SVadvisory#13
title: SQL injection
product: MYFAQ
version: V1.0
site: http://vpontier.free.fr/
<?php
…
$Requete = "SELECT LIBELLE FROM THEMES WHERE ID_THEME = $Theme";
$Liste = mysql_db_query($Base,$Requete);
$Ret = mysql_fetch_array($Liste);
....
$Requete = "SELECT LIBELLE FROM SOUSTHEMES WHERE ID_SOUSTHEME = $SousTheme";
$Liste = mysql_db_query($Base,$Requete);
$Ret = mysql_fetch_array($Liste);
....
$Requete="SELECT * FROM SOLUTIONS WHERE ID_FAQ = $Question";
$Liste = mysql_db_query($Base,$Requete);
?>
<?php
…
$Requete = "SELECT * FROM THEMES WHERE ID_THEME = $Theme";
$TitreTh = mysql_query($Requete,$Connect_MySql);
....
?>
<?php
…
$Requete = "SELECT * FROM FAQ WHERE ID_THEME = $Theme AND ID_SOUSTHEME = $SousTheme ORDER BY DATECRE;";
$ListeFaq = mysql_db_query($Base,$Requete);
....
$Requete = "SELECT * FROM THEMES WHERE ID_THEME = $Theme;";
$TitreTh = mysql_query($Requete,$Connect_MySql);
....
$Requete = "SELECT * FROM SOUSTHEMES WHERE ID_SOUSTHEME = $SousTheme";
$TitreSTh = mysql_db_query($Base,$Requete);
....
?>
<?php
....
$Requete = "SELECT * FROM FAQ WHERE ID_FAQ = $Faq";
$ResIns = mysql_db_query($Base,$Requete);
....
?>
The variable $Faq is not filtered for dangerous characters, which results in a
critical SQL injection.
=======================================================================================
In the same way, in the following file the variables $Theme, $SousTheme and $Faq are not
filtered for dangerous characters:
$Theme $SousTheme $Faq
CENSORED ~ Search Vulnerabilities Team ~ http://svt.nukleon.us
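
Every query quoted above places a request variable directly into SQL where a numeric id is expected. The following is an added example, not MYFAQ code and not from the advisory's authors, showing one way to close this: validate the id as a positive integer, then bind it as a parameter. Assumptions: the helper names faq_id_or_null and theme_label are hypothetical, and an in-memory SQLite database with constructed rows stands in for the MySQL backend so the block runs offline (requires the pdo_sqlite extension).

```php
<?php
// Added example, not MYFAQ code. THEMES, ID_THEME and LIBELLE come from the
// advisory; the helper names and the SQLite stand-in are assumptions.

/** Return a positive integer id, or null when the request value is not one. */
function faq_id_or_null($raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/** Look up a theme label with a bound parameter instead of string interpolation. */
function theme_label(PDO $db, $rawTheme): ?string
{
    $id = faq_id_or_null($rawTheme);
    if ($id === null) {
        return null;                       // rejected before any SQL is built
    }
    $stmt = $db->prepare('SELECT LIBELLE FROM THEMES WHERE ID_THEME = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $label = $stmt->fetchColumn();         // false when no row matches
    return $label === false ? null : (string) $label;
}

// Constructed sample data in an in-memory SQLite database (stand-in for MySQL).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE THEMES (ID_THEME INTEGER PRIMARY KEY, LIBELLE TEXT)');
$db->exec("INSERT INTO THEMES VALUES (1, 'Install'), (2, 'Usage')");

// Constructed request values: one valid id, the others not positive integers.
foreach (['2', '2abc', '-1', '0', '', ['2']] as $raw) {
    $label = theme_label($db, $raw);
    printf("%-8s => %s\n", json_encode($raw), $label ?? 'rejected');
}
```

The same pattern applies to $SousTheme, $Question and $Faq in the other queries; the mysql_db_query and mysql_query functions used in the original code were removed in PHP 7, so PDO or mysqli prepared statements are the replacement in any case.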