XOOPS Video Tube plugin SQL injection - Vulnerability warning - Black Bar Safety Net

2011-06-03T00:00:00
ID MYHACK58:62201130703
Type myhack58
Reporter Anonymous
Modified 2011-06-03T00:00:00

Description

Author: knife

Affected versions: 2.4.4

Official address: www.discuz.net

Vulnerability type: SQL injection

Plug-in: Video Tube 1.85 and below (only 1.85 was tested)

Vulnerability file: reportvideopopup.php

The vid variable is not strictly filtered, which results in SQL injection.

if (isset($_GET['vid'])) $vid = $_GET['vid']; // you know
if (isset($_POST['postreport'])) $op = 'postreport';
if (isset($_POST['reportclose'])) $op = 'reportclose';
if (isset($_GET['op'])) $op = $_GET['op'];
if (isset($_POST['op'])) $op = $_POST['op'];
switch($op) {
    case "generateform":
        $result = $xoopsDB->queryF("SELECT id, uid, cid, code, title, artist, service FROM ".$xoopsDB->prefix("vp_videos")." WHERE id=".$vid."");
        $video = $xoopsDB->fetcharray($result);

POC:

http://www.020mg.com/reportvideopopup.php?op=generateform&vid=[sql]
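
A hardened form of the input handling in the excerpt above, as an added example (not the plugin's or the author's code): `vid` must validate as a positive integer and `op` must be on an allow-list before any SQL is built. The helper names, the allow-list contents and the `xoops_` table prefix are assumptions for illustration.

```php
<?php
// Added example, not the plugin's code. Helper names, the allow-list and the
// "xoops_" prefix are assumptions; the SELECT column list comes from the excerpt.
const ALLOWED_OPS = ['generateform', 'postreport', 'reportclose'];

/** Return the video id as a positive integer, or null if the input is not one. */
function parse_video_id($raw): ?int
{
    // FILTER_VALIDATE_INT rejects trailing text, hex/exponent forms and arrays;
    // intval() would silently truncate "42 OR 1=1" to 42 instead of rejecting it.
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/** Return the operation only if it is one the script is expected to handle. */
function parse_op($raw): ?string
{
    return (is_string($raw) && in_array($raw, ALLOWED_OPS, true)) ? $raw : null;
}

/** Build the generateform query from request data; null means reject the request. */
function build_generateform_query(array $get, string $prefix): ?string
{
    $op  = parse_op($get['op'] ?? null);
    $vid = parse_video_id($get['vid'] ?? null);
    if ($op !== 'generateform' || $vid === null) {
        return null;
    }
    // $vid is an int here, so it cannot change the structure of the query.
    return sprintf(
        'SELECT id, uid, cid, code, title, artist, service FROM %svp_videos WHERE id=%d',
        $prefix,
        $vid
    );
}

// Constructed sample requests: one valid, the rest must be rejected.
$samples = [
    ['op' => 'generateform', 'vid' => '42'],
    ['op' => 'generateform', 'vid' => '42 OR 1=1'],
    ['op' => 'generateform', 'vid' => ['42']],
    ['op' => 'generateform', 'vid' => '-1'],
    ['op' => 'unknown', 'vid' => '42'],
];
foreach ($samples as $get) {
    $sql = build_generateform_query($get, 'xoops_');
    echo json_encode($get), ' => ', $sql ?? 'REJECTED', PHP_EOL;
}
```

In the plugin itself, the validated integer would replace the raw `$_GET['vid']` in the existing `$xoopsDB->queryF()` call.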