lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-Id: <200607212200.k6LM01bC018289@faron.mitre.org>
Date: Fri, 21 Jul 2006 18:00:01 -0400 (EDT)
From: "Steven M. Christey" <coley@...re.org>
To: info@...tor.ca
Cc: bugtraq@...urityfocus.com
Subject: Re: ATutor 1.5.3 Cross Site Scripting


>The mentioned SQL injection vulnerability is not possible. Please
>remove it.

Could you explain this further?

In 1.5.3, edit_forum() in forums.inc.php has the following:

	$sql	= "UPDATE ".TABLE_PREFIX."forums SET title='$_POST[title]', description='$_POST[body]' WHERE forum_id=$_POST[fid]";
	$result = mysql_query($sql,$db);

where is appears that $_POST[fid] is directly inserted into the SQL
query.

In 1.5.3.1, a new statement has been added to the same function, just
before the two statements above:

	$_POST['fid']    = intval($_POST['fid']);

This looks like cleansing that would be relevant for SQL injection.


For those who were wondering, both $_POST['title'] and $_POST['body']
are re-set using addslashes:

  $_POST['title']  = $addslashes($_POST['title']);
  $_POST['body']   = $addslashes($_POST['body']);


- Steve

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ