Wfsection 1.07 vulnerabilities
From: kreon (kre0n_at_mail.ru)
Date: 03/08/05
Date: Tue, 8 Mar 2005 22:05:54 +0300 To: bugtraq@securityfocus.com
Program: wfsections
Version: 1.07
Bug Type: SQL Injection
Bug Description:
=================================
In the file class/wfsfiles.php, we can see this function:
//START
function getAllbyArticle($articleid) {
    $db =& Database::getInstance();
    $table = $db->prefix("wfs_files");
    $ret = array();
    $sql = "SELECT * FROM ".$table." WHERE articleid=".$articleid."";
    $result = $db->query($sql);
    while( $myrow = $db->fetchArray($result) ){
        $ret[] = new WfsFiles($myrow);
    }
    return $ret;
}
//END
The $articleid parameter is inserted into the SQL query without any checks, so
SQL injection is possible. Example:
http://[path]/[folder]/article.php?articleid=1[SQL code, like OR 1=1]
Patch: replace the line
$sql = "SELECT * FROM ".$table." WHERE articleid=".$articleid."";
with the line
$sql = "SELECT * FROM ".$table." WHERE articleid=".intval($articleid)."";
=================================
Contact:
// irc: #adz @ irc.quakenet.org
ADZ Security Team // http://adz.void.ru
=================================
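
Added example, not part of the original advisory or of wfsections: the concatenated query, the intval() patch, and a stricter variant, run against an in-memory SQLite table. The table layout, the rows, the function names and the use of PDO are assumptions made for the demonstration.

```php
<?php
// Added example. The table layout and rows are constructed, not wfsections' real schema.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE wfs_files (fileid INTEGER PRIMARY KEY, articleid INTEGER, filename TEXT)');
$pdo->exec("INSERT INTO wfs_files (articleid, filename) VALUES (1,'a.txt'), (2,'b.txt'), (3,'c.txt')");

// Pattern from the advisory: the request value becomes part of the SQL text.
function filesConcat(PDO $pdo, string $articleid): array {
    $sql = "SELECT * FROM wfs_files WHERE articleid=" . $articleid;
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// The advisory's patch: intval() coerces the value to an integer first.
function filesIntval(PDO $pdo, string $articleid): array {
    $sql = "SELECT * FROM wfs_files WHERE articleid=" . intval($articleid);
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Stricter variant (assumption, not in the advisory): reject anything that is
// not a positive integer, then pass the value as a bound parameter.
function filesStrict(PDO $pdo, string $articleid): array {
    $id = filter_var($articleid, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('articleid must be a positive integer');
    }
    $stmt = $pdo->prepare('SELECT * FROM wfs_files WHERE articleid = ?');
    $stmt->bindValue(1, $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs: a normal id, the advisory's example, and a non-numeric value.
foreach (['2', '1 OR 1=1', 'abc'] as $input) {
    printf("input %-10s intval: %d row(s)", "'$input'", count(filesIntval($pdo, $input)));
    try {
        printf(", strict: %d row(s)\n", count(filesStrict($pdo, $input)));
    } catch (InvalidArgumentException $e) {
        printf(", strict: rejected\n");
    }
}
printf("concatenated, input '1 OR 1=1': %d row(s)\n", count(filesConcat($pdo, '1 OR 1=1')));
```

intval() keeps the leading digits of a string and returns 0 when there are none, so the patched query stays well-formed but malformed input is silently mapped to some id rather than refused; the strict variant rejects it.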