//*==========================================*//
\\        GHC -> Subdreamer <- ADVISORY      //
// Product: Subdreamer                       \\
\\ Version: Subdreamer Light                 //
// URL: www.subdreamer.com                   \\
\\ VULNERABILITY CLASS: SQL injection        //
//*==========================================*//

[Product Description]

"Powered by PHP and MySQL, Subdreamer provides the ability to create dynamic websites while giving full control over every section of the site. A powerful content management system with an amazing skin engine which provides users with unique and cool looking skins!" (from homepage).

Subdreamer is a non-free CMS. A freeware version, Subdreamer Light, is available for download.

[Summary]

Insufficient filtering of user-supplied input can lead to an SQL injection vulnerability.

[Details]

When magic_quotes_gpc=0, the superglobal arrays are passed through the addslashes() function:

--[script includes/core.php]--
if(!get_magic_quotes_gpc()) // add slashes if gpc is off
{
    $_POST   = AddSlashesArray($_POST);
    $_GET    = AddSlashesArray($_GET);
    $_COOKIE = AddSlashesArray($_COOKIE);
}
--[/script includes/core.php]--

But inside the script's functions, variables are declared as "global" instead of being read from the $_POST or $_GET arrays. This makes it possible to bypass the addslashes() filtering if register_globals=1.

--[script includes/core.php]--
if(function_exists('ini_get'))
{
    $globalsoption = ini_get('register_globals');
}
else
{
    $globalsoption = get_cfg_var('register_globals');
}

if($globalsoption != 1)
{
    @extract($HTTP_SERVER_VARS, EXTR_SKIP);
    @extract($HTTP_COOKIE_VARS, EXTR_SKIP);
    @extract($HTTP_POST_FILES, EXTR_SKIP);
    @extract($HTTP_POST_VARS, EXTR_SKIP);
    @extract($HTTP_GET_VARS, EXTR_SKIP);
    @extract($HTTP_ENV_VARS, EXTR_SKIP);
    @extract($HTTP_SESSION_VARS, EXTR_SKIP);
}
--[/script includes/core.php]--

In this case an attacker can perform an SQL injection attack through variables which functions declare as global.
[Example]

+--------------+
|SQL injection |
+--------------+

Vulnerable script: plugins/p17_image_gallery/imagegallery.php

--[code]--
function p17_DisplayImages($sectionid, $start)
{
    global $DB;
    global $categoryid;
    global $p17_imageid;
    [...]
    if(isset($p17_imageid))
    {
        $image = $DB->query_first("SELECT * FROM p17_images WHERE imageid = '$p17_imageid'");
    [...]
--[/code]--

[Exploit]

http://subdreamer/index.php?categoryid=3&p17_sectionid=1&p17_imageid=[SQL code]

/* ================================================== */
/* www.ghc.ru -- security games & challenges          */
/* ================================================== */
/* greets to: 1dt.w0lf & RST.void.ru                  */
/* and e-defense group.                               */
/* ================================================== */
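The following is an added stand-alone example, not Subdreamer code, showing the mechanism described in [Details] and a hardened version of the p17_images lookup. It assumes an AddSlashesArray() body written here (the advisory calls the function but does not show it), a constructed request value, and an in-memory SQLite table in place of the product's MySQL schema. Run it with the PHP CLI.

```php
<?php
// Added example (not Subdreamer code). Part 1 shows why addslashes() applied
// to $_GET does not reach a variable that a function pulls in with "global";
// part 2 shows the lookup rewritten with an integer check and a bound parameter.

// Stand-in for the product's AddSlashesArray(): the advisory shows it being
// called, not its body, so this recursive addslashes() wrapper is an assumption.
function AddSlashesArray(array $arr): array
{
    foreach ($arr as $k => $v) {
        $arr[$k] = is_array($v) ? AddSlashesArray($v) : addslashes($v);
    }
    return $arr;
}

// --- Part 1: constructed request carrying a quote character ----------------
$_GET = ['p17_imageid' => "1'"];
$HTTP_GET_VARS = $_GET;   // the legacy long array is a separate copy, not an alias

// core.php escapes the superglobal when magic_quotes_gpc is off ...
$_GET = AddSlashesArray($_GET);
// ... and then extracts the long arrays, whose values were never escaped.
extract($HTTP_GET_VARS, EXTR_SKIP);

// Mirrors p17_DisplayImages(): reads the global, not $_GET, so it sees the raw value.
function p17_BuildQuery(): string
{
    global $p17_imageid;
    return "SELECT * FROM p17_images WHERE imageid = '$p17_imageid'";
}

echo "escaped \$_GET value  : {$_GET['p17_imageid']}\n";  // 1\'
echo "global seen by function: $p17_imageid\n";          // 1'
echo "query actually built   : " . p17_BuildQuery() . "\n";

// --- Part 2: hardened lookup -----------------------------------------------
// Reads the parameter explicitly from the request array, rejects anything that
// is not an integer (imageid is numeric), and binds it through a prepared
// statement so the value is never concatenated into SQL.
function fetchImage(PDO $db, array $request): ?array
{
    $id = filter_var($request['p17_imageid'] ?? null, FILTER_VALIDATE_INT);
    if ($id === false) {
        return null;   // reject before any SQL is built
    }
    $stmt = $db->prepare('SELECT * FROM p17_images WHERE imageid = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed in-memory table standing in for the product's MySQL schema.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE p17_images (imageid INTEGER PRIMARY KEY, title TEXT)');
$db->exec("INSERT INTO p17_images VALUES (1, 'first'), (2, 'second')");

var_dump(fetchImage($db, ['p17_imageid' => '2']));   // row with imageid 2
var_dump(fetchImage($db, ['p17_imageid' => "1'"]));  // NULL: rejected by the integer check
var_dump(fetchImage($db, []));                       // NULL: parameter missing
```

The first part prints the escaped $_GET value beside the unescaped global, which is the gap the advisory describes: escaping one copy of the input does nothing for a second copy that the function actually reads. The hardened function closes it in two independent ways, by reading from the request array it validates rather than from a global, and by binding the value instead of interpolating it, so even a non-numeric column would be safe.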