SECURITYVULNS:DOC:9407
Aug 09, 2005 - 12:00 a.m.

[SVadvisory#13] - SQL injection in MYFAQ 1.0


SVadvisory#13


title: SQL injection
product: MYFAQ
version: V1.0
site: http://vpontier.free.fr/


=====================================================================================
Vulnerability

1) affichagefaq.php3 Code:

<?php

    // $Theme is taken straight from the request and interpolated into the query
    $Requete = "SELECT LIBELLE FROM THEMES WHERE ID_THEME = $Theme";
    $Liste = mysql_db_query($Base,$Requete);
    $Ret = mysql_fetch_array($Liste);

 ....

    // $SousTheme: same pattern, no filtering
    $Requete = "SELECT LIBELLE FROM SOUSTHEMES WHERE ID_SOUSTHEME = $SousTheme";
    $Liste = mysql_db_query($Base,$Requete);
    $Ret = mysql_fetch_array($Liste);

 ....

    // $Question: same pattern, no filtering
    $Requete="SELECT * FROM SOLUTIONS WHERE ID_FAQ = $Question";
    $Liste = mysql_db_query($Base,$Requete);

?>

The variables $Theme, $SousTheme and $Question are placed into the query without
being filtered for dangerous characters, which allows SQL injection.

2) choixsoustheme.php3 code:

<?php

    // $Theme is interpolated into the query unfiltered
    $Requete = "SELECT * FROM THEMES WHERE ID_THEME = $Theme";
    $TitreTh = mysql_query($Requete,$Connect_MySql);

 ....

?>

In the same way, in choixsoustheme.php3 the variable $Theme is not filtered for
dangerous characters, which allows SQL injection.

3) consultation.php3 code:

<?php

    // $Theme and $SousTheme are both interpolated into the query unfiltered
    $Requete = "SELECT * FROM FAQ WHERE ID_THEME = $Theme AND ID_SOUSTHEME = $SousTheme ORDER BY DATECRE;";
    $ListeFaq = mysql_db_query($Base,$Requete);

 ....

    $Requete = "SELECT * FROM THEMES WHERE ID_THEME = $Theme;";
    $TitreTh = mysql_query($Requete,$Connect_MySql);

 ....

    $Requete = "SELECT * FROM SOUSTHEMES WHERE ID_SOUSTHEME = $SousTheme";
    $TitreSTh = mysql_db_query($Base,$Requete);

 ....
?>

The variables $Theme and $SousTheme are not filtered for dangerous characters,
so these queries are vulnerable to SQL injection.

4) inssolution.php3 code:

 <?php
   ....

       // $Faq is interpolated into the query unfiltered
       $Requete = "SELECT * FROM FAQ WHERE ID_FAQ = $Faq";
       $ResIns = mysql_db_query($Base,$Requete);

   ....
 ?>

The variable $Faq is not filtered for dangerous characters, which allows SQL
injection.

=======================================================================================
In the same way, in the following files the variables $Theme, $SousTheme and
$Faq are not filtered for dangerous characters (each variable is listed with
the files that use it unfiltered):

$Theme:      insfaq.php3, inssoustheme.php3, instheme.php3, saisiefaqtotale.php3,
             saisiesoustheme.php3, voirfaq.php3
$SousTheme:  insfaq.php3, inssoustheme.php3, saisiefaq.php3, saisiefaqtotale.php3,
             voirfaq.php3
$Faq:        saisiefaq.php3, voirfaq.php3
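Every script above follows one pattern: a request value ($Theme, $SousTheme, $Question or $Faq, presumably populated by register_globals) is interpolated into a query string and handed to mysql_db_query()/mysql_query(). The following is an added example, not MYFAQ's own code, showing how the affichagefaq.php3 lookup would look with the fix applied two ways: the minimal cast-to-int that keeps the old mysql_* API, and a PDO prepared statement. The table and column names (THEMES, LIBELLE, ID_THEME) are the ones quoted in the advisory; the function names, the DSN and the credentials are assumptions and placeholders.

```php
<?php
// Added example, not MYFAQ code: the affichagefaq.php3 lookup with the request
// value validated as an integer and bound as a parameter instead of being
// interpolated into the SQL string. DSN and credentials are placeholders.
declare(strict_types=1);

/**
 * Return $request[$name] as a positive integer, or null when it is absent or
 * not a plain integer. MYFAQ's ID_THEME / ID_SOUSTHEME / ID_FAQ values are
 * numeric keys, so anything else is rejected before it reaches the database.
 */
function requireId(array $request, string $name): ?int
{
    if (!isset($request[$name])) {
        return null;
    }
    $value = filter_var($request[$name], FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    return $value === false ? null : $value;
}

/**
 * Minimal fix for the original mysql_db_query() code: cast to int before the
 * value is placed in the query string. An integer cannot carry SQL syntax, so
 *   "SELECT LIBELLE FROM THEMES WHERE ID_THEME = $Theme"
 * is safe once $Theme is guaranteed to be an int. Note that (int) silently
 * turns non-numeric input into 0, so validate with requireId() first.
 */
function themeQueryWithCast(string $rawTheme): string
{
    $theme = (int) $rawTheme;
    return "SELECT LIBELLE FROM THEMES WHERE ID_THEME = $theme";
}

/**
 * Preferred fix: a prepared statement. The ID travels to the server as a
 * bound parameter and is never parsed as part of the SQL text.
 */
function fetchThemeLabel(PDO $pdo, int $themeId): ?string
{
    $stmt = $pdo->prepare('SELECT LIBELLE FROM THEMES WHERE ID_THEME = :id');
    $stmt->bindValue(':id', $themeId, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : (string) $row['LIBELLE'];
}

// Request handling as affichagefaq.php3 would do it: reject bad input with a
// 400 before any query runs, instead of letting the raw request value reach SQL.
$themeId = requireId($_GET, 'Theme');
if ($themeId === null) {
    http_response_code(400);
    exit('Theme must be a positive integer');
}

$pdo = new PDO(
    'mysql:host=localhost;dbname=myfaq;charset=utf8mb4', // placeholder DSN
    'myfaq_user',                                        // placeholder user
    'placeholder_password',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
    ]
);

$libelle = fetchThemeLabel($pdo, $themeId);
if ($libelle === null) {
    http_response_code(404);
    exit('Unknown theme');
}
// Escape on output as well, since LIBELLE is rendered into HTML.
echo htmlspecialchars($libelle, ENT_QUOTES, 'UTF-8');
```

The same two changes apply to every query listed in the advisory: validate each of $Theme, $SousTheme, $Question and $Faq as an integer at the top of the script, then either cast before interpolation or bind it as a parameter. Disabling emulated prepares makes PDO send the statement and the value separately to MySQL, which is what removes the injection surface rather than merely escaping it.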

Newer versions do not contain these vulnerabilities.

Bug found by:

CENSORED ~ Search Vulnerabilities Team ~ http://svt.nukleon.us