lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <201207061409.q66E9HWo004806@sf01web3.securityfocus.com>
Date: Fri, 6 Jul 2012 14:09:17 GMT
From: pereira@...biz.de
To: bugtraq@...urityfocus.com
Subject: BookNux 0.2 <= Multiple Vulnerabilities

#################################################
BookNux 0.2 <= Multiple Vulnerabilities
#################################################
 
Discovered by: Jean Pascal Pereira <pereira@...biz.de>
 
Vendor information:
 
"Commentics is a free, advanced PHP comment script with many features.
Professionally written and with open source code, its main aims are to be integrable, customizable and secure."
 
Vendor URI: http://www.commentics.org/
 
#################################################
 
Issues: SQL Injection, Cross Site Scripting
 
Risk-level: High
 
-------------------------------------
 
1. SQL Injection:

cat.php, line 70:
  
  $lnsql="SELECT NCategorie, LibCategorie, PriveCategorie, NCategorieMereCategorieX FROM categorie WHERE IdUtilisateurCategorieX='$idutilisateur' AND NCategorie=".$_GET['CatMere'];

cat.php, line 75:

  $lnsql="SELECT NCategorie,LibCategorie,NCategorieMereCategorieX, PriveCategorie FROM categorie WHERE IdUtilisateurCategorieX='$idutilisateur' AND NCategorieMereCategorieX=".$_GET['CatMere']." ORDER BY LibCategorie";

cat.php, line 92:

  $lnsql="SELECT LibCategorie, NCategorieMereCategorieX, PriveCategorie FROM categorie WHERE IdUtilisateurCategorieX='$idutilisateur' AND NCategorie=".$_GET['NCat'];

cat.php, line 117:

  $lnsql="SELECT NCategorie, LibCategorie FROM categorie WHERE IdUtilisateurCategorieX='$idutilisateur' AND NCategorie<>".$_GET['NCat'];

compte.php, line 152:

  $lnsql="SELECT PseudoUtilisateur, MotDePasseUtilisateur, IdUtilisateur FROM utilisateur WHERE IdUtilisateur='".$_GET['Compte']."'";

liens.php, line 108: 

  $lnsql="SELECT NLiens,LibLiens, UrlLiens, IdCategorieLiensX, CommentaireLiens, PriveLiens, LibCategorie, LangueLiens FROM liens, categorie WHERE IdCategorieLiensX=NCategorie AND NLiens=".$_GET['NLiens'];

liens.php, line 110:

  $lnsql="SELECT NLiens,LibLiens, UrlLiens, IdCategorieLiensX, CommentaireLiens, PriveLiens, LibCategorie, LangueLiens FROM liens, categorie WHERE IdCategorieLiensX=NCategorie AND NLiens=".$_GET['NLiens']." AND IdUtilisateurLiensX='$utilisateurcourant'";

ouvrir.php, line 23:

  $lnsql="SELECT NLiens, UrlLiens FROM liens WHERE NLiens=".$_GET['NLiens']." AND IdUtilisateurLiensX='$utilisateurcourant'";

ouvrir.php, line 25:

  $lnsql="SELECT NLiens, UrlLiens FROM liens WHERE NLiens=".$_GET['NLiens']." AND PriveLiens='N'";
 
-------------------------------------

2. Cross Site Scripting:

cat.php, line 96:

  echo("<input type=\"hidden\" name=\"Act\" value=\"".$_GET['Act']."\">");

cat.php, line 102:

  echo("<input type=\"hidden\" name=\"CatMere\" value=\"".$_GET['CatMere']."\">");

cat.php, line 205:

  echo("<input type=\"hidden\" name=\"ncat\" value=\"".$_GET['NCat']."\">");

liens.php, line 80:

  echo("<input type=\"hidden\" name=\"Methode\" value=\"".$_GET['Methode']."\">");

liens.php, line 86: 

  echo("<tr><td>".$texte['LibLiens']."</td><td><input name=\"libliens\" value=\"".utf8_encode(stripslashes($_GET['Lib']))."\"></td></tr>");

liens.php, line 91:

  echo("<tr><td>".$texte['UrlLiens']."</td><td><input name=\"urlliens\" value=\"".$_GET['Url']."\"></td></tr>");

liens.php, line 119:

  echo("<input type=\"hidden\" name=\"nliens\" value=\"".$_GET['NLiens']."\">");

parcourir.php, line 28: 

  <input name="recherche" value="<?if(isset($_GET['recherche'])){echo(stripslashes($_GET['recherche']));}?>">

proposerliens.php, line 39:

  echo("<input type=\"hidden\" name=\"idcatliens\" value=\"".$_GET['NCat']."\">");
 
-------------------------------------
 
Solution:
 
Do some input validation.
 
-------------------------------------
 
#################################################

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ