Date: 11 Dec 2005 12:29:17 -0000
From: polnby@...oo.com
To: bugtraq@...urityfocus.com
Subject: Re: Re: [KAPDA::#16] - SMF SQL Injection


Take a better look at your 'Memberlist.php' source code.

// Select the members from the database.
	$request = db_query("
		SELECT mem.ID_MEMBER
		FROM {$db_prefix}members AS mem
			LEFT JOIN {$db_prefix}log_online AS lo ON (lo.ID_MEMBER = mem.ID_MEMBER)
			LEFT JOIN {$db_prefix}membergroups AS mg ON (mg.ID_GROUP = IF(mem.ID_GROUP = 0, mem.ID_POST_GROUP, mem.ID_GROUP))
		WHERE mem.is_activated = 1
		ORDER BY " . $sort_methods[$_REQUEST['sort']][$context['sort_direction']] . "
		LIMIT $_REQUEST[start], $modSettings[defaultMaxMembers]", __FILE__, __LINE__);
	printMemberListRows($request);
	mysql_free_result($request);
----------------------

// Find the members from the database.
		// !!!SLOW This query is slow.
		$request = db_query("
			SELECT mem.ID_MEMBER
			FROM {$db_prefix}members AS mem
				LEFT JOIN {$db_prefix}log_online AS lo ON (lo.ID_MEMBER = mem.ID_MEMBER)
				LEFT JOIN {$db_prefix}membergroups AS mg ON (mg.ID_GROUP = IF(mem.ID_GROUP = 0, mem.ID_POST_GROUP, mem.ID_GROUP))
			WHERE " . implode(" $query OR ", $fields) . " $query$condition
				AND is_activated = 1
			LIMIT $_REQUEST[start], $modSettings[defaultMaxMembers]", __FILE__, __LINE__);
		printMemberListRows($request);
		mysql_free_result($request);
----------------------

Isn't it possible for an attacker to modify the query logic?
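
Both quoted queries place request values (`$_REQUEST[start]`, and `$_REQUEST['sort']` as an array index) directly into the SQL text. The PHP below is an added example, not part of the original message and not SMF's own code: it shows those two values constrained before they reach the query string. The function name, sort table, column names and limits are hypothetical.

```php
<?php
// Added example, not SMF code. The sort table, column names and limits
// below are constructed for illustration.
const SORT_METHODS = [
    'realName'   => ['up' => 'mem.realName ASC',       'down' => 'mem.realName DESC'],
    'registered' => ['up' => 'mem.dateRegistered ASC', 'down' => 'mem.dateRegistered DESC'],
];

function memberlist_order_limit(array $request, int $pageSize): string
{
    // Sort key: accept only keys present in the allow-list, so the value
    // can never become an undefined index or free-form SQL.
    $sort = $request['sort'] ?? 'realName';
    if (!is_string($sort) || !array_key_exists($sort, SORT_METHODS)) {
        $sort = 'realName';
    }
    $dir = isset($request['desc']) ? 'down' : 'up';

    // Offset: must parse as a whole non-negative integer; strings with
    // trailing text and array-valued parameters are rejected.
    $raw = $request['start'] ?? 0;
    $start = is_scalar($raw)
        ? filter_var($raw, FILTER_VALIDATE_INT,
            ['options' => ['min_range' => 0, 'max_range' => 10000000]])
        : false;
    if ($start === false) {
        $start = 0;
    }

    // Page size is server configuration, but clamp it anyway.
    $pageSize = max(1, min($pageSize, 200));

    // %d formats integers only; the ORDER BY text comes from the constant table.
    return sprintf('ORDER BY %s LIMIT %d, %d', SORT_METHODS[$sort][$dir], $start, $pageSize);
}

// Constructed request arrays standing in for $_REQUEST.
$samples = [
    ['sort' => 'registered', 'desc' => '', 'start' => '60'],
    ['sort' => 'no_such_column', 'start' => '60 trailing text'],
    ['start' => ['nested']],
];
foreach ($samples as $request) {
    echo memberlist_order_limit($request, 30), PHP_EOL;
}
```

The search terms in the second query (`$query`, `$condition`, `$fields`) are not covered here; where those are built is not shown in the quoted code.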

