Message-ID: <20051213235206.29613.qmail@securityfocus.com>
Date: 13 Dec 2005 23:52:06 -0000
From: grudge@...urityfocus.com, simplemachines@...urityfocus.com,
	org@...urityfocus.com
To: bugtraq@...urityfocus.com
Subject: Re: Re: Re: [KAPDA::#16] - SMF SQL Injection


Remember, SMF only shows database syntax errors to administrators anyway, so they would not even see the query string itself. All the average user trying this gets is "A database error has occured".

Either way, SecurityFocus have kindly removed the advisory, so we're happy.

[quote]
mphhh, correct...
the only problem I see is path disclosure, 'cause you can inject only a one char string:

http://[target]/smfrc1/index.php?action=mlist;sort=realName;start=\;desc

query becomes:

SELECT COUNT(ID_MEMBER) FROM smf_members WHERE LOWER(SUBSTRING(realName, 1, 1)) < '\' AND is_activated = 1

and on screen, you have:

Errore di sintassi nella query SQL vicino a ''\'
AND is_activated = 1' linea 3
File: [full_application_path]Memberlist.php
Line: 162

but I think you cannot inject commands...
[/quote]
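
Added example, not part of the original message and not SMF's code: it rebuilds the query quoted above and scans it with MySQL's default string-literal rules to show why a lone backslash in `start` yields only a syntax error, then compares escaping and single-letter validation. The function names, the simplified escaper and the validation rule are assumptions made for illustration.

```python
import re

# Query shape as quoted in the message (table and column names from there).
TEMPLATE = ("SELECT COUNT(ID_MEMBER) FROM smf_members "
            "WHERE LOWER(SUBSTRING(realName, 1, 1)) < '{}' AND is_activated = 1")

def literals_balanced(sql):
    """Scan single-quoted literals as MySQL does by default: a backslash
    escapes the next character and '' is a quote inside the literal.
    Returns True when every literal is closed by the end of the query."""
    in_str, i = False, 0
    while i < len(sql):
        c = sql[i]
        if in_str:
            if c == "\\":                 # escape: skip the next character
                i += 2
                continue
            if c == "'":
                if sql[i + 1:i + 2] == "'":   # doubled quote stays inside
                    i += 2
                    continue
                in_str = False
        elif c == "'":
            in_str = True
        i += 1
    return not in_str

def escape_mysql(value):
    # Simplified escaper (assumption): backslash and single quote only.
    # A real driver's escaping also covers NUL, newlines and double quotes.
    return value.replace("\\", "\\\\").replace("'", "\\'")

def build_unsafe(start):
    return TEMPLATE.format(start)         # value pasted in unchanged

def build_escaped(start):
    return TEMPLATE.format(escape_mysql(start))

def build_validated(start):
    # Hypothetical hardening: the parameter is a letter index, so accept
    # exactly one ASCII letter and reject everything else before any SQL.
    if not re.fullmatch(r"[A-Za-z]", start):
        return None
    return TEMPLATE.format(start.lower())

if __name__ == "__main__":
    for name, q in (("unsafe", build_unsafe("\\")),
                    ("escaped", build_escaped("\\")),
                    ("validated", build_validated("\\"))):
        print(name, q, None if q is None else literals_balanced(q))
```

With the backslash pasted in unchanged, the closing quote is consumed as an escaped character and the literal runs to the end of the query, which is the syntax error shown in the quoted output; the path in that error message is a separate matter of error display settings.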

