GulfTech Computers - Professional Computer Services  
Additional Links
-> Dicussion Forum
-> Encryption Tools
-> Information Tools
-> Net Info Tools
-> Latest Advisories
-> Latest Vulns
-> Latest Win Software
-> Latest Nix Software
-> Security News
-> Security Press
Recent News

GulfTech Computers strives to beat the price(s) of any other business around. Check with us first as it just may save you some time and money. And who doesn't want to save money? Please contact us with any questions or inquiries.

Latest GulfTech Releases

SubScan v1.2 Scans a domain for DNS records and SubDomains. Very stealthy, and can be used to find many hosts not on the public netblock. A very interesting tool to say the least. Works on both Nix and Windows based systems. Get it now!

Download SubScan v1.2

Search GulfTech
You can use the form below to search our site. Just enter the keyword or keywords to search.
Latest Advisories
Gentoo Linux Security Advisory - Cfengine (GLSA 200408-08)
Microsoft Security Bulletin Summary for August 2004
Microsoft Security Bulletin Re-Releases, August 2004
Slackware Security Advisory - sox (SSA:2004-223-03)
Slackware Security Advisory - imagemagick (SSA:2004-223-02)
Latest Vulnerabilities
TypePad Cross Site Scripting Vulnerability
AOL Instant Messenger aim:goaway URI Handler Buffer Overflow Vulnerability
Moodle post.php Cross Site Scripting Vulnerability
Page.cgi Remote Command Execution Vulnerability
Opera 7.53 Multiple Vulnerabilities
Latest Security News
Top 10 security modifications in Windows XP SP 2
Enhancing the enhanced security
Microsoft plugs hole in Exchange
How to bypass Active Directory controls
'Critical security hole' found in AOL IM

phpBugTracker Vulnerabilities
April 14, 2022

Vendor : Benjamin Curtis
Version : phpBugTracker 0.9.1
Risk : Multiple Vulnerabilities

phpBugTracker is meant to be a replacement for Bugzilla (one day). It's not quite there yet, but we're working on it. This project grew out of the frustrations I experienced in installing and using bugzilla. Those frustrations inspired my design goals: Simplicity in use and installation, Use templates to achieve presentation independence, Use a database abstraction layer to achieve database independence So this project will hopefully become a portable and powerful web-based bug tracking system.

SQL Injection:
phpBugTracker is prone to SQL Injection in several files. Some are not so dangerous, and others I would consider a pretty high risk. Lets look at the user.php for example to start off with.
$db->query("delete from ".TBL_BUG_VOTE." where user_id = $u and bug_id = $bug_id");
As we can see from that line of code taken from about line 30 of user.php it is clear that the $bug_id variable is passed into the query with no type of validation at all. Next lets have us a look at the bugs.php file. Around line 27 we will see the start of the vote_view() function. It too is vulnerable to SQL Injection attacks.
/// View the votes for a bug
function vote_view($bug_id) {
	global $u, $db, $t, $STRING;
	$t->assign('votes', $db->getAll('select login, v.created_date '.
		'from '.TBL_AUTH_USER.' u, '.TBL_BUG_VOTE." v ".
		"where u.user_id = v.user_id and bug_id = $bug_id ".
		'order by v.created_date'));
	$t->wrap('bugvotes.html', 'bugvotes');
This same type of SQL Injection vulnerability also resides in the vote_bug() function in bugs.php. It is the same thing really, the $bug_id variable is passed to the query unchecked. Now for query.php which has many problems with not validating input. Even more so than the previously mentioned files. First we see a problem in the delete_saved_query() function. Around line 27. Once again there is no input validation at all. Look at the $queryid variable.
function delete_saved_query($queryid) {
	global $db, $u, $me, $_gv;
	$db->query("delete from ".TBL_SAVED_QUERY." where user_id = $u
		and saved_query_id = $queryid");
	if (!empty($_gv['form']) and $_gv['form'] == 'advanced') {
		header("Location: $me?op=query&form;=advanced");
	} else {
		header("Location: $me?op=query");
There are also other SQL Injection issues in the query.php file. Namely with search queries, and the way they are sorted, or rather the sort method and the order are called from the GET parameters with no validation. Examples below


Cross Site Scripting:
There are a number of XSS (Cross Site Scripting) issues in phpBugTracker. And a good number of them result from the way phpBugTracker handles the output of error messages. For example, lets say an attacker is not knowledgeable in SQL, but he is still up to no good. he can easily use the previously mentioned SQL vulns, cause an error, and inject script or the like into the url thus causing whatever actions he likes to be taken. Below are some example requests.


Script Injection:
There is a problem with input not being validated when a user adds a bug to the phpBugTracker database. An attacker can use this problem to inject code into the fields when adding a bug, and then that code will be ran in the browser of anyone who views the particular bug.

frog-m@n from was kind enough to supply a fix for these issues :) The fix can be downloaded from the following link.;=169

The developers of phpBugTracker were contacted weeks ago and are believed to be in the process of supplying a fix for these issues.

Credits go to JeiAr of the GulfTech Security Research Team.

© Copyright 2002 - GulfTech Computers, All Rights Reserved
Contact GulfTech Computers