Sorry, oss-sec link: http://seclists.org/oss-sec/2014/q1/532
On Sat, Mar 8, 2014 at 11:24 AM, Brandon Perry <[email protected]> wrote:

> The author of the email to the oss-sec says he isn't sure if the linked
> commit fixes the issue and it should.
>
> You can exploit this possibly using a blind time or boolean sqli. This is
> me just playing around after doing some code analysis. Possibly other
> connectors are affected? No idea about whether authentication will be
> needed for all vectors, but in my cursory testing it needed at least a
> PHPSESSID cookie (maybe just get first index to get anon PHPSESSID, who
> knows).
>
> [2014-03-08 11:03:33] (ERROR @ /modx/connectors/lang.js.php) Error 42000
> executing statement:
> Array
> (
> [0] => 42000
> [1] => 1064
> [2] => You have an error in your SQL syntax; check the manual that
> corresponds to your MySQL server version for the right syntax to use near
> '1=1' at line 1
> )
>
> [2014-03-08 11:03:33] (ERROR @ /modx/connectors/lang.js.php) Could not
> prepare context: mgr 1=1
> [2014-03-08 11:03:44] (ERROR @ /modx/connectors/lang.js.php) Error 42S22
> executing statement:
> Array
> (
> [0] => 42S22
> [1] => 1054
> [2] => Unknown column 'mgr' in 'where clause'
> )
>
> [2014-03-08 11:03:44] (ERROR @ /modx/connectors/lang.js.php) Could not
> prepare context: mgr and 1=1
> [2014-03-08 11:03:54] (ERROR @ /modx/connectors/lang.js.php) Error 42S22
> executing statement:
> Array
> (
> [0] => 42S22
> [1] => 1054
> [2] => Unknown column 'mgr' in 'where clause'
> )
>
> --
> http://volatile-minds.blogspot.com -- blog
> http://www.volatileminds.net -- website

--
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
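
Added example, not part of the original thread and not MODX code: a Python check over error-log entries in the format quoted above. It flags "Could not prepare context" entries whose value is not a plain key and attaches the SQLSTATE codes logged just before them. The sample log is constructed, and the rule that legitimate context keys are short identifier-like tokens is an assumption.

```python
import re

# Constructed sample in the format of the log excerpt quoted in the thread.
# The final entry is a constructed benign case: unknown but well-formed key.
SAMPLE_LOG = """\
[2014-03-08 11:03:33] (ERROR @ /modx/connectors/lang.js.php) Error 42000 executing statement:
Array
(
    [1] => 1064
    [2] => You have an error in your SQL syntax; check the manual
)
[2014-03-08 11:03:33] (ERROR @ /modx/connectors/lang.js.php) Could not prepare context: mgr 1=1
[2014-03-08 11:03:44] (ERROR @ /modx/connectors/lang.js.php) Error 42S22 executing statement:
Array
(
    [1] => 1054
    [2] => Unknown column 'mgr' in 'where clause'
)
[2014-03-08 11:03:44] (ERROR @ /modx/connectors/lang.js.php) Could not prepare context: mgr and 1=1
[2014-03-08 11:05:00] (ERROR @ /modx/connectors/lang.js.php) Could not prepare context: oldsite
"""

ENTRY = re.compile(r"^\[(?P<ts>[^\]]+)\] \(ERROR @ (?P<src>[^)]+)\) (?P<msg>.*)$")
SQL_ERROR = re.compile(r"^Error (?P<state>[0-9A-Z]{5}) executing statement:")
CONTEXT = re.compile(r"^Could not prepare context: (?P<key>.*)$")
# Assumption: a legitimate context key is a short identifier-like token.
PLAIN_KEY = re.compile(r"^[A-Za-z0-9_-]{1,100}$")

def find_suspicious(log_text):
    """Return context-load failures whose key contains non-identifier characters."""
    findings, pending = [], {}  # pending: source file -> SQLSTATEs awaiting a context line
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # body of a dumped error array, or a blank line
        src, msg = m["src"], m["msg"]
        sql, ctx = SQL_ERROR.match(msg), CONTEXT.match(msg)
        if sql:
            pending.setdefault(src, []).append(sql["state"])
        elif ctx:
            states = pending.pop(src, [])
            if not PLAIN_KEY.match(ctx["key"]):
                findings.append({"time": m["ts"], "source": src,
                                 "context": ctx["key"], "sqlstates": states})
    return findings

if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_LOG):
        print(finding)
```
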
