lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <d3b783f73a22895a6407774902405520.hackers@hackers.ir>
Date: Sun, 10 Sep 2006 13:37:28 +0430
From: "Omid" <omid@...kers.ir>
To: <bugtraq@...urityfocus.com>
Subject: Sql injection in Tikiwiki

Hi,
There are 2 sql injections in Tikiwiki 1.9.4 (and maybe before versions) :

I) There is a call to "get_process()" function in "tiki-g-admin_processes.php"
file, without checking "pid" parameter :

File /tiki-g-admin_processes.php, Line 35 :
:: $info = $processManager->get_process($_REQUEST["pid"]);

Lets take a look at the "get_process()" function :
File /lib/Galaxia/src/ProcessManager/ProcessManager.php, Line 419 :
::  function get_process($pId)
::  {
>>    $query = "select * from ".GALAXIA_TABLE_PREFIX."processes where pId=$pId";
::    $result = $this->query($query);
::    if(!$result->numRows()) return false;
::    $res = $result->fetchRow();
::    return $res;
::  }


II) The "where" parameter in "tiki-g-admin_processes.php" file, is not
checked properly :

File /tiki-g-admin_processes.php, Line 155 :
:: if (isset($_REQUEST['where'])) {
>> 	$where = $_REQUEST['where'];
:: }

File /tiki-g-admin_processes.php, Line 183 :
:: $items = $processManager->list_processes($offset, $maxRecords, $sort_mode, $find, $where);

File /lib/Galaxia/src/ProcessManager/ProcessManager.php, Line 442 :
::    if($where) {
::      if($mid) {
::        $mid.= " and ($where) ";
::      } else {
>>        $mid.= " where ($where) ";
::      }
::    }
>>    $query = "select * from ".GALAXIA_TABLE_PREFIX."processes $mid order by $sort_mode";
::    $query_cant = "select count(*) from ".GALAXIA_TABLE_PREFIX."processes $mid";
::    $result = $this->query($query,$bindvars,$maxRecords,$offset);

The original advisory (in Persian) is located at :
http://www.hackers.ir/advisories/tikiwiki.html


- Omid

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ