Date: 30 Jul 2006 12:57:05 -0000
From: vulnerabilities@...l.ru
To: bugtraq@...urityfocus.com
Subject: SQL injection Seir Anphin v666 Community Management System

CR Advisory#1
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  program: Seir Anphin v666 Community Management System
      bug: SQL injection
home page: www.comeplaydying.com
bug found: 27.07.2006

discovered by CR
www.svt.nukleon.us
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

~! Details !~
============================================================================================
index.php
^^^^^^^^^

[code]
....
if (isset($HTTP_GET_VARS['styleid'])) {
 $styleid = $HTTP_GET_VARS['styleid'];
 $dbr->query("UPDATE {$dbr->p}user_options SET skin=$styleid WHERE userid=$userinfo[userid]");
.....
[/code]

The attacker-controlled value here is $styleid: it is copied straight from $HTTP_GET_VARS['styleid'] and
interpolated, unquoted and unescaped, into the UPDATE statement, so a crafted styleid parameter yields SQL
injection. $userinfo[userid] is interpolated in the same unescaped way; where it comes from is not shown in
this excerpt.


[code]
.....
function loadskin($skinid)
{
   GLOBAL $dbr,$data;

   $dbr->query("SELECT * FROM {$dbr->p}skins WHERE skinid=$skinid");
.....
[/code]

$skinid is interpolated unquoted and unescaped into the SELECT, so loadskin() is injectable whenever a caller
passes it an unvalidated value (the call sites are not shown in this excerpt).
============================================================================================
article.php
^^^^^^^^^^^

[code]
....
if ($this->id != 0) {
		$a['breadcrumbs'] = '';
		$catid = $this->id;
		$c = 1;
		// Walk up the category tree from $catid (seeded from $this->id just above),
		// collecting one breadcrumb per level until the root (parentid 0) or the
		// configured max_crumb_depth is reached.
		while ($c <= getsetting('max_crumb_depth')) {
			if ($catid == 0) break;
			// $catid is interpolated unquoted and unescaped. On the first pass it is
			// $this->id, afterwards the parentid returned by the previous SELECT; if
			// $this->id can be set from a request parameter this is SQL injection.
			$dbr->query("SELECT parentid,name,accesslvl_to_read,accesslvl_to_contribute,archive_mode FROM {$dbr->p}article_categories WHERE catid=$catid");
			$cat = $dbr->getarray();
			// stripslashes() only undoes input escaping on the stored name; it is not
			// output encoding, so the name is still raw when it reaches the template.
			$crumb_array[] = array('id'=>$catid, 'name'=>stripslashes($cat['name']), 'accesslvl_to_read'=>$cat['accesslvl_to_read'], 'accesslvl_to_contribute'=>$cat['accesslvl_to_contribute']);
			// NOTE(review): if the SELECT matched no row, $cat['parentid'] is unset and
			// the loose `$catid == 0` test above ends the loop on the next iteration — confirm.
			$catid = $cat['parentid'];
			$c++;

		}
....
[/code]

$catid is interpolated unquoted and unescaped; on the first iteration it is $this->id, afterwards the parentid
value returned by the previous query. If $this->id can be set from a request parameter, this is SQL injection.


[code]
....
// Bulk re-order of article pages from the posted 'orders' map (pageid => displayorder).
foreach ($HTTP_POST_VARS['orders'] as $pageid=>$displayorder) {
			// Ensure, at this level, that user has admin, editor or author permission to do this.
			$pass = FALSE;
			if (isadmin() || iseditor()) $pass = TRUE;
			// Both lookups run before $pass is consulted, so $pageid (a POST array key that
			// is never validated) is interpolated unquoted and unescaped for every caller
			// that reaches this loop, not only admins/editors/authors. $articleid is whatever
			// the first query returned and is re-interpolated unescaped (second-order).
			$articleid = $dbr->result("SELECT articleid FROM {$dbr->p}article_pages WHERE pageid=$pageid");
			$authorid  = $dbr->result("SELECT userid    FROM {$dbr->p}articles      WHERE articleid=$articleid");
			// NOTE(review): loose == comparison — if $dbr->result() yields false/null for a
			// missing row, a session with userid 0 or '' may compare equal; confirm.
			if ($data->vars['user']['userid'] == $authorid) $pass = TRUE;
			// $displayorder is the raw POST value and is interpolated unquoted as well;
			// $pageid is reused here without validation.
			if ($pass) $dbr->query("UPDATE {$dbr->p}article_pages SET displayorder=$displayorder WHERE pageid=$pageid");
		}
....
[/code]

$pageid (the key of the posted orders array) and $articleid (the value the first query returns, reused in the
second) are interpolated unquoted and unescaped, giving SQL injection. Note that both SELECTs execute before
the permission result is consulted, so the $pageid injection does not require admin, editor or author rights;
the posted $displayorder value is interpolated into the UPDATE in the same way.


============================================================================================
blag.php
^^^^^^^^^^^

[code]
.....
// Ownership gate for the blog being acted on.
if ($this->id != 0) {
        // $blogid is not assigned anywhere in this excerpt (the test above uses $this->id);
        // it is interpolated unquoted and unescaped into the lookup.
        $userid = $dbr->result("SELECT userid FROM {$dbr->p}user_blogs WHERE blogid=$blogid");
	// NOTE(review): as written, a non-admin is denied when their userid EQUALS the blog
	// owner's and allowed through otherwise — this reads as inverted (`!=`?); confirm the
	// intended rule. The comparison is loose (==).
	if (!isadmin() && $data->vars['user']['userid'] == $userid) {
		setstatus('access_denied');
		$this->id = $blogid;
		return $this->show();
	}
}
....
[/code]

$blogid is interpolated unquoted and unescaped into the SELECT (the line that assigns it is not shown), so a
crafted blog id yields SQL injection.


[code]
....
// Fetch the post's parent blog and its access flags in one query. $postid is
// interpolated unquoted and unescaped into the WHERE clause; where it is
// assigned is not shown in this excerpt.
$dbr->query("SELECT p.blogid, b.locked, b.allow_comments, b.isprivate, b.userid
	     FROM {$dbr->p}user_blog_posts p
	     LEFT JOIN {$dbr->p}user_blogs b ON b.blogid=p.blogid
	     WHERE p.postid=$postid");
....
[/code]

$postid is interpolated unquoted and unescaped into the WHERE clause, so a crafted post id yields SQL
injection.


============================================================================================
Example proof-of-concept requests (a lone single quote in the parameter should produce a SQL syntax error
wherever the value is interpolated unquoted):
^^^^^^^^^^^
http://www.example.com/index.php?m='
http://www.example.com/index.php?m=member&id='
http://www.example.com/index.php?m=article&id='
http://www.example.com/index.php?m=article&op=read&id='
http://www.example.com/index.php?m=blog&id='
http://www.example.com/index.php?m=blog&op=getpost&id='

============================================================================================
                              CR [ www.svt.nukleon.us ] 2006 г.
