Wfsection 1.07 vulnerabilities

From: kreon (kre0n_at_mail.ru)
Date: 03/08/05

    Date: Tue, 8 Mar 2005 22:05:54 +0300
    To: bugtraq@securityfocus.com


    Program: wfsections
    Version: 1.07
    Bug Type: SQL Injection
    Bug Description:
    =================================
    In file class/wfsfiles.php, we can see this function:
    //START
    function getAllbyArticle($articleid) {
            $db =& Database::getInstance();
            $table = $db->prefix("wfs_files");
            $ret = array();
            $sql = "SELECT * FROM ".$table." WHERE articleid=".$articleid."";
            $result = $db->query($sql);
            while( $myrow = $db->fetchArray($result) ){
                    $ret[] = new WfsFiles($myrow);
            }
            return $ret;
    }
    //END
    Param $articleid is inserted into the SQL query without any checks, so we can
    make an SQL injection. Example:
    http://[path]/[folder[/article.php?articleid=1[SQL Code[like OR 1=1]]
    Patch: replace the string
    $sql = "SELECT * FROM ".$table." WHERE articleid=".$articleid."";
    with the string
    $sql = "SELECT * FROM ".$table." WHERE articleid=".intval($articleid)."";
    =================================
    Contact:
          // irc: #adz @ irc.quakenet.org
    ADZ Security Team // http://adz.void.ru
    =================================
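A defender-side check, added here as an example and not part of kreon's post: scan web server access logs for requests to article.php whose articleid parameter is not a plain integer, which is exactly the input the intval() patch above neutralises. The log lines, IP addresses and module path are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Apache combined format); hosts and
# paths are hypothetical, the "OR 1=1" value is the one from the advisory.
SAMPLE_LOG = """\
203.0.113.5 - - [08/Mar/2005:22:01:10 +0300] "GET /modules/wfsection/article.php?articleid=1 HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
203.0.113.7 - - [08/Mar/2005:22:01:12 +0300] "GET /modules/wfsection/article.php?articleid=1%20OR%201=1 HTTP/1.1" 200 9871 "-" "Mozilla/4.0"
203.0.113.7 - - [08/Mar/2005:22:01:14 +0300] "GET /modules/wfsection/article.php?articleid=1+OR+1%3D1 HTTP/1.1" 200 9871 "-" "Mozilla/4.0"
203.0.113.9 - - [08/Mar/2005:22:01:15 +0300] "GET /modules/wfsection/article.php?articleid= HTTP/1.1" 200 300 "-" "Mozilla/4.0"
203.0.113.5 - - [08/Mar/2005:22:01:20 +0300] "GET /modules/wfsection/index.php HTTP/1.1" 200 2048 "-" "Mozilla/4.0"
"""

# Client IP, timestamp and request target of a combined-format log line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*"'
)

def find_suspicious_articleid(log_text, script="article.php", param="articleid"):
    """Return (ip, timestamp, decoded_value) for every request to `script`
    whose `param` is not a plain integer, i.e. any value intval() would
    have changed before it reached the WHERE clause."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line we understand
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith("/" + script):
            continue  # other scripts are out of scope for this check
        # parse_qs percent-decodes and turns '+' into spaces, so both
        # encodings of the same payload compare equal; blank values are kept
        # because an empty articleid is also not a valid integer.
        for raw in parse_qs(parts.query, keep_blank_values=True).get(param, []):
            if not re.fullmatch(r"-?\d+", raw.strip()):
                hits.append((m.group("ip"), m.group("ts"), raw))
    return hits

if __name__ == "__main__":
    for ip, ts, value in find_suspicious_articleid(SAMPLE_LOG):
        print(f"{ts} {ip} non-integer articleid: {value!r}")
```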

