Detections
Analytics

RTH login.php uname Parameter SQL Injection

medium Nessus Plugin ID 33860

Language:

Synopsis

The remote web server contains a PHP script that is prone to a SQL injection attack.

Description

The remote host is running RTH, a web-based software testing framework written in PHP.

The version of RTH installed on the remote host fails to sanitize input to the 'uname' array parameter of the 'login.php' script before using it in a database query. Provided PHP's 'magic_quotes_gpc' setting is disabled, an attacker can leverage this issue to manipulate database queries and gain administrative access to the application or launch other sorts of SQL injection attacks against the affected host.

Note that there is also reportedly an information disclosure issue associated with similar versions of RTH that could be used to download arbitrary files from the remote host without authentication. Nessus has not, though, checked for those other issues.

Solution

Upgrade to RTH version 1.7.0 or later.

See Also

http://www.nessus.org/u?75494405

http://sourceforge.net/project/shownotes.php?release_id=618383

Plugin Details

Severity: Medium

ID: 33860

File Name: rth_uname_sql_injection.nasl

Version: 1.16

Type: remote

Family: CGI abuses

Published: 8/11/2008

Updated: 4/11/2022

Configuration: Enable thorough checks (optional)

Supported Sensors: Nessus

Vulnerability Information

Required KB Items: www/PHP

Excluded KB Items: Settings/disable_cgi_scanning

Exploit Available: true

Exploit Ease: Exploits are available

Exploited by Nessus: true

Reference Information

BID: 30603

SECUNIA: 31414