Digital Scribe 1.4.1 SQL Injection

`Digital Scribe 1.4.1 Multiple SQL Injection Vulnerabilities  
  
Name Digital Scribe  
Vendor http://www.digital-scribe.org  
Versions Affected 1.4.1  
  
Author Salvatore Fresta aka Drosophila  
Website http://www.salvatorefresta.net  
Contact salvatorefresta [at] gmail [dot] com  
Date 2009-12-11  
  
X. INDEX  
  
I. ABOUT THE APPLICATION  
II. DESCRIPTION  
III. ANALYSIS  
IV. SAMPLE CODE  
V. FIX  
VI. DISCLOSURE TIMELINE  
  
  
I. ABOUT THE APPLICATION  
  
The Digital Scribe is a free, intuitive system designed to  
help teachers put student work and homework assignments  
online.  
  
  
II. DESCRIPTION  
  
This application is affected by many SQL Injection  
security flaws. In order to exploit they, the Magic Quotes  
GPG (php.ini) must be Off except one.  
I tested 1.4.1 version only, however other versions may be  
also vulnerable.  
  
  
III. ANALYSIS  
  
Summary:  
  
A) Multiple SQL Injection  
  
A) Multiple SQL Injection  
  
Multiple SQL Injection issues has been found in Digital  
Scribe version 1.4.1 and no authentication is required  
in order to exploit these vulnerabilities.  
The most issues required the Magic Quotes GPG setted to  
off except one (stuworkdisplay.php).  
For semplicity I reported only this last one vulnerable  
code.  
  
Vulnerable code:  
  
........  
  
$show = mysql_query("SELECT * FROM ".$conf['tbl']['projecttable']."  
WHERE(ID=$HTTP_GET_VARS[ID])");  
  
........  
  
  
IV. SAMPLE CODE  
  
http://site/path/stuworkdisplay.php?ID=-1) UNION ALL SELECT  
version(),user(),3,4,5,6,7,8,9,10,11%23  
  
  
V. FIX  
  
$id = intval($_GET['ID']);  
$show = mysql_query("SELECT * FROM ".$conf['tbl']['projecttable']."  
WHERE(ID=$id)");  
  
  
VIII. DISCLOSURE TIMELINE  
  
2009-12-11 Bug discovered  
2009-12-11 Initial vendor contact  
2009-12-11 Advisory Release  
`