1.4
phpmyfamily is reportedly affected by multiple SQL injection vulnerabilities. These issues are due to a failure in the application to properly sanitize user-supplied input before using it in SQL queries.
Successful exploitation could result in a compromise of the application, disclosure or modification of data, or may permit an attacker to exploit vulnerabilities in the underlying database implementation.
No exploit is required.
The following proof of concept is available: http://www.example.com/[myphpfamily]/people.php?person=00002'%20UNION%20SELECT%20NULL,password,NULL,username,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL%20FROM%20family_users%20%20WHERE%20admin='Y'%20LIMIT%201,1/*
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: firstname.lastname@example.org.
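A log check for the people.php request pattern shown in the proof of concept above, as an added example that is not part of the original advisory or of phpMyFamily. It assumes combined-format web server access logs and that legitimate person values are purely numeric; the function names and sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: legitimate 'person' values are purely numeric, like the
# "00002" prefix in the proof-of-concept request; adjust if yours differ.
VALID_PERSON = re.compile(r"\d+")
# SQL tokens worth naming in the alert; any non-numeric value is flagged anyway.
SQL_HINTS = re.compile(r"'|\bunion\b|\bselect\b|/\*|--|\bfamily_users\b", re.I)
# Request line of a common/combined-format access log entry.
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def check_line(line):
    """Return None for a clean line, else a dict describing the finding."""
    m = REQUEST.search(line)
    if not m:
        return None
    url = urlsplit(m.group(1))
    if not url.path.endswith("/people.php"):
        return None
    # parse_qs percent-decodes, so %20UNION%20SELECT is seen as plain text.
    for value in parse_qs(url.query, keep_blank_values=True).get("person", []):
        if not VALID_PERSON.fullmatch(value):
            hints = sorted({h.lower() for h in SQL_HINTS.findall(value)})
            return {"client": line.split(" ", 1)[0], "person": value, "sql_tokens": hints}
    return None

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2005:10:00:00 +0000] "GET /family/people.php?person=00002 HTTP/1.1" 200 5120',
    '192.0.2.77 - - [01/Jan/2005:10:00:05 +0000] "GET /family/people.php?person=00002\'%20UNION%20SELECT%20NULL,password%20FROM%20family_users/* HTTP/1.1" 200 812',
    '192.0.2.10 - - [01/Jan/2005:10:00:09 +0000] "GET /family/index.php HTTP/1.1" 200 2048',
]

def scan(lines):
    """Return the findings for every flagged line, in input order."""
    return [f for f in map(check_line, lines) if f]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A hit on a host still running 1.4.0 means the family_users table should be treated as exposed until the logs show otherwise.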