No description provided by source.
Name Digital Scribe Vendor http://www.digital-scribe.org Versions Affected 1.4.1 Author Salvatore Fresta aka Drosophila Website http://www.salvatorefresta.net Contact salvatorefresta [at] gmail [dot] com Date 2009-12-11 X. INDEX I. ABOUT THE APPLICATION II. DESCRIPTION III. ANALYSIS IV. SAMPLE CODE V. FIX VI. DISCLOSURE TIMELINE I. ABOUT THE APPLICATION The Digital Scribe is a free, intuitive system designed to help teachers put student work and homework assignments online. II. DESCRIPTION This application is affected by many SQL Injection security flaws. In order to exploit they, the Magic Quotes GPG (php.ini) must be Off except one. I tested 1.4.1 version only, however other versions may be also vulnerable. III. ANALYSIS Summary: A) Multiple SQL Injection A) Multiple SQL Injection Multiple SQL Injection issues has been found in Digital Scribe version 1.4.1 and no authentication is required in order to exploit these vulnerabilities. The most issues required the Magic Quotes GPG setted to off except one (stuworkdisplay.php). For semplicity I reported only this last one vulnerable code. Vulnerable code: ........ $show = mysql_query("SELECT * FROM ".$conf['tbl']['projecttable']." WHERE(ID=$HTTP_GET_VARS[ID])"); ........ IV. SAMPLE CODE http://site/path/stuworkdisplay.php?ID=-1) UNION ALL SELECT version(),user(),3,4,5,6,7,8,9,10,11%23 V. FIX $id = intval($_GET['ID']); $show = mysql_query("SELECT * FROM ".$conf['tbl']['projecttable']." WHERE(ID=$id)"); VIII. DISCLOSURE TIMELINE 2009-12-11 Bug discovered 2009-12-11 Initial vendor contact 2009-12-11 Advisory Release