Bugtraq mailing list archives
Wfsection 1.07 vulnerabilities
From: kreon <kre0n () mail ru>
Date: Tue, 8 Mar 2005 22:05:54 +0300
Program: wfsections
Version: 1.07
Bug Type: SQL Injection
Bug Description:
=================================
In file class/wfsfiles.php, we can see this function:

//START
function getAllbyArticle($articleid) {
    $db =& Database::getInstance();
    $table = $db->prefix("wfs_files");
    $ret = array();
    $sql = "SELECT * FROM ".$table." WHERE articleid=".$articleid."";
    $result = $db->query($sql);
    while( $myrow = $db->fetchArray($result) ){
        $ret[] = new WfsFiles($myrow);
    }
    return $ret;
}
//END

The parameter $articleid is inserted into the SQL query without any checks, so SQL injection is possible.

Example:
http://[path]/[folder[/article.php?articleid=1[SQL Code[like OR 1=1]]

Patch: replace the string
    $sql = "SELECT * FROM ".$table." WHERE articleid=".$articleid."";
with the string
    $sql = "SELECT * FROM ".$table." WHERE articleid=".intval($articleid)."";
=================================
Contact: // irc: #adz @ irc.quakenet.org
ADZ Security Team // http://adz.void.ru
=================================
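
The flaw and the patch described in the advisory, as an added example (not part of the original post and not wfsections code): it runs the concatenated query, the intval() patch, and a bound-parameter variant with strict validation against a constructed in-memory SQLite table. The function names, the sample rows and the use of PDO with pdo_sqlite are assumptions; only the table name, the column name and the query shape come from the advisory.

```php
<?php
// Added example: constructed rows in an in-memory SQLite table (needs pdo_sqlite).
// Table and column names mirror the advisory; everything else is hypothetical.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE wfs_files (fileid INTEGER PRIMARY KEY, articleid INTEGER, filename TEXT)');
$db->exec("INSERT INTO wfs_files (articleid, filename)
           VALUES (1, 'a.txt'), (1, 'b.txt'), (2, 'c.txt'), (3, 'd.txt')");

// Original pattern: the request value is concatenated into the statement.
function countConcatenated(PDO $db, $articleid): int {
    $sql = "SELECT COUNT(*) FROM wfs_files WHERE articleid=" . $articleid;
    return (int) $db->query($sql)->fetchColumn();
}

// Advisory's patch: intval() keeps only the leading integer of the value,
// so trailing SQL never reaches the query.
function countIntval(PDO $db, $articleid): int {
    $sql = "SELECT COUNT(*) FROM wfs_files WHERE articleid=" . intval($articleid);
    return (int) $db->query($sql)->fetchColumn();
}

// Bound parameter plus strict validation: malformed input is rejected
// instead of being silently truncated to some article id.
function countBound(PDO $db, $articleid): int {
    $id = filter_var($articleid, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('articleid must be a positive integer');
    }
    $stmt = $db->prepare('SELECT COUNT(*) FROM wfs_files WHERE articleid = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return (int) $stmt->fetchColumn();
}

// Compare the three variants on a well-formed id and on the advisory's "OR 1=1" input.
foreach (['1', '1 OR 1=1'] as $input) {
    printf("input %-12s concatenated=%d intval=%d ", var_export($input, true),
        countConcatenated($db, $input), countIntval($db, $input));
    try {
        printf("bound=%d\n", countBound($db, $input));
    } catch (InvalidArgumentException $e) {
        printf("bound=rejected (%s)\n", $e->getMessage());
    }
}
```

With the second input the concatenated query matches every row in the table, the intval() variant matches only the rows for article 1, and the validated variant refuses the request, which also leaves a clear signal for logging.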