lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <67e8180e9acf8c17d6aa5721dc1cecff.hackers@hackers.ir>
Date: Sat, 02 Sep 2006 01:10:32 +0430
From: "Omid" <omid@...kers.ir>
To: <bugtraq@...urityfocus.com>
Subject: Sql injections in e107 [Admin section]

Hi,
There are several sql injections in e107 0.7.5 admin section :

I) The "linkopentype", "linkrender" and "link_class" parameters are passed
to "db_Insert()" function without checking :

File /e107_admin/links.php, Line 496 :
>> $sql->db_Insert("links", "0, '$link_name', '$link_url', '$link_description', '$link_button', ".$_POST['linkrender'].", ".($link_t+1).", ".$parent_id.", ".$_POST['linkopentype'].", ".$_POST['link_class']);


II) The "linkopentype", "linkrender", "link_class" and "link_id" parameters
are passed to "db_Update()" and "db_Select()" functions without checking :

File /e107_admin/links.php, Line 480 :
>> $sql->db_Update("links", "link_parent='$parent_id', link_name='$link_name', link_url='$link_url', link_description='$link_description', link_button= '$link_button', link_category='".$_POST['linkrender']."', link_open='".$_POST['linkopentype']."', link_class='".$_POST['link_class']."' WHERE link_id='$id'");

File /e107_admin/links.php, Line 482 :
>> if($sql->db_Select("links", "*", "link_parent='{$id}'"))

POC :
-----
Go to "Admin" -> "Site Links" -> "Edit" section 
(/e107_admin/links.php?create.edit.1), and change the values of
"linkopentype", "linkrender", "link_class" and "link_id" inputs.


III) The "searchquery" parameter in file /e107_admin/users.php, line 448
is not checked against sql injection :
>> $_POST['searchquery'] = trim($_POST['searchquery']);
Which make the next query vulnerable .

POC :
-----
Go to users admin section (/e107_admin/users.php), and search for "1' SQL" .


IV) The "download_category_class" parameter is not checked properly before
using in the insert query :

File /e107_admin/download.php, Line 1320 :
>> admin_update($sql->db_Insert("download_category", "0, '$download_category_name', '$download_category_description', '$download_category_icon', '".intval($_POST['download_category_parent'])."', '".$_POST['download_category_class']."', 0 "), 'insert', DOWLAN_47);

These are in administration section, so they dont seem to be critical.


- Omid

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ