Wfsection 1.07 vulnerabilities

2005-03-11T00:00:00
ID SECURITYVULNS:DOC:8038
Type securityvulns
Reporter Securityvulns
Modified 2005-03-11T00:00:00

Description

Program: wfsections Verion: 1.07 Bug Type: SQL Injection Bug Discription: ================================= In file class/wfsfiles.php, we can see this function: //START function getAllbyArticle($articleid) { $db =& Database::getInstance(); $table = $db->prefix("wfs_files"); $ret = array(); $sql = "SELECT * FROM ".$table." WHERE articleid=".$articleid.""; $result = $db->query($sql); while( $myrow = $db->fetchArray($result) ){ $ret[] = new WfsFiles($myrow); } return $ret; } //END Param $articleid inserts into sql-query without any checks, so we can make sql-injection. Example: http://[path]/[folder[/article.php?articleid=1[SQL Code[like OR 1=1]] Patch: replace string $sql = "SELECT * FROM ".$table." WHERE articleid=".$articleid.""; With string $sql = "SELECT * FROM ".$table." WHERE articleid=".intval($articleid).""; ================================= Contact: // irc: #adz @ irc.quakenet.org ADZ Security Team // http://adz.void.ru =================================