CR Advisory#1

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  program: Seir Anphin v666 Community Management System
      bug: SQL injection
home page: www.comeplaydying.com
bug found: 27.07.2006

discovered by CR
www.svt.nukleon.us
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


~! Details !~

============================================================================================

index.php

^^^^^^^^^


[code]
....
if (isset($HTTP_GET_VARS['styleid'])) {
    $styleid = $HTTP_GET_VARS['styleid'];
    $dbr->query("UPDATE {$dbr->p}user_options SET skin=$styleid WHERE userid=$userinfo[userid]");
.....
[/code]

The variable $userinfo is not filtered for dangerous characters, so SQL injection is possible.



[code]
.....
function loadskin($skinid)
{
    GLOBAL $dbr,$data;

    $dbr->query("SELECT * FROM {$dbr->p}skins WHERE skinid=$skinid");
.....
[/code]

The variable $skinid is not filtered for dangerous characters, so SQL injection is possible.

============================================================================================

article.php

^^^^^^^^^^^


[code]
....
if ($this->id != 0) {
    $a['breadcrumbs'] = '';
    $catid = $this->id;
    $c = 1;
    while ($c <= getsetting('max_crumb_depth')) {
        if ($catid == 0) break;
        $dbr->query("SELECT parentid,name,accesslvl_to_read,accesslvl_to_contribute,archive_mode
                     FROM {$dbr->p}article_categories WHERE catid=$catid");
        $cat = $dbr->getarray();
        $crumb_array[] = array('id'=>$catid,
                               'name'=>stripslashes($cat['name']),
                               'accesslvl_to_read'=>$cat['accesslvl_to_read'],
                               'accesslvl_to_contribute'=>$cat['accesslvl_to_contribute']);
        $catid = $cat['parentid'];
        $c++;
    }
....
[/code]

The variable $catid is not filtered for dangerous characters, so SQL injection is possible.



[code]
....
foreach ($HTTP_POST_VARS['orders'] as $pageid=>$displayorder) {
    // Ensure, at this level, that user has admin, editor or author permission to do this.
    $pass = FALSE;
    if (isadmin() || iseditor()) $pass = TRUE;
    $articleid = $dbr->result("SELECT articleid FROM {$dbr->p}article_pages WHERE pageid=$pageid");
    $authorid  = $dbr->result("SELECT userid    FROM {$dbr->p}articles      WHERE articleid=$articleid");
    if ($data->vars['user']['userid'] == $authorid) $pass = TRUE;
    if ($pass) $dbr->query("UPDATE {$dbr->p}article_pages SET displayorder=$displayorder WHERE pageid=$pageid");
}
....
[/code]

The variables $pageid and $articleid are not filtered for dangerous characters, so SQL injection is possible.



============================================================================================

blag.php

^^^^^^^^^^^


[code]
.....
if ($this->id != 0) {
    $userid = $dbr->result("SELECT userid FROM {$dbr->p}user_blogs WHERE blogid=$blogid");
    if (!isadmin() && $data->vars['user']['userid'] == $userid) {
        setstatus('access_denied');
        $this->id = $blogid;
        return $this->show();
    }
}
....
[/code]

The variable $blogid is not filtered for dangerous characters, so SQL injection is possible.



[code]
....
$dbr->query("SELECT p.blogid, b.locked, b.allow_comments, b.isprivate, b.userid
             FROM {$dbr->p}user_blog_posts p
             LEFT JOIN {$dbr->p}user_blogs b ON b.blogid=p.blogid
             WHERE p.postid=$postid");
....
[/code]

The variable $postid is not filtered for dangerous characters, so SQL injection is possible.
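Every snippet quoted in this advisory builds its SQL by interpolating an id straight into the query string. The PHP below is an added example, not code from Seir Anphin or from this advisory: it shows the defensive shape for the same queries, validating each id as a non-negative integer and then binding it as a prepared-statement parameter instead of interpolating it. The product's $dbr wrapper is not available here, so the example uses PDO against an in-memory SQLite database; the table-prefix value, the PDO setup, the sample rows and the helper names (requireId, setSkin, loadSkin, reorderPages) are all constructed for the example. setSkin and loadSkin cover the index.php queries (note that $styleid there is read directly from $HTTP_GET_VARS), reorderPages covers the article.php orders loop with its author check kept, and the breadcrumb lookup by $catid and the blag.php lookups by $blogid and $postid take the same shape as loadSkin.

```php
<?php
// Added example (not Seir Anphin code): hardened versions of the advisory's queries.
// Table and column names follow the advisory; everything else is constructed so
// that the script runs stand-alone with the pdo_sqlite extension.

/** Accept only a non-negative integer id (as int or digit string); reject anything else. */
function requireId($value): int
{
    if (!is_string($value) && !is_int($value)) {
        throw new InvalidArgumentException('id must be a scalar');
    }
    $s = (string) $value;
    if (!ctype_digit($s) || strlen($s) > 18) {   // no quotes, spaces, signs or overflow
        throw new InvalidArgumentException("invalid id: $s");
    }
    return (int) $s;
}

/** index.php skin change: the id is validated and bound, never interpolated. */
function setSkin(PDO $pdo, string $p, int $userid, $styleid): void
{
    $st = $pdo->prepare("UPDATE {$p}user_options SET skin = :skin WHERE userid = :uid");
    $st->execute([':skin' => requireId($styleid), ':uid' => $userid]);
}

/** index.php loadskin(): same query as the advisory, with a bound parameter. */
function loadSkin(PDO $pdo, string $p, $skinid): ?array
{
    $st = $pdo->prepare("SELECT * FROM {$p}skins WHERE skinid = ?");
    $st->execute([requireId($skinid)]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

/** article.php orders loop: POST keys and values are both validated; author check kept. */
function reorderPages(PDO $pdo, string $p, int $currentUser, bool $isStaff, array $orders): int
{
    $pageQ  = $pdo->prepare("SELECT articleid FROM {$p}article_pages WHERE pageid = ?");
    $authQ  = $pdo->prepare("SELECT userid FROM {$p}articles WHERE articleid = ?");
    $update = $pdo->prepare("UPDATE {$p}article_pages SET displayorder = ? WHERE pageid = ?");
    $changed = 0;
    foreach ($orders as $pageid => $displayorder) {
        $pageid       = requireId($pageid);        // array keys from POST are attacker-chosen too
        $displayorder = requireId($displayorder);
        $pageQ->execute([$pageid]);
        $articleid = $pageQ->fetchColumn();
        if ($articleid === false) {
            continue;                              // unknown page: nothing to do
        }
        $authQ->execute([(int) $articleid]);
        $authorid = $authQ->fetchColumn();
        if ($isStaff || ($authorid !== false && (int) $authorid === $currentUser)) {
            $update->execute([$displayorder, $pageid]);
            $changed += $update->rowCount();
        }
    }
    return $changed;
}

// Constructed fixture: $p stands in for the advisory's {$dbr->p} table prefix.
$p   = 'sa_';
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE {$p}skins (skinid INTEGER PRIMARY KEY, name TEXT)");
$pdo->exec("CREATE TABLE {$p}user_options (userid INTEGER PRIMARY KEY, skin INTEGER)");
$pdo->exec("CREATE TABLE {$p}articles (articleid INTEGER PRIMARY KEY, userid INTEGER)");
$pdo->exec("CREATE TABLE {$p}article_pages (pageid INTEGER PRIMARY KEY, articleid INTEGER, displayorder INTEGER)");
$pdo->exec("INSERT INTO {$p}skins VALUES (1, 'default'), (2, 'dark')");
$pdo->exec("INSERT INTO {$p}user_options VALUES (7, 1)");
$pdo->exec("INSERT INTO {$p}articles VALUES (10, 7)");
$pdo->exec("INSERT INTO {$p}article_pages VALUES (100, 10, 1), (101, 10, 2)");

setSkin($pdo, $p, 7, '2');
echo "user 7 skin: ", loadSkin($pdo, $p, '2')['name'], "\n";
echo "pages reordered by author: ", reorderPages($pdo, $p, 7, false, ['101' => '1', '100' => '2']), "\n";
echo "pages reordered by stranger: ", reorderPages($pdo, $p, 8, false, ['101' => '2']), "\n";
try {
    loadSkin($pdo, $p, "1'");                      // the probe from the advisory's example URLs
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```

The two layers are deliberate: requireId stops malformed ids at the boundary with a clear error, and the bound parameter means that even an id that slips through validation can never change the query's structure. Where an id legitimately comes from the application's own state (such as $catid walking up parentid in the breadcrumb loop) the same bound-parameter form applies, since that value also originates in user-supplied data.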



============================================================================================

example
^^^^^^^^^^^

http://www.example.com/index.php?m='
http://www.example.com/index.php?m=member&id='
http://www.example.com/index.php?m=article&id='
http://www.example.com/index.php?m=article&op=read&id='
http://www.example.com/index.php?m=blog&id='
http://www.example.com/index.php?m=blog&op=getpost&id='
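Rather than probing a running site with the URLs above, the same flaw class can be located in source during review. The PHP below is an added audit heuristic, not part of this advisory or of the product: it scans source lines for query()/result() calls whose double-quoted SQL string still contains an interpolated variable other than the {$dbr->p} table prefix, which is exactly the shape of every vulnerable line quoted here. The sample source is constructed from those quoted shapes plus two already-safe lines, and the function name findInterpolatedSql is the example's own.

```php
<?php
// Added example (not part of the advisory): flag DB calls that interpolate a
// PHP variable into a double-quoted SQL string. Constructed sample source below,
// modelled on the lines quoted in the advisory; the last two lines are safe.
$sample = <<<'SRC'
$dbr->query("UPDATE {$dbr->p}user_options SET skin=$styleid WHERE userid=$userinfo[userid]");
$dbr->query("SELECT * FROM {$dbr->p}skins WHERE skinid=$skinid");
$dbr->result("SELECT userid FROM {$dbr->p}user_blogs WHERE blogid=$blogid");
$dbr->query("SELECT * FROM {$dbr->p}skins WHERE skinid=" . intval($skinid));
$st = $pdo->prepare("SELECT * FROM {$dbr->p}skins WHERE skinid = ?");
SRC;

/**
 * Return one finding (line number and variable) per variable interpolated inside
 * a double-quoted string passed to ->query() or ->result(). The table-prefix
 * placeholder {$dbr->p} is exempt because it is not user-controlled.
 */
function findInterpolatedSql(string $source): array
{
    $findings = [];
    foreach (explode("\n", $source) as $n => $line) {
        // Capture the double-quoted literal handed to the DB wrapper, if any.
        if (!preg_match_all('/->(?:query|result)\(\s*"([^"]*)"/', $line, $calls)) {
            continue;
        }
        foreach ($calls[1] as $sql) {
            $sql = str_replace('{$dbr->p}', '', $sql);           // exempt the prefix
            if (preg_match_all('/\$\w+(?:\[\w+\])?/', $sql, $vars)) {
                foreach ($vars[0] as $v) {
                    $findings[] = ['line' => $n + 1, 'variable' => $v];
                }
            }
        }
    }
    return $findings;
}

foreach (findInterpolatedSql($sample) as $f) {
    printf("line %d: %s interpolated into SQL\n", $f['line'], $f['variable']);
}
```

The heuristic only inspects string literals that sit directly in the call, so a query assembled into a variable first is not caught; it is a triage aid for finding the advisory's pattern quickly, not a replacement for reviewing each query's data flow.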


============================================================================================

                              CR [ www.svt.nukleon.us ] 2006
