

SQL injection Seir Anphin v666 Community Management System

2006-08-02 00:00:00

CR Advisory#1

  program: Seir Anphin v666 Community Management System
      bug: SQL injection
home page: www.comeplaydying.com
bug found: 27.07.2006

discovered by CR
www.svt.nukleon.us

~! Details !~

index.php
^^^^^^^^^

[code]

if (isset($HTTP_GET_VARS['styleid'])) {
$styleid = $HTTP_GET_VARS['styleid'];
$dbr->query("UPDATE {$dbr->p}user_options SET skin=$styleid WHERE userid=$userinfo[userid]");

[/code]

The variable $userinfo is not filtered for dangerous characters; because of that, SQL injection is
possible (in the snippet above, $styleid is likewise taken straight from $HTTP_GET_VARS and interpolated unquoted).

[code]

function loadskin($skinid)
{
GLOBAL $dbr,$data;

$dbr->query("SELECT * FROM {$dbr->p}skins WHERE skinid=$skinid");

[/code]

The variable $skinid is not filtered for dangerous characters; because of that, SQL injection is
possible.

article.php
^^^^^^^^^^^

[code]

if ($this->id != 0) {
$a['breadcrumbs'] = '';
$catid = $this->id;
$c = 1;
while ($c <= getsetting('max_crumb_depth')) {
if ($catid == 0) break;
$dbr->query("SELECT parentid,name,accesslvl_to_read,accesslvl_to_contribute,archive_mode FROM {$dbr->p}article_categories WHERE catid=$catid");
$cat = $dbr->getarray();
$crumb_array[] = array('id'=>$catid, 'name'=>stripslashes($cat['name']), 'accesslvl_to_read'=>$cat['accesslvl_to_read'], 'accesslvl_to_contribute'=>$cat['accesslvl_to_contribute']);
$catid = $cat['parentid'];
$c++;

            }


[/code]

The variable $catid is not filtered for dangerous characters; because of that, SQL injection is
possible.

[code]

// Reorders article pages from the 'orders' POST field: each array key is a page id
// and each value the new display order. Both keys and values come straight from
// $HTTP_POST_VARS, so nothing used inside this loop has been validated.
foreach ($HTTP_POST_VARS['orders'] as $pageid=>$displayorder) {
// Ensure, at this level, that user has admin, editor or author permission to do this.
$pass = FALSE;
if (isadmin() || iseditor()) $pass = TRUE;
// $pageid is interpolated into the SQL unquoted and uncast. This SELECT runs before
// $pass is consulted, so it executes regardless of the caller's permission.
$articleid = $dbr->result("SELECT articleid FROM {$dbr->p}article_pages WHERE pageid=$pageid");
// $articleid is read back from the database, but it is interpolated the same way;
// a database value derived from the untrusted $pageid lookup is not trusted either.
$authorid = $dbr->result("SELECT userid FROM {$dbr->p}articles WHERE articleid=$articleid");
// NOTE(review): loose == comparison; how $dbr->result reports "no row" (false/null) is
// not visible here — confirm the comparison cannot match an empty result.
if ($data->vars['user']['userid'] == $authorid) $pass = TRUE;
// $displayorder and $pageid are interpolated unquoted here as well. Remediation: cast
// both to int before use (presumably numeric — confirm), or bind them as query parameters.
if ($pass) $dbr->query("UPDATE {$dbr->p}article_pages SET displayorder=$displayorder WHERE pageid=$pageid");
}

[/code]

The variables $pageid and $articleid are not filtered for dangerous characters; because of that,
SQL injection is possible.

============================================================================================
blag.php
^^^^^^^^^^^

[code]

// Access check for a blog request. Where $blogid comes from is outside this fragment;
// it is interpolated into the query unquoted and uncast (cast to int or bind it).
if ($this->id != 0) {
$userid = $dbr->result("SELECT userid FROM {$dbr->p}user_blogs WHERE blogid=$blogid");
// NOTE(review): as written this denies access when the current user's id EQUALS the
// blog owner's id (non-admins only); a '!=' comparison looks intended — confirm against
// the full source before relying on this check.
if (!isadmin() && $data->vars['user']['userid'] == $userid) {
setstatus('access_denied');
$this->id = $blogid;
return $this->show();
}
}

[/code]

The variable $blogid is not filtered for dangerous characters; because of that, SQL injection is
possible.

[code]

// Loads a blog post together with its parent blog's flags. $postid is interpolated
// unquoted and uncast; its origin is outside this fragment. Cast it to int or bind it
// as a query parameter before building the statement.
$dbr->query("SELECT p.blogid, b.locked, b.allow_comments, b.isprivate, b.userid
FROM {$dbr->p}user_blog_posts p
LEFT JOIN {$dbr->p}user_blogs b ON b.blogid=p.blogid
WHERE p.postid=$postid");

[/code]

The variable $postid is not filtered for dangerous characters; because of that, SQL injection is
possible.

============================================================================================
example
^^^^^^^^^^^
http://www.example.com/index.php?m='
http://www.example.com/index.php?m=member&id='
http://www.example.com/index.php?m=article&id='
http://www.example.com/index.php?m=article&op=read&id='
http://www.example.com/index.php?m=blog&id='
http://www.example.com/index.php?m=blog&op=getpost&id='

============================================================================================
CR [ www.svt.nukleon.us ] 2006 г.