Date: Tue, 12 Nov 2002 05:55:49 -0500
From: [email protected]
To: [email protected], [email protected]
Subject: WebChat for XOOPS RC3 SQL INJECTION
Text available at http://www.phpsecure.org/tutos/webchat.1-5.xoops.rc3.sql.injection.txt
Patch available on phpsecure.org
XOOPS RC3 WebChat Module SQL Injection
Tested with: XOOPS RC3, WebChat 1-5
Author: val2 - phpsecure.org (more info and patches there)
Lines 291-299 from modules/WebChat/index.php:
if(isset($roomid)) {
    if($xoopsUser) {
        $wcusername = $xoopsUser->getVar("uname", "E");
        $uid = $xoopsUser->getVar("uid", "E");
    }
    join_room($roomid,$pass,$wcusername,$uid); /* <- calling the join_room function with the unchecked $roomid parameter */
} else {
    disp_index($errmsg);
}
Lines 204-208:
function join_room($roomid,$pass,$username,$uid) {
    global $xoopsDB, $xoopsUser, $xoopsConfig, $ModName, $user, $sitename, $pnconfig, $language, $usertime;
    unset($errmsg);
    /* $roomid goes straight into the SQL string, unquoted and unchecked */
    $sql = "SELECT rid, name, typ, pass, descript FROM ".$xoopsDB->prefix("chatroom")." WHERE rid = $roomid";
    $row = mysql_fetch_array(mysql_query($sql));
    [...]
PROBLEM:
$roomid is taken from the request and interpolated into the query without any verification.
PATCH:
Add this line at the beginning of index.php, or download the PATCH from phpsecure.org:
$roomid = addslashes($roomid);
If you're paranoiac, shutdown your box and wait for an official release ;)
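Added example, not code from the WebChat module or from the phpsecure.org patch: the advisory's query build next to a hardened version that accepts only an integer room id (the query leaves $roomid unquoted, so addslashes() on its own does not cover that spot). The FakeXoopsDB class is an assumed stand-in for $xoopsDB->prefix() so the file runs on its own.

```php
<?php
// Stand-in for the XOOPS database object (assumption: the real
// $xoopsDB->prefix($table) just prepends the configured table prefix).
class FakeXoopsDB {
    public function prefix($table) { return 'xoops_' . $table; }
}

// Vulnerable form, as in the advisory: $roomid is interpolated unquoted,
// so addslashes() (which only escapes quotes, backslashes and NUL) does
// not change a payload that contains none of those characters.
function build_query_unsafe($xoopsDB, $roomid) {
    return "SELECT rid, name, typ, pass, descript FROM "
        . $xoopsDB->prefix("chatroom") . " WHERE rid = $roomid";
}

// rid is an integer column: accept only a short plain decimal string and
// hand back an int, or null so the caller can show the error page instead.
function validate_roomid($roomid) {
    if (!is_string($roomid) && !is_int($roomid)) {
        return null;
    }
    $s = (string) $roomid;
    if (!preg_match('/^[0-9]{1,10}$/', $s)) {
        return null;
    }
    return (int) $s;
}

// Hardened form: the SQL only ever sees an integer.
function build_query_safe($xoopsDB, $roomid) {
    $rid = validate_roomid($roomid);
    if ($rid === null) {
        return null;
    }
    return "SELECT rid, name, typ, pass, descript FROM "
        . $xoopsDB->prefix("chatroom") . " WHERE rid = " . $rid;
}

$db = new FakeXoopsDB();
// Constructed inputs: a legitimate id and a tampered one.
echo build_query_unsafe($db, "7 OR 1=1"), "\n"; // condition matches every room
var_dump(build_query_safe($db, "7 OR 1=1"));    // NULL: rejected before any SQL
echo build_query_safe($db, "7"), "\n";          // ... WHERE rid = 7
```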
EXPLOIT :
You're a PHP/SQL g00r00, you don't need an exploit :p
MORE PATCHES!
www.phpsecure.org
MORE HOLES!
www.phpsecure.org