I discovered 5 SQL injection vulnerabilities in PvPGN Stats version 2.4.6.
There is not a patch available at the time of this posting because the code is using functions which are deprecated and will require a complete rewrite. Would not recommend using this utility until a new version is released fixing these vulnerabilities.
I wouldn’t recommend for anyone to host this utility in its current state.
Current SQL handler classes do not filter database queries, allowing SQL injection vulnerabilities An attacker can obtain full access to PvPGN database including all emails, usernames, and passwords (easy to crack XSHA1) In addition to the SQL injection vulnerabilities, the mysql_* database functions have been removed from PHP7 in favor of MySQLi and PDO, so it won’t run on new OS installs, for example Debian 9.
Both issues can be fixed by updating the code to use PDO. I began working on a patch but didn’t finish it yet, hopefully someone else who is more familiar with PHP can upgrade the util.
SQL Injection Vulnerable Parameters:
POST /ladder/stats.php?action=search HTTP/1.1 game=W2BN&type=team&user_search=[INJECT]&x=1&y=10
CVE-2017-18288, CVE-2017-18289, CVE-2017-18290:
GET /ladder/stats.php?game=[INJECT]&type=[INJECT]&sortBy=username&sort_direction=[INJECT] HTTP/1.1
GET /ladder/stats.php?game=W2BN&type=1&user=[INJECT] HTTP/1.1