Lucene search
K

seirCMS.txt

🗓️ 17 Aug 2006 00:00:00Reported by CRType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 26 Views

Seir Anphin v666 has SQL injection vulnerabilities in variables not properly filtered.

Code
`CR Advisory#1  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
programm: Seir Anphin v666 Community Management System  
bug: SQL injection  
home page: www.comeplaydying.com  
bug found: 27.07.2006  
  
discovered by CR  
www.svt.nukleon.us  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
~! Details !~  
============================================================================================  
index.php  
^^^^^^^^^  
  
[code]  
....  
if (isset($HTTP_GET_VARS['styleid'])) {  
$styleid = $HTTP_GET_VARS['styleid'];  
$dbr->query("UPDATE {$dbr->p}user_options SET skin=$styleid WHERE userid=$userinfo[userid]");  
.....  
[/code]  
  
Variable $userinfo is not filtered on presence dangerous symbol, thank that, possible   
produce SQL injection  
  
  
[code]  
.....  
function loadskin($skinid)  
{  
GLOBAL $dbr,$data;  
  
$dbr->query("SELECT * FROM {$dbr->p}skins WHERE skinid=$skinid");  
.....  
[/code]  
  
Variable $skinid is not filtered on presence dangerous symbol, thank that, possible   
produce SQL injection  
============================================================================================  
article.php  
^^^^^^^^^^^  
  
[code]  
....  
if ($this->id != 0) {  
$a['breadcrumbs'] = '';  
$catid = $this->id;  
$c = 1;  
while ($c <= getsetting('max_crumb_depth')) {  
if ($catid == 0) break;  
$dbr->query("SELECT parentid,name,accesslvl_to_read,accesslvl_to_contribute,archive_mode FROM {$dbr->p}article_categories WHERE catid=$catid");  
$cat = $dbr->getarray();  
$crumb_array[] = array('id'=>$catid, 'name'=>stripslashes($cat['name']), 'accesslvl_to_read'=>$cat['accesslvl_to_read'], 'accesslvl_to_contribute'=>$cat['accesslvl_to_contribute']);  
$catid = $cat['parentid'];  
$c++;  
  
}  
....  
[/code]  
  
Variable $catid is not filtered on presence dangerous symbol, thank that, possible   
produce SQL injection  
  
  
[code]  
....  
foreach ($HTTP_POST_VARS['orders'] as $pageid=>$displayorder) {  
// Ensure, at this level, that user has admin, editor or author permission to do this.  
$pass = FALSE;  
if (isadmin() || iseditor()) $pass = TRUE;  
$articleid = $dbr->result("SELECT articleid FROM {$dbr->p}article_pages WHERE pageid=$pageid");  
$authorid = $dbr->result("SELECT userid FROM {$dbr->p}articles WHERE articleid=$articleid");  
if ($data->vars['user']['userid'] == $authorid) $pass = TRUE;  
if ($pass) $dbr->query("UPDATE {$dbr->p}article_pages SET displayorder=$displayorder WHERE pageid=$pageid");  
}  
....  
[/code]  
  
Variable $pageid, $articleid are not filtered on presence dangerous symbol, thank that,   
possible produce SQL injection  
  
  
============================================================================================  
blag.php  
^^^^^^^^^^^  
  
[code]  
.....  
if ($this->id != 0) {  
$userid = $dbr->result("SELECT userid FROM {$dbr->p}user_blogs WHERE blogid=$blogid");  
if (!isadmin() && $data->vars['user']['userid'] == $userid) {  
setstatus('access_denied');  
$this->id = $blogid;  
return $this->show();  
}  
}  
....  
[/code]  
  
Variable $blogid is not filtered on presence dangerous symbol, thank that, possible   
produce SQL injection  
  
  
[code]  
....  
$dbr->query("SELECT p.blogid, b.locked, b.allow_comments, b.isprivate, b.userid  
FROM {$dbr->p}user_blog_posts p  
LEFT JOIN {$dbr->p}user_blogs b ON b.blogid=p.blogid  
WHERE p.postid=$postid");  
....  
[/code]  
  
Variable $postid is not filtered on presence dangerous symbol, thank that, possible   
produce SQL injection  
  
  
============================================================================================  
example  
^^^^^^^^^^^  
http://www.example.com/index.php?m='  
http://www.example.com/index.php?m=member&id='  
http://www.example.com/index.php?m=article&id='  
http://www.example.com/index.php?m=article&op=read&id='  
http://www.example.com/index.php?m=blog&id='  
http://www.example.com/index.php?m=blog&op=getpost&id='  
  
============================================================================================  
CR [ www.svt.nukleon.us ] 2006 ã.  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

17 Aug 2006 00:00Current
7.4High risk
Vulners AI Score7.4
26