Latest and previous versions of the script are impacted

Apr 6, 2015 09:26 GMT  ·  By

An SQL injection vulnerability has been discovered in phpSFP, a platform for scheduling different types of posts on Facebook; it gives a malicious actor a way to extract the log-in credentials of the administrators.

phpSFP is a PHP script that can be added to websites for managing content shared on Facebook pages and groups. Its functions permit sending messages, advertisements, event news and other content. All posts benefit from a preview before they go live on the social network.

Proof-of-concept publicly released

Security researcher Pichaya Morimoto has found that the scheduling tool is susceptible to SQL injection, a class of attack against web applications that can let an attacker read sensitive information from the application's database.

The flaw lies in the “remember me” function of the log-in form: the remembered authentication value is placed into an SQL query without proper parameterization or escaping.

Morimoto explains that the flaw exists in the current version (1.5.6) of phpSFP, and he provides details about the weakness in a post on the Full Disclosure mailing list.

“The bug itself is quite interesting... the author did well in the login function but failed to parameterize/escape the SQL query in the 'remember me' function in the authentication phase,” the researcher says.

He also made available proof-of-concept code that demonstrates the flaw for both the current version of the script and an earlier one (1.4.1), which is distributed on underground forums.
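As an added illustration (not phpSFP's own code, and not the researcher's proof of concept, which this page does not reproduce), the following Python script models the pattern described above: a parameterized login check beside a "remember me" lookup that splices the cookie value straight into the query, and the same lookup rewritten with a bound parameter. The table and column names, the sample accounts, the cookie format and the crafted cookie value are all assumptions made for the demonstration; an in-memory SQLite database stands in for the real one.

```python
import hashlib
import sqlite3

# Constructed sample accounts: (username, password, remember-me token).
# Not phpSFP's schema or real data; assumed for this demonstration only.
SAMPLE_USERS = [
    ("admin", "S3cret-Admin", "a1b2c3d4e5f6"),
    ("editor", "editor-pass", "f6e5d4c3b2a1"),
]


def hash_password(password):
    # Illustration only: a real application should use bcrypt/argon2,
    # but the injection below does not depend on the hash algorithm.
    return hashlib.sha256(password.encode()).hexdigest()


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users ("
        "username TEXT PRIMARY KEY, password_hash TEXT, remember_token TEXT)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(u, hash_password(p), t) for u, p, t in SAMPLE_USERS],
    )
    return conn


def login(conn, username, password):
    # The "done well" path: both values are bound parameters, so a quote
    # in the username or password is just data.
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password_hash = ?",
        (username, hash_password(password)),
    ).fetchone()
    return row[0] if row else None


def remember_me_vulnerable(conn, cookie_value):
    # The flawed path: the cookie value is concatenated into the SQL text,
    # so anything the browser sends becomes part of the query.
    sql = ("SELECT username FROM users WHERE remember_token = '"
           + cookie_value + "'")
    return [r[0] for r in conn.execute(sql).fetchall()]


def remember_me_fixed(conn, cookie_value):
    # Hardened form: same query, cookie value passed as a bound parameter.
    rows = conn.execute(
        "SELECT username FROM users WHERE remember_token = ?",
        (cookie_value,),
    ).fetchall()
    return [r[0] for r in rows]


# Crafted cookie (assumed payload): closes the string literal, UNIONs in a
# SELECT that returns every account's username and password hash, and
# comments out the closing quote the application appends.
MALICIOUS_COOKIE = (
    "' UNION SELECT username || ':' || password_hash FROM users -- "
)


def demo():
    conn = build_db()
    legit = remember_me_vulnerable(conn, "a1b2c3d4e5f6")
    leaked = sorted(remember_me_vulnerable(conn, MALICIOUS_COOKIE))
    blocked = remember_me_fixed(conn, MALICIOUS_COOKIE)
    return legit, leaked, blocked


if __name__ == "__main__":
    legit, leaked, blocked = demo()
    print("valid token, vulnerable lookup   ->", legit)
    print("crafted cookie, vulnerable lookup ->", leaked)
    print("crafted cookie, parameterized     ->", blocked)
```

With the crafted cookie the vulnerable lookup returns one `username:password_hash` row per account, which is exactly the "extract the log-in credentials" outcome the article describes; the parameterized version returns nothing because the whole cookie is compared as a literal token. The lesson the researcher's quote points at is that every query touching request-controlled input, including the ones on secondary paths such as cookie-based re-authentication, needs the same treatment as the main login query.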

Script is also popular among spammers

The price for a regular phpSFP license is $14 / €13, while an extended license costs $70 / €64. The difference is that the extended license allows the buyer to charge the platform's end users.

On the Codecanyon script and code marketplace, it is listed with almost 1,200 sales and a rating of 4.7 out of five. Its popularity is not reflected in these numbers alone, as a cracked version is often used by scammers to publish spam and other types of deceitful content on Facebook.

Image: Scheduling a Facebook post via phpSFP script

Image: Queue for scheduled posts in demo of phpSFP