AChecker 1.2 Multiple Error-Based SQL Injection vulnerabilities

Title: AChecker 1.2 Multiple Error-Based SQL Injection vulnerabilities
Advisory ID: ZSL-2011-5034
Type: Local/Remote
Impact: Exposure of System Information, Exposure of Sensitive Information, Manipulation of Data
Risk: (3/5)
Release Date: 06.08.2011
Summary
AChecker is an open source Web accessibility evaluation tool. It can be used to review the accessibility of Web pages against a variety of international accessibility guidelines.
Description
Input passed via the 'myown_patch_id' parameter in the '/updater/patch_edit.php' script and the 'id' parameter in the '/user/user_create_edit.php' script is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

--------------------------------------------------------------------------------

/updater/patch_edit.php (lines 20-37)
----------------
if (!isset($_REQUEST["myown_patch_id"]))
{
    $msg->addError('NO_ITEM_SELECTED');
    exit;
}

$myown_patch_id = $_REQUEST["myown_patch_id"];

$myownPatchesDAO = new MyownPatchesDAO();
$myownPatchesDependentDAO = new MyownPatchesDependentDAO();
$myownPatchesFilesDAO = new MyownPatchesFilesDAO();

// URL called by form action
$savant->assign('url', dirname($_SERVER['PHP_SELF']) . "/patch_creator.php?myown_patch_id=" . $myown_patch_id);

$savant->assign('patch_row', $myownPatchesDAO->getByID($myown_patch_id));
$savant->assign('dependent_rows', $myownPatchesDependentDAO->getByPatchID($myown_patch_id));
$savant->assign('file_rows', $myownPatchesFilesDAO->getByPatchID($myown_patch_id));

/user/user_create_edit.php (lines 103-109)
----------------
if (isset($_GET['id'])) // edit existing user
{
    $usersDAO = new UsersDAO();
    $savant->assign('user_row', $usersDAO->getUserByID($_GET['id']));
    $savant->assign('show_password', false);

}
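Both reported parameters are numeric record ids that reach the DAO untouched, so the remediation is to validate them before the DAO call and to bind them in the query instead of concatenating. The following is an added illustration of that hardening, not AChecker's own code: the body of the "vulnerable" function is an assumed reconstruction of the concatenation pattern, and the table name 'myown_patches' and the mysqli connection '$db' are assumptions.

```php
<?php
// Added example, not AChecker code. Assumes $db is a mysqli connection and
// that patches live in a table named myown_patches (both assumptions).

// Assumed vulnerable pattern: the raw request value is interpolated into the
// SQL text, so a quote in myown_patch_id breaks the statement and the database
// error message is what gets exposed (error-based injection).
function getByIDVulnerable(mysqli $db, $patchId)
{
    $sql = "SELECT * FROM myown_patches WHERE myown_patch_id = " . $patchId;
    return $db->query($sql);
}

// Accept only a canonical positive decimal integer; anything else (quotes,
// spaces, comments) is rejected before it can reach the SQL parser.
function requireIntId($value)
{
    if (!is_string($value) && !is_int($value)) {
        return null;
    }
    if (!preg_match('/^[1-9][0-9]*$/', (string) $value)) {
        return null;
    }
    return (int) $value;
}

// Hardened lookup: validated id, bound as an integer parameter.
function getByIDSafe(mysqli $db, $patchId)
{
    $id = requireIntId($patchId);
    if ($id === null) {
        return false; // caller reports NO_ITEM_SELECTED, no SQL error is produced
    }
    $stmt = $db->prepare("SELECT * FROM myown_patches WHERE myown_patch_id = ?");
    $stmt->bind_param('i', $id);
    $stmt->execute();
    return $stmt->get_result();
}

// Controller-side check matching the existing NO_ITEM_SELECTED handling in
// patch_edit.php: reject non-numeric ids before any DAO method is called.
if (!isset($_REQUEST['myown_patch_id'])
    || requireIntId($_REQUEST['myown_patch_id']) === null) {
    $msg->addError('NO_ITEM_SELECTED');
    exit;
}
$myown_patch_id = (int) $_REQUEST['myown_patch_id'];
```

The same integer check applies to the 'id' parameter in user_create_edit.php; suppressing raw database error output in production additionally removes the error channel this class of injection relies on.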

--------------------------------------------------------------------------------

Vendor
ATutor (Inclusive Design Institute) - http://www.atutor.ca
Affected Version
1.2 (build r530)
Tested On
Microsoft Windows XP Professional SP3 (EN)
Apache 2.2.14 (Win32)
PHP 5.3.1
MySQL 5.1.41
Vendor Status
[03.08.2011] Submitted vulnerability details to vendor's bug tracking system.
[05.08.2011] No reaction from vendor.
[06.08.2011] Public security advisory released.
[15.11.2011] Vendor releases fix.
PoC
achecker_sqli.txt
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] http://atutor.ca/atutor/mantis/view.php?id=4803
[2] http://www.exploit-db.com/exploits/17630/
[3] http://securityreason.com/wlb_show/WLB-2011080044
[4] http://packetstormsecurity.org/files/103762
[5] http://www.securityfocus.com/bid/49061
[6] http://secunia.com/advisories/45559/
[7] http://xforce.iss.net/xforce/xfdb/69089
[8] http://osvdb.org/show/osvdb/74413
[9] http://osvdb.org/show/osvdb/74414
Changelog
[06.08.2011] - Initial release
[08.08.2011] - Added references [4] and [5]
[09.08.2011] - Added reference [6]
[11.08.2011] - Added references [7], [8] and [9]
[15.11.2011] - Added vendor status
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk