K-Search Crafted Image Upload Path Disclosure

2005-11-28T10:53:09
ID OSVDB:21128
Type osvdb
Reporter r0t(krustevs@googlemail.com)
Modified 2005-11-28T10:53:09

Description

Vulnerability Description

r0t has reported some vulnerabilities in K-Search, which can be exploited by malicious users to conduct SQL injection attacks.

Input passed to the "id", "stat", and "source" parameters in "index.php" isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

1. Input passed to the "term" parameter in "index.php" isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

examples:
/index.php?term=%23%25%23term%23%25%23&sm=Mekl%E7t&source=1&req=search
/index.php?term=%28%27r0t+checker%27%29&sm=Mekl%E7t&source=1&req=search

2. Input passed to many parameters in "index.php" isn't properly sanitised before being used in a SQL query (examples below). This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

examples:
/index.php?req=edit&id=[SQL]
/index.php?req=view&act=stat_all&stat=[SQL]
/index.php?req=view&act=status&id=1&stat=[SQL]
/index.php?req=view&act=status&id=[SQL]
/index.php?req=delsite&id=[SQL]
/index.php?req=search&source=[SQL]

3. In "/index.php?req=add", the image upload parameters aren't properly sanitised before being used in a SQL query. An attacker can obtain the full installation path.

Solution Description

Edit the source code to ensure that input is properly sanitised. --No further solution information available.--
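As an added example (not K-Search's code, whose source the advisory does not show), the unsafe query pattern the advisory describes beside a hardened handler: numeric parameters are validated, every value is bound through a PDO prepared statement, and display_errors is turned off so a failing query no longer reveals the installation path. Table names, column names and connection details are assumed.

```php
<?php
// Added illustration, not K-Search source: table and column names are assumed.

// ---- Vulnerable pattern described in the advisory ----
// $_GET['id'] is spliced into the statement, so ?req=edit&id=[SQL] rewrites the
// query, and when it fails mysql_fetch_assoc() emits a warning that names the
// script's absolute path (the disclosure seen in the testing notes).
function edit_site_vulnerable($link) {
    $id = $_GET['id'];
    $res = mysql_query("SELECT * FROM sites WHERE id = $id", $link); // legacy ext/mysql
    return mysql_fetch_assoc($res);
}

// ---- Hardened handler ----
// Errors go to the log, never to the response, so a failing query cannot
// reveal /home/.../includes/... to the client.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

function connect(): PDO {
    // DSN and credentials are placeholders. Emulated prepares are disabled so
    // values are bound server-side instead of being interpolated by the driver.
    $db = new PDO('mysql:host=localhost;dbname=ksearch;charset=utf8mb4', 'user', 'pass');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    return $db;
}

function edit_site_safe(PDO $db): ?array {
    // "id", "stat" and "source" are numeric: reject anything that is not a
    // positive integer before it reaches the query.
    $id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false || $id === null) {
        http_response_code(400);
        return null;
    }
    $stmt = $db->prepare('SELECT * FROM sites WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}

function search_safe(PDO $db): array {
    // "term" is free text, so binding is the control; LIKE metacharacters are
    // escaped so input such as #%#term#%# is matched literally, not as a pattern.
    $term = (string) filter_input(INPUT_GET, 'term');
    $like = '%' . addcslashes($term, '%_\\') . '%';
    $stmt = $db->prepare('SELECT id, title, url FROM sites WHERE title LIKE :t');
    $stmt->execute([':t' => $like]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}
```

The same validate-then-bind pattern applies to the "stat" and "source" parameters and to the upload handler behind req=add.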


Manual Testing Notes

http://exitingfun.org/index.php?term=%28%27kasper5150+checker%27%29&sm=Mekl%E7t&source=1&req=search

result: Warning: mysql_fetch_assoc(): supplied argument is not a valid MySQL result resource in /home/searchpo/public_html/exitingfun/includes/do_search.php on line 246

http://exitingfun.org/includes/do_search.php?term=%28%27kasper5150+checker%27%29&sm=Mekl%E7t&source=1&req=search

result: Warning: Invalid argument supplied for foreach() in /home/searchpo/public_html/exitingfun/includes/do_search.php on line 129

Fatal error: Call to undefined function: queries() in /home/searchpo/public_html/exitingfun/includes/do_search.php on line 136

References:

Vendor URL: http://turn-k.net/k-search
Secunia Advisory ID: 17719
Related OSVDB ID: 21127
Other Advisory URL: http://pridels.blogspot.com/2005/11/k-search-multiple-vuln.html