CVE-2013-0135
Description
Multiple SQL injection vulnerabilities in PHP Address Book 8.2.5 allow remote attackers to execute arbitrary SQL commands via the id parameter to (1) addressbook/register/delete_user.php, (2) addressbook/register/edit_user.php, or (3) addressbook/register/edit_user_save.php; the email parameter to (4) addressbook/register/edit_user_save.php, (5) addressbook/register/reset_password.php, (6) addressbook/register/reset_password_save.php, or (7) addressbook/register/user_add_save.php; the username parameter to (8) addressbook/register/checklogin.php or (9) addressbook/register/reset_password_save.php; the (10) lastname, (11) firstname, (12) phone, (13) permissions, or (14) notes parameter to addressbook/register/edit_user_save.php; the (15) q parameter to addressbook/register/admin_index.php; the (16) site parameter to addressbook/register/linktick.php; the (17) password parameter to addressbook/register/reset_password.php; the (18) password_hint parameter to addressbook/register/reset_password_save.php; the (19) var parameter to addressbook/register/traffic.php; or a (20) BasicLogin cookie to addressbook/register/router.php.
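The description lists twenty parameters that reach SQL statements unfiltered (CWE-89). The following is an added, defender-side illustration of that flaw class and its fix, not code taken from PHP Address Book: the first function shows the unsafe pattern of interpolating the `id` query parameter into the statement, and the hardened functions validate the type and bind values as parameters so that input can never change the statement's structure. The table and column names, the function names and the in-memory SQLite rows are all assumptions constructed for the demo.

```php
<?php
// Added illustration, not PHP Address Book's own code. The CVE says the "id"
// parameter of delete_user.php reaches SQL; this is the generic unsafe pattern.
// Hypothetical vulnerable form: the raw request value becomes part of the SQL text.
function deleteUserUnsafe(PDO $db, array $get): int
{
    $id = $get['id'] ?? '';
    // Whatever is in $id is parsed by the database as SQL (CWE-89).
    return (int) $db->exec("DELETE FROM users WHERE id = '$id'");
}

// Hardened form: validate the type first, then bind the value as a parameter.
function deleteUserSafe(PDO $db, array $get): int
{
    $id = filter_var($get['id'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    if ($id === false) {
        // Reject malformed ids before any SQL is executed.
        return 0;
    }
    $stmt = $db->prepare('DELETE FROM users WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

// Same rule for free-text columns (lastname, firstname, phone, email, notes):
// bind every value, never concatenate, even when the column type is text.
function updateUserSafe(PDO $db, int $id, array $post): int
{
    $stmt = $db->prepare(
        'UPDATE users SET lastname = :lastname, firstname = :firstname,
                phone = :phone, email = :email, notes = :notes
         WHERE id = :id'
    );
    $stmt->execute([
        ':lastname'  => (string) ($post['lastname'] ?? ''),
        ':firstname' => (string) ($post['firstname'] ?? ''),
        ':phone'     => (string) ($post['phone'] ?? ''),
        ':email'     => (string) ($post['email'] ?? ''),
        ':notes'     => (string) ($post['notes'] ?? ''),
        ':id'        => $id,
    ]);
    return $stmt->rowCount();
}

// Runnable demo against an in-memory SQLite database with constructed sample rows.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, lastname TEXT, firstname TEXT,
           phone TEXT, email TEXT, notes TEXT)');
$db->exec("INSERT INTO users VALUES
           (1, 'Doe', 'Jane', '555-0100', 'jane@example.test', ''),
           (2, 'Roe', 'Rick', '555-0101', 'rick@example.test', '')");

// A non-integer id is rejected before reaching the database: 0 rows affected.
var_dump(deleteUserSafe($db, ['id' => '2abc']) === 0);
// A well-formed id deletes exactly one row.
var_dump(deleteUserSafe($db, ['id' => '2']) === 1);
// A quote inside a bound text value is stored as data, not parsed as SQL.
var_dump(updateUserSafe($db, 1, ['lastname' => "O'Brien"]) === 1);
var_dump($db->query('SELECT lastname FROM users WHERE id = 1')->fetchColumn() === "O'Brien");
```

The type check on `id` is defence in depth: binding alone already prevents injection, but rejecting non-numeric ids up front also gives a clean 400-style failure to log and alert on instead of a database error.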
Mitigations
No mitigations published for this CVE yet.
Exploits
Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.
Exploit-DB
PHP Address Book - '/addressbook/register/admin_index.php?q' SQL Injection
PHP Address Book - '/addressbook/register/checklogin.php?Username' SQL Injection
PHP Address Book - '/addressbook/register/delete_user.php?id' SQL Injection
PHP Address Book - '/addressbook/register/edit_user.php?id' SQL Injection
PHP Address Book - '/addressbook/register/edit_user_save.php' Multiple SQL Injections
source: https://www.securityfocus.com/bid/58911/info
PHP Address Book is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied input.
A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
PHP Address Book 8.2.5 is vulnerable; other versions may also be affected.
http://www.example.com/addressbook/register/edit_user_save.php?id={insert}&lastname={insert}&firstname={insert}&phone={insert}&email={insert}&permissions={insert}&notes={insert}
PHP Address Book - '/addressbook/register/linktick.php?site' SQL Injection
PHP Address Book - '/addressbook/register/reset_password.php' Multiple SQL Injections
PHP Address Book - '/addressbook/register/reset_password_save.php' Multiple SQL Injections
PHP Address Book - '/addressbook/register/router.php?BasicLogin' Cookie SQL Injection
PHP Address Book - '/addressbook/register/user_add_save.php?email' SQL Injection
PHP Address Book - '/addressbook/register/traffic.php?var' SQL Injection
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| chatelao | php_address_book | 8.2.5 | |
References
- http://packetstormsecurity.com/files/129789/PHP-Address-Book-Cross-Site-Scripting-SQL-Injection.html
- http://www.acadion.nl/labs/advisory/20130203-phpaddressbook.html
- http://www.kb.cert.org/vuls/id/183692
- https://exchange.xforce.ibmcloud.com/vulnerabilities/99623
CWEs
CWE-89