Computer Security
[EN] securityvulns.ru
From: kreon <kre0n_(at)_mail.ru>
Date: 07.03.2005
Subject: wfsections 1.07 advisory

Program: wfsections
Version: 1.07
Bug Type: SQL Injection
Bug Description:
=================================
In file class/wfsfiles.php, we can see this function:
//START
function getAllbyArticle($articleid) {
    $db =& Database::getInstance();
    $table = $db->prefix("wfs_files");
    $ret = array();
    $sql = "SELECT * FROM ".$table." WHERE articleid=".$articleid."";
    $result = $db->query($sql);
    while( $myrow = $db->fetchArray($result) ){
        $ret[] = new WfsFiles($myrow);
    }
    return $ret;
}
//END
The $articleid parameter is inserted into the SQL query without any checks, so SQL injection is possible.
Example:
http://[path]/[folder]/article.php?articleid=1[SQL Code[like OR 1=1]]
Patch: replace the line
$sql = "SELECT * FROM ".$table." WHERE articleid=".$articleid."";
with the line
$sql = "SELECT * FROM ".$table." WHERE articleid=".intval($articleid)."";
=================================
Contact:
kreon // kre0n@mail.ru
     // icq: 332757541
     // irc: #adz @ irc.progress-tvk.ru
ADZ Security Team // http://adz.void.ru
=================================
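
An added example, not part of the original advisory or of wfsections: it runs the concatenated query, the advisory's intval() patch, and a stricter validate-and-bind variant against the same inputs. It assumes PHP 7.1+ with the PDO SQLite driver; the table rows and function names are constructed for illustration, and PDO stands in for the module's own Database class.

```php
<?php
// Added example: constructed table and rows, not wfsections code.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE wfs_files (fileid INTEGER PRIMARY KEY, articleid INTEGER, filename TEXT)');
$pdo->exec("INSERT INTO wfs_files (articleid, filename)
            VALUES (1, 'a.txt'), (1, 'b.txt'), (2, 'c.txt'), (3, 'd.txt')");

// Original pattern: the raw request value becomes part of the SQL text.
function countConcatenated(PDO $pdo, $articleid): int {
    $sql = "SELECT * FROM wfs_files WHERE articleid=" . $articleid;
    return count($pdo->query($sql)->fetchAll());
}

// The advisory's patch: intval() keeps only the leading integer part.
function countIntval(PDO $pdo, $articleid): int {
    $sql = "SELECT * FROM wfs_files WHERE articleid=" . intval($articleid);
    return count($pdo->query($sql)->fetchAll());
}

// Stricter variant (hypothetical helper): reject anything that is not a
// positive integer, then pass the value as a bound parameter.
function countValidatedBound(PDO $pdo, $articleid): ?int {
    $id = filter_var($articleid, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null; // caller should return an error instead of querying
    }
    $stmt = $pdo->prepare('SELECT * FROM wfs_files WHERE articleid = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return count($stmt->fetchAll());
}

// A normal id, then the value from the advisory's example URL.
foreach (['1', '1 OR 1=1'] as $value) {
    printf("%-10s concat=%d intval=%d bound=%s\n", $value,
        countConcatenated($pdo, $value),
        countIntval($pdo, $value),
        var_export(countValidatedBound($pdo, $value), true));
}
```

intval() silently truncates a malformed value to its leading integer, while the validated variant refuses it, which also gives the application a point at which to log the rejected request.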
