addalink <= 4 Write Approved Links Remote Vulnerability

{"type": "zdt", "lastseen": "2016-04-20T01:33:09", "bulletinFamily": "exploit", "cvelist": [], "history": [], "title": "addalink <= 4 Write Approved Links Remote Vulnerability", "published": "2008-09-17T00:00:00", "href": "http://0day.today/exploit/description/3685", "cvss": {"vector": "NONE", "score": 0}, "description": "Exploit for unknown platform in category web applications", "hash": "9f78b94a534b00b108bb451c16910bf72dfdfbd2e14fcf005ecf3941e7f90adf", "references": [], "objectVersion": "1.0", "edition": 1, "sourceData": "=======================================================\r\naddalink <= 4 Write Approved Links Remote Vulnerability\r\n=======================================================\r\n\r\n\r\n-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\r\naddalink <= 4 - beta / Write approved links without a previous moderation by the admin\r\n-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\r\n\r\n$ Program: addalink\r\n$ Version: <= 4 - beta\r\n$ File affected: add_link.php\r\n$ Download: http://sourceforge.net/projects/addalink/\r\n\r\n\r\nLinklist is a miniwebsite that you can use in your webpage. Basically it \r\nmanages a database of links using PHP+MySQL. Users can send links (url, \r\ndescription, etc) by a form and one admin has to approve or delete the \r\nlinks before the publication in the website.\r\n\r\nOne not very important problem is that add_link.php doesn't test the \r\nmethod used (GET or POST). But the real problem is the method to insert \r\nsome values. \r\n\r\nReading the code you can see the SQL sentence:\r\n\r\nINSERT INTO $linktable VALUES('0','$url','$linkname','$approved=0','$email',\r\n '$counter=0','$description','$ip','$date','$category_id','0')\";\r\n\r\nIt asign values to approved and counter directly in the SQL sentence. For that,\r\nyou can enter links approved without moderation writing this:\r\n\r\nhttp://domain/add_link.php?url=http://www.domain.com&linkname=name_of_the_link\r\n&approved=1&email=my@email.com&description=blablablablablablabla&category_id=1\r\n\r\nAlso you can alter the counter of visits if you add &counter=XXXX to the GET\r\n\r\n\r\n-= Solution =-\r\n\r\n\r\n$approved = 0;\r\n$counter = 0;\r\n\r\nINSERT INTO $linktable VALUES('0','$url','$linkname','$approved','$email',\r\n '$counter','$description','$ip','$date','$category_id','0')\";\r\n\r\n\r\n\r\n\n# 0day.today [2016-04-20] #", "id": "1337DAY-ID-3685", "sourceHref": "http://0day.today/exploit/3685", "modified": "2008-09-17T00:00:00", "reporter": "Pepelux", "enchantments": {"vulnersScore": 6.4}}