Message-ID: <47FBDF4D.7090002@keamera.org>
Date: Tue, 08 Apr 2008 23:10:37 +0200
From: lists <lists@...mera.org>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Pligg 9.9.0 editlink.php SQL Injection Vulnerability

While writing a little patch I found many other problems: variables are
simply not checked or checked in the very wrong way.


- This is the case of my previous mail, editlink.php:

if(isset($_GET['id'])){
        $theid = strip_tags($_GET['id']);
}
if(isset($_POST['id'])){
        $theid = strip_tags($_POST['id']);

}
[...]
$link = $db->get_row("SELECT link_id, link_author FROM " . table_links . " WHERE link_id=".$theid.";")
[...]
$linkres->id=$link_id = strip_tags($_POST['id']);
$linkres->read();              


libs/link.php:

function read($usecache = TRUE) {
 $id = $this->id;
 $link = $db->get_row("SELECT " . table_links . ".* FROM " . table_links . " WHERE link_id = $id");
}



- Another one, vote.php:

$link->id=$_POST['id'];
$link->read_basic();


link/link.php:

$id = $this->id;
$db->get_row("SELECT link_comments, link_author, link_status, link_randkey, link_category, link_date, link_votes, link_karma, link_published_date FROM " . table_links . " WHERE link_id = $id")


..and so on.
