TUCoPS :: Web :: Apps :: b06-3947.htm

SQL injection Seir Anphin v666 Community Management System
CR Advisory#1
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  program: Seir Anphin v666 Community Management System
      bug: SQL injection
home page: www.comeplaydying.com
bug found: 27.07.2006

discovered by CR
www.svt.nukleon.us
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

~! Details !~
=============================================================================================
index.php
^^^^^^^^^

[code]
....
if (isset($HTTP_GET_VARS['styleid'])) {
    $styleid = $HTTP_GET_VARS['styleid'];
    // both values are interpolated into the query without quoting or validation
    $dbr->query("UPDATE {$dbr->p}user_options SET skin=$styleid WHERE userid=$userinfo[userid]");
.....
[/code]

Variable $userinfo is not filtered for dangerous characters, which makes SQL injection possible.


[code]
.....
function loadskin($skinid)
{
    GLOBAL $dbr,$data;

    // $skinid is interpolated into the query without quoting or validation
    $dbr->query("SELECT * FROM {$dbr->p}skins WHERE skinid=$skinid");
.....
[/code]

Variable $skinid is not filtered for dangerous characters, which makes SQL injection possible.
=============================================================================================
article.php
^^^^^^^^^^^

[code]
....
if ($this->id != 0) {
    $a['breadcrumbs'] = '';
    $catid = $this->id;
    $c = 1;
    while ($c <= getsetting('max_crumb_depth')) {
        if ($catid == 0) break;
        // $catid is interpolated into the query without quoting or validation
        $dbr->query("SELECT parentid,name,accesslvl_to_read,accesslvl_to_contribute,archive_mode FROM {$dbr->p}article_categories WHERE catid=$catid");
        $cat = $dbr->getarray();
        $crumb_array[] = array('id'=>$catid, 'name'=>stripslashes($cat['name']), 'accesslvl_to_read'=>$cat['accesslvl_to_read'], 'accesslvl_to_contribute'=>$cat['accesslvl_to_contribute']);
        $catid = $cat['parentid'];
        $c++;
    }
....
[/code]

Variable $catid is not filtered for dangerous characters, which makes SQL injection possible.


[code]
....
foreach ($HTTP_POST_VARS['orders'] as $pageid=>$displayorder) {
    // Ensure, at this level, that user has admin, editor or author permission to do this.
    $pass = FALSE;
    if (isadmin() || iseditor()) $pass = TRUE;
    // $pageid (array key) and $displayorder (value) both come straight from the POST body
    $articleid = $dbr->result("SELECT articleid FROM {$dbr->p}article_pages WHERE pageid=$pageid");
    $authorid  = $dbr->result("SELECT userid    FROM {$dbr->p}articles      WHERE articleid=$articleid");
    if ($data->vars['user']['userid'] == $authorid) $pass = TRUE;
    if ($pass) $dbr->query("UPDATE {$dbr->p}article_pages SET displayorder=$displayorder WHERE pageid=$pageid");
}
....
[/code]

Variables $pageid and $articleid are not filtered for dangerous characters, which makes SQL injection possible.
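In the reorder loop above both the array key ($pageid) and the value ($displayorder) come from the POST body, so both must be validated before anything is queried, and the per-page authorization check still has to run for every entry. The rewrite below is an added example written for this page, not code from the Seir Anphin project: `$pdo` (a PDO handle), the `$prefix` argument and the `$isPrivileged` flag are assumptions standing in for the CMS's `$dbr` wrapper and its `isadmin()`/`iseditor()` helpers, and the two lookups of the original are merged into one JOIN.

```php
<?php
// Added example (not Seir Anphin code): hardened version of the page-reorder loop.
// $pdo, $prefix and $isPrivileged are assumptions standing in for $dbr, {$dbr->p}
// and isadmin()/iseditor().
declare(strict_types=1);

// Validate every key/value pair as an integer before it goes anywhere near SQL.
// Rejecting the whole request is safer than silently dropping bad entries.
function validate_orders(array $raw): array
{
    $clean = [];
    foreach ($raw as $pageid => $displayorder) {
        $p = filter_var($pageid, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
        $d = filter_var($displayorder, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
        if ($p === false || $d === false) {
            throw new InvalidArgumentException(
                'invalid pageid/displayorder pair: ' . var_export([$pageid, $displayorder], true)
            );
        }
        $clean[$p] = $d;
    }
    return $clean;
}

// Returns the number of rows actually updated.
function reorder_pages(PDO $pdo, string $prefix, array $orders, int $userid, bool $isPrivileged): int
{
    $clean = validate_orders($orders);

    // Table names cannot be bound as parameters; $prefix is server-side
    // configuration, never request input. Only the ids are untrusted, and
    // those are bound.
    $authorStmt = $pdo->prepare(
        "SELECT a.userid FROM {$prefix}article_pages p
         JOIN {$prefix}articles a ON a.articleid = p.articleid
         WHERE p.pageid = :pageid"
    );
    $updateStmt = $pdo->prepare(
        "UPDATE {$prefix}article_pages SET displayorder = :displayorder WHERE pageid = :pageid"
    );

    $updated = 0;
    foreach ($clean as $pageid => $displayorder) {
        $authorStmt->execute([':pageid' => $pageid]);
        $authorid = $authorStmt->fetchColumn();
        $authorStmt->closeCursor();
        if ($authorid === false) {
            continue; // unknown page: nothing to reorder
        }
        // Authorization is decided per page, as in the original, but after validation.
        if (!$isPrivileged && (int) $authorid !== $userid) {
            continue;
        }
        $updateStmt->execute([':displayorder' => $displayorder, ':pageid' => $pageid]);
        $updated += $updateStmt->rowCount();
    }
    return $updated;
}

// Constructed demo input; the validation step needs no database.
$ok = validate_orders(['7' => '2', '8' => '1']);
if ($ok !== [7 => 2, 8 => 1]) {
    throw new RuntimeException('unexpected normalisation of valid input');
}
try {
    validate_orders(["7'" => '2']);   // the probe character from the advisory's examples
    throw new RuntimeException('invalid key was not rejected');
} catch (InvalidArgumentException $e) {
    // expected: the key never reaches SQL
}
```

Note that the validation happens before the permission check: an invalid id is rejected for every caller, and an admin is not given a path that bypasses it.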
=============================================================================================
blag.php
^^^^^^^^^^^

[code]
.....
if ($this->id != 0) {
    // $blogid is interpolated into the query without quoting or validation
    $userid = $dbr->result("SELECT userid FROM {$dbr->p}user_blogs WHERE blogid=$blogid");
    if (!isadmin() && $data->vars['user']['userid'] == $userid) {
        setstatus('access_denied');
        $this->id = $blogid;
        return $this->show();
    }
}
....
[/code]

Variable $blogid is not filtered for dangerous characters, which makes SQL injection possible.


[code]
....
// $postid is interpolated into the query without quoting or validation
$dbr->query("SELECT p.blogid, b.locked, b.allow_comments, b.isprivate, b.userid
             FROM {$dbr->p}user_blog_posts p
             LEFT JOIN {$dbr->p}user_blogs b ON b.blogid=p.blogid
             WHERE p.postid=$postid");
....
[/code]

Variable $postid is not filtered for dangerous characters, which makes SQL injection possible.
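Every finding in the index.php, article.php (breadcrumb loop) and blag.php sections has the same shape: a database integer ($styleid, $skinid, $catid, $blogid, $postid) is interpolated unquoted into a query string. The fix is the same too: validate the value as an integer and bind it as a query parameter. The code below is an added example written for this page, not code from Seir Anphin; PDO, the `$pdo` handle, the `sa_` table prefix and the in-memory SQLite tables are assumptions standing in for the CMS's `$dbr` wrapper, and the magic-quotes-era `stripslashes()` of the original is dropped.

```php
<?php
// Added example (not Seir Anphin code): the single-id queries from index.php,
// article.php and blag.php, rewritten with integer validation and bound
// parameters. $pdo and the 'sa_' prefix are assumptions standing in for $dbr.
declare(strict_types=1);

// Every id in the advisory is a database integer. Validating it as one (rather
// than escaping it) removes the injection regardless of how the query quotes it.
function require_int_id($value): int
{
    $id = filter_var($value, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('id must be a positive integer');
    }
    return $id;
}

// index.php: UPDATE ... SET skin=$styleid WHERE userid=$userinfo[userid]
function set_user_skin(PDO $pdo, string $prefix, int $userid, $styleid): void
{
    $stmt = $pdo->prepare("UPDATE {$prefix}user_options SET skin = :skin WHERE userid = :userid");
    $stmt->execute([':skin' => require_int_id($styleid), ':userid' => $userid]);
}

// index.php loadskin() and blag.php: SELECT ... WHERE <column>=$id
function fetch_by_id(PDO $pdo, string $table, string $column, $id): ?array
{
    // $table and $column are identifiers chosen by the code, never by the
    // request; only $id is untrusted, and it is bound, not interpolated.
    $stmt = $pdo->prepare("SELECT * FROM {$table} WHERE {$column} = :id");
    $stmt->execute([':id' => require_int_id($id)]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// article.php breadcrumb loop: one prepared statement, executed once per level.
function breadcrumbs(PDO $pdo, string $prefix, $startCatid, int $maxDepth): array
{
    $stmt = $pdo->prepare(
        "SELECT parentid, name, accesslvl_to_read, accesslvl_to_contribute
         FROM {$prefix}article_categories WHERE catid = :catid"
    );
    $crumbs = [];
    $catid = require_int_id($startCatid);
    for ($c = 1; $c <= $maxDepth && $catid !== 0; $c++) {
        $stmt->execute([':catid' => $catid]);
        $cat = $stmt->fetch(PDO::FETCH_ASSOC);
        if ($cat === false) {
            break; // dangling parentid: stop instead of looping on a missing row
        }
        $crumbs[] = [
            'id'                     => $catid,
            'name'                   => $cat['name'],
            'accesslvl_to_read'      => $cat['accesslvl_to_read'],
            'accesslvl_to_contribute'=> $cat['accesslvl_to_contribute'],
        ];
        $catid = (int) $cat['parentid'];
    }
    return $crumbs;
}

// Constructed demo against an in-memory SQLite database so the example runs offline.
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec("CREATE TABLE sa_skins (skinid INTEGER PRIMARY KEY, name TEXT)");
$pdo->exec("INSERT INTO sa_skins (skinid, name) VALUES (1, 'default'), (2, 'dark')");
$pdo->exec("CREATE TABLE sa_article_categories (catid INTEGER PRIMARY KEY, parentid INTEGER,
            name TEXT, accesslvl_to_read INTEGER, accesslvl_to_contribute INTEGER)");
$pdo->exec("INSERT INTO sa_article_categories VALUES (1, 0, 'root', 0, 1), (2, 1, 'child', 0, 1)");

$skin  = fetch_by_id($pdo, 'sa_skins', 'skinid', '2');     // a normal request value
$trail = breadcrumbs($pdo, 'sa_', '2', 5);                 // walks child -> root, then stops at parentid 0

foreach (["1'", '2 OR 1=1', ''] as $probe) {              // the advisory's probe character and friends
    try {
        fetch_by_id($pdo, 'sa_skins', 'skinid', $probe);
        throw new RuntimeException("probe was not rejected: $probe");
    } catch (InvalidArgumentException $e) {
        // expected: rejected before any SQL is run
    }
}
```

Binding the parameter is what removes the injection; the integer validation on top of it gives a clear error for malformed input instead of a silent query for id 0, and it keeps the breadcrumb walk from ever starting with a non-numeric value.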
=============================================================================================
example
^^^^^^^^^^^
http://www.example.com/index.php?m='
http://www.example.com/index.php?m=member&id='
http://www.example.com/index.php?m=article&id='
http://www.example.com/index.php?m=article&op=read&id='
http://www.example.com/index.php?m=blog&id='
http://www.example.com/index.php?m=blog&op=getpost&id='

=============================================================================================
CR [ www.svt.nukleon.us ] 2006