olatedownload-sql.txt

2007-08-24T00:00:00
ID PACKETSTORM:58786
Type packetstorm
Reporter imei addmimistrator
Modified 2007-08-24T00:00:00

Description

                                        
                                            `-Summary-  
Software: Olate Download  
Sowtwares Web Site: http://www.olate.co.uk/  
Versions: 3.4.2  
Class: Remote  
Status: Unpatched  
Exploit: Available  
Solution: Not Available  
Discovered by: imei addmimistrator  
Risk Level: Middel  
Description  
Olate download is prone to SQL injection in download.php file.  
Lack of programmers knowledge about HTTP headers and process of assigning value to predefined global arrays, resulted to this bug.With a shallow look, on line app. 118-127 youll understand that programmers trusted to headers HTTP_REFERER and HTTP_USER_AGENT, unaware that hackers can modify them for his abuse.  
code:119,download.php  
$dbim->query(INSERT INTO .DB_PREFIX.stats  
SET file_id = .$_REQUEST[file].,  
timestamp = .time().,  
ip = .$_SERVER[REMOTE_ADDR].,  
referrer = xx.$_SERVER[HTTP_REFERER].,  
user_agent = .$_SERVER[HTTP_USER_AGENT].);  
Exploit-  
headers:  
reffered: sql  
OR  
user agent: sql  
Solution  
Not any updates available~  
Credit  
Discovered by: imei addmimistrator  
addmimistrator(4}gmail(O}com  
www.myimei.com  
  
`