`CR Advisory#1
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
programm: Seir Anphin v666 Community Management System
bug: SQL injection
home page: www.comeplaydying.com
bug found: 27.07.2006
discovered by CR
www.svt.nukleon.us
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~! Details !~
============================================================================================
index.php
^^^^^^^^^
[code]
....
if (isset($HTTP_GET_VARS['styleid'])) {
$styleid = $HTTP_GET_VARS['styleid'];
$dbr->query("UPDATE {$dbr->p}user_options SET skin=$styleid WHERE userid=$userinfo[userid]");
.....
[/code]
Variable $userinfo is not filtered on presence dangerous symbol, thank that, possible
produce SQL injection
[code]
.....
function loadskin($skinid)
{
GLOBAL $dbr,$data;
$dbr->query("SELECT * FROM {$dbr->p}skins WHERE skinid=$skinid");
.....
[/code]
Variable $skinid is not filtered on presence dangerous symbol, thank that, possible
produce SQL injection
============================================================================================
article.php
^^^^^^^^^^^
[code]
....
if ($this->id != 0) {
$a['breadcrumbs'] = '';
$catid = $this->id;
$c = 1;
while ($c <= getsetting('max_crumb_depth')) {
if ($catid == 0) break;
$dbr->query("SELECT parentid,name,accesslvl_to_read,accesslvl_to_contribute,archive_mode FROM {$dbr->p}article_categories WHERE catid=$catid");
$cat = $dbr->getarray();
$crumb_array[] = array('id'=>$catid, 'name'=>stripslashes($cat['name']), 'accesslvl_to_read'=>$cat['accesslvl_to_read'], 'accesslvl_to_contribute'=>$cat['accesslvl_to_contribute']);
$catid = $cat['parentid'];
$c++;
}
....
[/code]
Variable $catid is not filtered on presence dangerous symbol, thank that, possible
produce SQL injection
[code]
....
foreach ($HTTP_POST_VARS['orders'] as $pageid=>$displayorder) {
// Ensure, at this level, that user has admin, editor or author permission to do this.
$pass = FALSE;
if (isadmin() || iseditor()) $pass = TRUE;
$articleid = $dbr->result("SELECT articleid FROM {$dbr->p}article_pages WHERE pageid=$pageid");
$authorid = $dbr->result("SELECT userid FROM {$dbr->p}articles WHERE articleid=$articleid");
if ($data->vars['user']['userid'] == $authorid) $pass = TRUE;
if ($pass) $dbr->query("UPDATE {$dbr->p}article_pages SET displayorder=$displayorder WHERE pageid=$pageid");
}
....
[/code]
Variable $pageid, $articleid are not filtered on presence dangerous symbol, thank that,
possible produce SQL injection
============================================================================================
blag.php
^^^^^^^^^^^
[code]
.....
if ($this->id != 0) {
$userid = $dbr->result("SELECT userid FROM {$dbr->p}user_blogs WHERE blogid=$blogid");
if (!isadmin() && $data->vars['user']['userid'] == $userid) {
setstatus('access_denied');
$this->id = $blogid;
return $this->show();
}
}
....
[/code]
Variable $blogid is not filtered on presence dangerous symbol, thank that, possible
produce SQL injection
[code]
....
$dbr->query("SELECT p.blogid, b.locked, b.allow_comments, b.isprivate, b.userid
FROM {$dbr->p}user_blog_posts p
LEFT JOIN {$dbr->p}user_blogs b ON b.blogid=p.blogid
WHERE p.postid=$postid");
....
[/code]
Variable $postid is not filtered on presence dangerous symbol, thank that, possible
produce SQL injection
============================================================================================
example
^^^^^^^^^^^
http://www.example.com/index.php?m='
http://www.example.com/index.php?m=member&id='
http://www.example.com/index.php?m=article&id='
http://www.example.com/index.php?m=article&op=read&id='
http://www.example.com/index.php?m=blog&id='
http://www.example.com/index.php?m=blog&op=getpost&id='
============================================================================================
CR [ www.svt.nukleon.us ] 2006 ã.
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation