wfsections107.txt

2005-03-15T00:00:00
ID PACKETSTORM:36541
Type packetstorm
Reporter adz.void.ru
Modified 2005-03-15T00:00:00

Description

                                        
Program: wfsections
Version: 1.07
Bug Type: SQL Injection
Bug Description:
=================================  
In file class/wfsfiles.php, we can see this function:  
//START
function getAllbyArticle($articleid) {
    $db =& Database::getInstance();
    $table = $db->prefix("wfs_files");
    $ret = array();
    // $articleid is concatenated into the query string unchecked
    $sql = "SELECT * FROM ".$table." WHERE articleid=".$articleid."";
    $result = $db->query($sql);
    while( $myrow = $db->fetchArray($result) ){
        $ret[] = new WfsFiles($myrow);
    }
    return $ret;
}
//END
The $articleid parameter is inserted into the SQL query without any checks, which allows SQL injection. Example:
http://[path]/[folder]/article.php?articleid=1[SQL Code, like OR 1=1]
Patch: replace the line
$sql = "SELECT * FROM ".$table." WHERE articleid=".$articleid."";
with the line
$sql = "SELECT * FROM ".$table." WHERE articleid=".intval($articleid)."";
=================================  
Contact:  
// irc: #adz @ irc.quakenet.org  
ADZ Security Team // http://adz.void.ru  
=================================  
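The effect of the patch above, as an added example that is not part of the original advisory or the wfsections code: it runs the advisory's query pattern against a constructed in-memory SQLite table through PDO (an assumption standing in for the module's Database class) and compares the unpatched concatenation, the intval() patch, and a stricter variant that validates the id and binds it as a parameter. The function names and sample rows are hypothetical.

```php
<?php
// Added example, not wfsections code. PDO with in-memory SQLite stands in
// for the module's Database class; table rows below are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE wfs_files (fileid INTEGER PRIMARY KEY, articleid INTEGER, filename TEXT)');
$db->exec("INSERT INTO wfs_files (articleid, filename) VALUES
    (1, 'a.pdf'), (1, 'b.pdf'), (2, 'c.pdf'), (3, 'd.pdf')");

// Unpatched pattern from the advisory: the request value is concatenated as-is.
function filesUnpatched(PDO $db, $articleid): array
{
    $sql = "SELECT filename FROM wfs_files WHERE articleid=" . $articleid;
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// The advisory's patch: intval() reduces the value to an integer before concatenation.
function filesIntval(PDO $db, $articleid): array
{
    $sql = "SELECT filename FROM wfs_files WHERE articleid=" . intval($articleid);
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Stricter variant (hypothetical): reject non-integer input, then bind the value.
function filesBound(PDO $db, $articleid): array
{
    $id = filter_var($articleid, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('articleid must be a positive integer');
    }
    $stmt = $db->prepare('SELECT filename FROM wfs_files WHERE articleid = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$input = '1 OR 1=1'; // the advisory's example value for articleid
printf("unpatched: %d rows\n", count(filesUnpatched($db, $input)));
printf("intval():  %d rows\n", count(filesIntval($db, $input)));
try {
    filesBound($db, $input);
} catch (InvalidArgumentException $e) {
    printf("bound:     rejected (%s)\n", $e->getMessage());
}
printf("bound, articleid=2: %d rows\n", count(filesBound($db, '2')));
```

intval() reduces the advisory's example value to 1, so the patched query quietly serves article 1's files; the validating variant rejects the request instead, which gives the application an error it can log.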