[SVadvisory#13] - SQL injection in MYFAQ 1.0

svtsvt.nukleon.us
Date: Sat Aug 06 2005 - 18:58:53 CDT


SVadvisory#13
*******************************
  title: SQL injection
product: MYFAQ
version: V1.0
   site: http://vpontier.free.fr/
*******************************
=====================================================================================
Vulnerability
==============

1) affichagefaq.php3 Code:
--------------------------
   <?php
     ....
    
        $Requete = "SELECT LIBELLE FROM THEMES WHERE ID_THEME = $Theme";
        $Liste = mysql_db_query($Base,$Requete);
        $Ret = mysql_fetch_array($Liste);
     
     ....
    
        $Requete = "SELECT LIBELLE FROM SOUSTHEMES WHERE ID_SOUSTHEME = $SousTheme";
        $Liste = mysql_db_query($Base,$Requete);
        $Ret = mysql_fetch_array($Liste);

     ....

        $Requete="SELECT * FROM SOLUTIONS WHERE ID_FAQ = $Question";
        $Liste = mysql_db_query($Base,$Requete);

   ?>

The variables $Theme, $SousTheme and $Question are placed directly into the query
without being filtered for dangerous characters, which allows SQL injection.
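The pattern above, with a defender's fix beside it, as an added example that is not part of the advisory or of MYFAQ: the advisory's THEMES query is re-created in Python over an in-memory SQLite table (the table rows are constructed here, and the column names are taken from the advisory's queries), once with the parameter interpolated into the SQL text as affichagefaq.php3 does, and once with integer validation plus parameter binding.

```python
import re
import sqlite3

# Constructed stand-in for the MYFAQ THEMES table (sample rows are invented;
# column names ID_THEME and LIBELLE come from the advisory's queries).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE THEMES (ID_THEME INTEGER PRIMARY KEY, LIBELLE TEXT)")
    conn.executemany("INSERT INTO THEMES VALUES (?, ?)",
                     [(1, "Installation"), (2, "Configuration"), (3, "Internal")])
    return conn

def libelle_vulnerable(conn, theme):
    # Mirrors affichagefaq.php3: the request parameter is pasted straight into
    # the SQL text, so whatever it contains becomes part of the statement.
    requete = f"SELECT LIBELLE FROM THEMES WHERE ID_THEME = {theme}"
    return [row[0] for row in conn.execute(requete)]

def is_valid_id(theme):
    # ID_THEME is numeric by design: accept only a string of ASCII digits.
    return isinstance(theme, str) and re.fullmatch(r"[0-9]+", theme) is not None

def libelle_hardened(conn, theme):
    # Fix 1: reject anything that is not a plain integer before it nears the query.
    if not is_valid_id(theme):
        raise ValueError("ID_THEME must be a non-negative integer")
    # Fix 2: bind the value as a parameter; the driver never parses it as SQL.
    requete = "SELECT LIBELLE FROM THEMES WHERE ID_THEME = ?"
    return [row[0] for row in conn.execute(requete, (int(theme),))]

if __name__ == "__main__":
    conn = make_db()
    print(libelle_vulnerable(conn, "2"))          # ['Configuration']
    print(libelle_vulnerable(conn, "2 OR 1=1"))   # all three rows: the WHERE clause was rewritten
    print(libelle_hardened(conn, "2"))            # ['Configuration']
    print(is_valid_id("2 OR 1=1"))                # False: the hardened path refuses it
```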
=======================================================================================
2) choixsoustheme.php3 code:
----------------------------
   <?php
     ....
     
        $Requete = "SELECT * FROM THEMES WHERE ID_THEME = $Theme";
        $TitreTh = mysql_query($Requete,$Connect_MySql);
 
     ....
   ?>

In the same way, in choixsoustheme.php3 the variable $Theme is not filtered
for dangerous characters, which allows SQL injection.
=======================================================================================
3) consultation.php3 code:
--------------------------
   <?php
     ....

        $Requete = "SELECT * FROM FAQ WHERE ID_THEME = $Theme AND ID_SOUSTHEME = $SousTheme ORDER BY DATECRE;";
        $ListeFaq = mysql_db_query($Base,$Requete);

     ....

        $Requete = "SELECT * FROM THEMES WHERE ID_THEME = $Theme;";
        $TitreTh = mysql_query($Requete,$Connect_MySql);

     ....

        $Requete = "SELECT * FROM SOUSTHEMES WHERE ID_SOUSTHEME = $SousTheme";
        $TitreSTh = mysql_db_query($Base,$Requete);

     ....
    ?>

The variables $Theme and $SousTheme are not filtered for dangerous characters,
so these queries are likewise open to SQL injection.
=======================================================================================
4) inssolution.php3 code:
-------------------------
     <?php
       ....
       
           $Requete = "SELECT * FROM FAQ WHERE ID_FAQ = $Faq";
           $ResIns = mysql_db_query($Base,$Requete);
       
       ....
     ?>

The variable $Faq is not filtered for dangerous characters, which allows
SQL injection.

=======================================================================================
In the same way, in the following files the variables $Theme, $SousTheme and $Faq
are not filtered for dangerous characters:

  $Theme                 $SousTheme             $Faq
  ---------------------  ---------------------  ---------------------
  insfaq.php3            insfaq.php3            saisiefaq.php3
  inssoustheme.php3      inssoustheme.php3      voirfaq.php3
  instheme.php3          saisiefaq.php3
  saisiefaqtotale.php3   saisiefaqtotale.php3
  saisiesoustheme.php3   voirfaq.php3
  voirfaq.php3
=======================================================================================
Newer versions do not contain these vulnerabilities.
=======================================================================================
Bug found
=========

CENSORED ~ Search Vulnerabilities Team ~ http://svt.nukleon.us