lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <Pine.LNX.4.21.0509160039510.29826-100000@laura.nettrade.de>
Date: Fri, 16 Sep 2005 00:44:38 +0200 (MEST)
From: Matthias Jim Knopf <jim@...rs.de>
To: Paul Laudanski <zx@...tlecops.com>
Cc: r.verton@...il.com, bugtraq@...urityfocus.com,
	bugs@...uritytracker.com, moderators@...db.org, news@...uriteam.com,
	vuln@...unia.com
Subject: Re: PHP Nuke <= 7.8 Multiple SQL Injections


What do you gain from that? In what way would you think your advice did
ANYTHING GOOD?
You did neither issue a "addslashes()" as appropriate for SQL-commands, 
nor did you explain, why a variable set by a POST or a COOKIE could be
worse than anything you could give any URL by appending '?name=...' or
'&name=...' (->GET vars)

Greetings, Matthias "jim" Knopf
-- 
GPG/PGP encrypted mails welcome!
Windose Milenium Bug

> > PHP Nuke 7.8 is prone to multiple SQL injection vulnerabilities.
> > These issues are due to a failure in the application to properly sanitize user-supplied input before using it in SQL queries.
> > 
> > In the modules.php
> > 
> > $result = $db->sql_query("SELECT active, view FROM ".$prefix."_modules WHERE title='$name'");
> > 
> > The $name variable is not checked so you could inject malicious SQL Code. In an file which is included whe have the following code:
[...]
> The $name variable and others like $sid are expected via $_GET and not 
> $_POST.  The proper start to sanitizing the data here is to ensure that 
> $name is obtained via $_GET and not injected by $_POST, $_COOKIE, or 
> anything else.
[...]
> To be specific, find the modules.php file and check for the first instance 
> of "$name".  An example:
> 
> "if (isset($name)) {"
> 
> Prior to that, simply put in such a line:
> 
> $name = $_GET['name'];

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ