packetstormCRPACKETSTORM:48952

seirCMS.txt

2006-08-1700:00:00
CR
packetstormsecurity.com
`CR Advisory#1  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
program: Seir Anphin v666 Community Management System  
bug: SQL injection  
home page: www.comeplaydying.com  
bug found: 27.07.2006  
  
discovered by CR  
www.svt.nukleon.us  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
~! Details !~  
============================================================================================  
index.php  
^^^^^^^^^  
  
[code]  
....  
if (isset($HTTP_GET_VARS['styleid'])) {  
$styleid = $HTTP_GET_VARS['styleid'];  
$dbr->query("UPDATE {$dbr->p}user_options SET skin=$styleid WHERE userid=$userinfo[userid]");  
.....  
[/code]  
  
Variable $userinfo is not filtered for dangerous characters, so SQL injection is possible.  
  
  
[code]  
.....  
function loadskin($skinid)  
{  
GLOBAL $dbr,$data;  
  
$dbr->query("SELECT * FROM {$dbr->p}skins WHERE skinid=$skinid");  
.....  
[/code]  
  
Variable $skinid is not filtered for dangerous characters, so SQL injection is possible.  
============================================================================================  
article.php  
^^^^^^^^^^^  
  
[code]  
....  
if ($this->id != 0) {  
$a['breadcrumbs'] = '';  
$catid = $this->id;  
$c = 1;  
while ($c <= getsetting('max_crumb_depth')) {  
if ($catid == 0) break;  
$dbr->query("SELECT parentid,name,accesslvl_to_read,accesslvl_to_contribute,archive_mode FROM {$dbr->p}article_categories WHERE catid=$catid");  
$cat = $dbr->getarray();  
$crumb_array[] = array('id'=>$catid, 'name'=>stripslashes($cat['name']), 'accesslvl_to_read'=>$cat['accesslvl_to_read'], 'accesslvl_to_contribute'=>$cat['accesslvl_to_contribute']);  
$catid = $cat['parentid'];  
$c++;  
  
}  
....  
[/code]  
  
Variable $catid is not filtered for dangerous characters, so SQL injection is possible.  
  
  
[code]  
....  
// Both the POST array key ($pageid) and value ($displayorder) are interpolated  
// straight into SQL strings below; the permission check only gates the UPDATE,  
// the two SELECTs run for every submitted key regardless of $pass.  
foreach ($HTTP_POST_VARS['orders'] as $pageid=>$displayorder) {  
// Ensure, at this level, that user has admin, editor or author permission to do this.  
$pass = FALSE;  
if (isadmin() || iseditor()) $pass = TRUE;  
// $pageid is used unescaped here; $articleid is then whatever the query returned.  
$articleid = $dbr->result("SELECT articleid FROM {$dbr->p}article_pages WHERE pageid=$pageid");  
$authorid = $dbr->result("SELECT userid FROM {$dbr->p}articles WHERE articleid=$articleid");  
// Loose (==) comparison of the current user id against the query result.  
if ($data->vars['user']['userid'] == $authorid) $pass = TRUE;  
// $displayorder (POST value) is interpolated unescaped as well.  
if ($pass) $dbr->query("UPDATE {$dbr->p}article_pages SET displayorder=$displayorder WHERE pageid=$pageid");  
}  
....  
[/code]  
  
Variables $pageid and $articleid are not filtered for dangerous characters, so SQL injection is possible.  
  
  
============================================================================================  
blag.php  
^^^^^^^^^^^  
  
[code]  
.....  
if ($this->id != 0) {  
// $blogid is interpolated into the query unescaped; where it is assigned is outside this excerpt.  
$userid = $dbr->result("SELECT userid FROM {$dbr->p}user_blogs WHERE blogid=$blogid");  
// NOTE(review): as written, a non-admin whose userid *equals* the blog owner's is  
// the one denied access — this reads as an inverted condition; confirm against the full file.  
if (!isadmin() && $data->vars['user']['userid'] == $userid) {  
setstatus('access_denied');  
$this->id = $blogid;  
return $this->show();  
}  
}  
....  
[/code]  
  
Variable $blogid is not filtered for dangerous characters, so SQL injection is possible.  
  
  
[code]  
....  
// $postid is interpolated directly into the WHERE clause; nothing in this  
// excerpt shows it being cast or escaped first.  
$dbr->query("SELECT p.blogid, b.locked, b.allow_comments, b.isprivate, b.userid  
FROM {$dbr->p}user_blog_posts p  
LEFT JOIN {$dbr->p}user_blogs b ON b.blogid=p.blogid  
WHERE p.postid=$postid");  
....  
[/code]  
  
Variable $postid is not filtered for dangerous characters, so SQL injection is possible.  
  
  
============================================================================================  
example  
^^^^^^^^^^^  
http://www.example.com/index.php?m='  
http://www.example.com/index.php?m=member&id='  
http://www.example.com/index.php?m=article&id='  
http://www.example.com/index.php?m=article&op=read&id='  
http://www.example.com/index.php?m=blog&id='  
http://www.example.com/index.php?m=blog&op=getpost&id='  
  
============================================================================================  
CR [ www.svt.nukleon.us ] 2006 г.  
`