Date: 6 Aug 2005 23:58:53 -0000
From: svt@....nukleon.us
To: bugtraq@...urityfocus.com
Subject: [SVadvisory#13] - SQL injection in MYFAQ 1.0


SVadvisory#13
*******************************
  title: SQL injection             
product: MYFAQ            
version: V1.0                  
   site: http://vpontier.free.fr/
*******************************
=====================================================================================
Vulnerability
==============

1) affichagefaq.php3 Code:
--------------------------
   <?php 
     ....
    
        $Requete = "SELECT LIBELLE FROM THEMES WHERE ID_THEME = $Theme";
        $Liste = mysql_db_query($Base,$Requete);
        $Ret = mysql_fetch_array($Liste);
     
     ....
    
        $Requete = "SELECT LIBELLE FROM SOUSTHEMES WHERE ID_SOUSTHEME = $SousTheme";
        $Liste = mysql_db_query($Base,$Requete);
        $Ret = mysql_fetch_array($Liste);

     ....

        $Requete="SELECT * FROM SOLUTIONS WHERE ID_FAQ = $Question";
        $Liste = mysql_db_query($Base,$Requete);

   ?>

The variables $Theme, $SousTheme and $Question are not filtered for dangerous 
characters, which can lead to SQL injection.
=======================================================================================
2) choixsoustheme.php3 code:
----------------------------
   <?php
     ....
     
        $Requete = "SELECT * FROM THEMES WHERE ID_THEME = $Theme";
        $TitreTh = mysql_query($Requete,$Connect_MySql);
 
     ....
   ?>

In the same way, in choixsoustheme.php3 the variable $Theme is not filtered 
for dangerous characters, which can lead to SQL injection.
=======================================================================================
3) consultation.php3 code:
--------------------------
   <?php 
     ....

        $Requete = "SELECT * FROM FAQ WHERE ID_THEME = $Theme AND ID_SOUSTHEME = $SousTheme ORDER BY DATECRE;";
        $ListeFaq = mysql_db_query($Base,$Requete);

     ....

        $Requete = "SELECT * FROM THEMES WHERE ID_THEME = $Theme;";
        $TitreTh = mysql_query($Requete,$Connect_MySql);

     ....

        $Requete = "SELECT * FROM SOUSTHEMES WHERE ID_SOUSTHEME = $SousTheme";
        $TitreSTh = mysql_db_query($Base,$Requete);

     ....
    ?>

The variables $Theme and $SousTheme are not filtered for dangerous characters, 
which results in an SQL injection vulnerability.
=======================================================================================
4) inssolution.php3 code:
-------------------------
     <?php 
       ....
       
           $Requete = "SELECT * FROM FAQ WHERE ID_FAQ = $Faq";
           $ResIns = mysql_db_query($Base,$Requete); 
       
       ....
     ?>

The variable $Faq is not filtered for dangerous characters, which results 
in an SQL injection vulnerability.

=======================================================================================
In the same way, in the following files the variables $Theme, $SousTheme and $Faq 
are not filtered for dangerous characters:

  $Theme                   $SousTheme             $Faq
  ------------------      ------------------      ------------------
  insfaq.php3             insfaq.php3             saisiefaq.php3
  inssoustheme.php3       inssoustheme.php3       voirfaq.php3
  instheme.php3           saisiefaq.php3
  saisiefaqtotale.php3    saisiefaqtotale.php3
  saisiesoustheme.php3    voirfaq.php3
  voirfaq.php3
=======================================================================================
Newer versions do not contain these vulnerabilities.
=======================================================================================
Bug found
=========

CENSORED ~ Search Vulnerabilities Team ~ http://svt.nukleon.us
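
Added example (not part of the original advisory and not MYFAQ's own code): a hardened form of the THEMES lookup quoted from affichagefaq.php3, validating the numeric id and binding it as a typed parameter; the same pattern applies to $SousTheme, $Question and $Faq. Assumptions: PDO with an in-memory SQLite database stands in for the MySQL backend, and the function name themeLabel(), the table contents and the sample request values are constructed for illustration.

```php
<?php
// Hardened variant of:
//   "SELECT LIBELLE FROM THEMES WHERE ID_THEME = $Theme"
// Hypothetical helper; PDO/SQLite is an assumption standing in for MySQL.

function themeLabel(PDO $db, $rawTheme): ?string
{
    // 1. Validate: ID_THEME is numeric, so accept only a positive integer.
    $theme = filter_var(
        $rawTheme,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    if ($theme === false) {
        return null; // reject instead of passing the value on to SQL
    }

    // 2. Bind: the value travels as a typed parameter, never as query text.
    $stmt = $db->prepare('SELECT LIBELLE FROM THEMES WHERE ID_THEME = :theme');
    $stmt->bindValue(':theme', $theme, PDO::PARAM_INT);
    $stmt->execute();

    $label = $stmt->fetchColumn();
    return $label === false ? null : $label;
}

// Constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE THEMES (ID_THEME INTEGER PRIMARY KEY, LIBELLE TEXT)');
$db->exec("INSERT INTO THEMES VALUES (1, 'Installation'), (2, 'Configuration')");

// Constructed request values: valid ids, an unknown id, non-numeric input.
$samples = ['1', '2', '99', '1 OR 1=1', '', "2'"];
foreach ($samples as $raw) {
    $label = themeLabel($db, $raw);
    printf(
        "%-12s => %s\n",
        var_export($raw, true),
        $label === null ? 'rejected / not found' : $label
    );
}
```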

