Open Source and information security mailing list archives
 
Message-ID: <20050308220554.542ac1c2@xaero.tvpro.net>
Date: Tue, 8 Mar 2005 22:05:54 +0300
From: kreon <kre0n@...l.ru>
To: bugtraq@...urityfocus.com
Subject: Wfsection 1.07 vulnerabilities


Program: wfsections
Version: 1.07
Bug Type: SQL Injection
Bug Description:
=================================
In file class/wfsfiles.php, we can see this function:
//START
function getAllbyArticle($articleid) {
	$db =& Database::getInstance();
	$table = $db->prefix("wfs_files");
	$ret = array();
	$sql = "SELECT * FROM ".$table." WHERE articleid=".$articleid."";
	$result = $db->query($sql);
	while( $myrow = $db->fetchArray($result) ){
		$ret[] = new WfsFiles($myrow);
	}
	return $ret;
}
//END
The $articleid parameter is inserted into the SQL query without any
checks, so SQL injection is possible. Example:
http://[path]/[folder]/article.php?articleid=1[SQL code, like OR 1=1]
Patch: replace string
$sql = "SELECT * FROM ".$table." WHERE articleid=".$articleid."";
With string
$sql = "SELECT * FROM ".$table." WHERE articleid=".intval($articleid)."";
=================================
Contact:
      // irc: #adz @ irc.quakenet.org
ADZ Security Team // http://adz.void.ru
=================================

