subdreamerSQL.txt

Reported: 22 Mar 2005 00:00:00, by ghc.ru
Type: packetstorm
Source: packetstormsecurity.com (26 views)

Subdreamer Light CMS has an SQL injection vulnerability caused by insufficient filtering of user input.

Code

```text
//*==========================================*//
\\ GHC -> Subdreamer <- ADVISORY
// Product: Subdreamer
\\ Version: Subdreamer Light
// URL: www.subdreamer.com
\\ VULNERABILITY CLASS: SQL injection
//*==========================================*//

[Product Description]
"Powered by PHP and MySQL, Subdreamer provides the ability to create dynamic websites while giving full control over every section of the site.
A powerful content management system with an amazing skin engine which provides users with unique and cool looking skins!" (from homepage).
Subdreamer is a non-free CMS.
A freeware version, Subdreamer Light, is available for download.

[Summary]
Insufficient filtering of user input can lead to an SQL injection vulnerability.

[Details]
If magic_quotes_gpc=0, the global request arrays are passed through the
addslashes() function.

--[script includes/core.php]--
if(!get_magic_quotes_gpc()) // add slashes if gpc is off
{
    $_POST = AddSlashesArray($_POST);
    $_GET = AddSlashesArray($_GET);
    $_COOKIE = AddSlashesArray($_COOKIE);
--[/script includes/core.php]--

But in the script's functions the variables are declared as "global", not read from the $_POST or $_GET arrays.
If register_globals=1, this allows the addslashes() filtering to be bypassed.

--[script includes/core.php]--
if(function_exists('ini_get'))
{
    $globalsoption = ini_get('register_globals');
}
else
{
    $globalsoption = get_cfg_var('register_globals');
}
if($globalsoption != 1)
{
    @extract($HTTP_SERVER_VARS, EXTR_SKIP);
    @extract($HTTP_COOKIE_VARS, EXTR_SKIP);
    @extract($HTTP_POST_FILES, EXTR_SKIP);
    @extract($HTTP_POST_VARS, EXTR_SKIP);
    @extract($HTTP_GET_VARS, EXTR_SKIP);
    @extract($HTTP_ENV_VARS, EXTR_SKIP);
    @extract($HTTP_SESSION_VARS, EXTR_SKIP);
}
--[/script includes/core.php]--

In this case an attacker can perform SQL injection through variables that functions declare as global.

EXAMPLE
+--------------+
|SQL injection |
+--------------+
Vulnerable script: plugins/p17_image_gallery/imagegallery.php

--[code]--
function p17_DisplayImages($sectionid, $start)
{
    global $DB;
    global $categoryid;
    global $p17_imageid;
    [...]
    if(isset($p17_imageid))
    {
        $image = $DB->query_first("SELECT * FROM p17_images WHERE imageid = '$p17_imageid'");
    [...]
<td style="padding-top: 20px;" align="center"><img src="plugins/p17_image_gallery/images/'.$image['filename'].'" /></td>
--[/code]--

[Exploit]
http://subdreamer/index.php?categoryid=3&p17_sectionid=1&p17_imageid=[SQL code]


/* ================================================== */
/* www.ghc.ru -- security games & challenges */
/* ================================================== */
/* greets to: 1dt.w0lf & RST.void.ru */
/* and e-defense group. */
/* ================================================== */
```
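The mechanism the advisory describes, as an added example that is not code from the advisory or from Subdreamer: core.php escapes the request arrays, but a function that reads a `global` variable populated by register_globals gets the raw, unescaped value. `AddSlashesArray()` here is a hypothetical stand-in for the CMS helper of the same name, `$rawGet` is a constructed request, the `extract()` call simulates what register_globals=1 did before any script ran (the setting was removed in PHP 5.4), and `hardenedQuery()` is a suggested fix, not the vendor's.

```php
<?php
// Added example (not from the advisory or the Subdreamer code base).
// Shows why escaping $_GET does not protect a function that reads the
// register_globals copy of the same parameter, and one way to fix it.

// Hypothetical stand-in for the CMS helper of the same name: recursively
// apply addslashes() to every string in a request array.
function AddSlashesArray(array $arr): array
{
    foreach ($arr as $key => $value) {
        $arr[$key] = is_array($value) ? AddSlashesArray($value) : addslashes($value);
    }
    return $arr;
}

// Constructed request: the single quote is the character the filter exists to neutralise.
$rawGet = ['p17_imageid' => "1'"];

// register_globals=1 registered every request key as a global variable before
// the script ran; extract() simulates that step here (assumption, see lead-in).
extract($rawGet, EXTR_SKIP);   // $p17_imageid now holds the raw request value

// What core.php does when magic_quotes_gpc is off: escape the superglobal copy only.
$_GET = AddSlashesArray($rawGet);

// Same pattern as p17_DisplayImages(): the query is assembled from the global,
// which never passed through AddSlashesArray(). Returned as a string so the
// effect is visible without a database.
function vulnerableQuery(): string
{
    global $p17_imageid;
    return "SELECT * FROM p17_images WHERE imageid = '$p17_imageid'";
}

// Hardened variant (suggested fix, not the vendor's): read from the request
// array rather than a global, accept only an unsigned integer, and bind it as
// a parameter so quoting can never change the statement.
function hardenedQuery(mysqli $db, array $get): ?array
{
    if (!isset($get['p17_imageid']) || !ctype_digit((string) $get['p17_imageid'])) {
        return null;   // reject anything that is not a plain numeric id
    }
    $id = (int) $get['p17_imageid'];
    $stmt = $db->prepare("SELECT * FROM p17_images WHERE imageid = ?");
    $stmt->bind_param('i', $id);
    $stmt->execute();
    return $stmt->get_result()->fetch_assoc() ?: null;
}

// The two copies of the same parameter differ: only the array copy was escaped.
echo "escaped copy in \$_GET : " . $_GET['p17_imageid'] . "\n";
echo "raw global value       : " . $p17_imageid . "\n";
echo vulnerableQuery() . "\n";
```

Running the script prints the escaped array value, the raw global value, and the assembled statement, which makes the gap concrete: the quote survives into the SQL text whenever the function reads `$p17_imageid` as a global. The fix does not depend on escaping at all; validating the id as an integer and binding it removes the string context entirely, which is the robust mitigation regardless of the magic_quotes_gpc and register_globals settings.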
