[SVadvisory#13] - SQL injection in MYFAQ 1.0


Date: 6 Aug 2005 23:58:53 -0000
From: [email protected]
To: [email protected]
Subject: [SVadvisory#13] - SQL injection in MYFAQ 1.0
X-Virus-Scanned: antivirus-gw at tyumen.ru

SVadvisory#13
*******************************
  title: SQL injection             
product: MYFAQ            
version: V1.0                  
   site: http://vpontier.free.fr/
*******************************

Vulnerability
==============

1) affichagefaq.php3

Code:

    <?php
    ....
    $Requete = "SELECT LIBELLE FROM THEMES WHERE ID_THEME = $Theme";
    $Liste = mysql_db_query($Base,$Requete);
    $Ret = mysql_fetch_array($Liste);
    ....
    $Requete = "SELECT LIBELLE FROM SOUSTHEMES WHERE ID_SOUSTHEME = $SousTheme";
    $Liste = mysql_db_query($Base,$Requete);
    $Ret = mysql_fetch_array($Liste);
    ....
    $Requete="SELECT * FROM SOLUTIONS WHERE ID_FAQ = $Question";
    $Liste = mysql_db_query($Base,$Requete);
    ?>

The variables $Theme, $SousTheme and $Question are not filtered for dangerous characters before being placed in the query, which can lead to SQL injection.

2) choixsoustheme.php3

Code:

    <?php
    ....
    $Requete = "SELECT * FROM THEMES WHERE ID_THEME = $Theme";
    $TitreTh = mysql_query($Requete,$Connect_MySql);
    ....
    ?>

In the same way, in the file choixsoustheme.php3 the variable $Theme is not filtered for dangerous characters, which can lead to SQL injection.

3) consultation.php3

Code:

    <?php
    ....
    $Requete = "SELECT * FROM FAQ WHERE ID_THEME = $Theme AND ID_SOUSTHEME = $SousTheme ORDER BY DATECRE;";
    $ListeFaq = mysql_db_query($Base,$Requete);
    ....
    $Requete = "SELECT * FROM THEMES WHERE ID_THEME = $Theme;";
    $TitreTh = mysql_query($Requete,$Connect_MySql);
    ....
    $Requete = "SELECT * FROM SOUSTHEMES WHERE ID_SOUSTHEME = $SousTheme";
    $TitreSTh = mysql_db_query($Base,$Requete);
    ....
    ?>

The variables $Theme and $SousTheme are not filtered for dangerous characters, which results in an SQL injection vulnerability.

4) inssolution.php3

Code:

    <?php
    ....
    $Requete = "SELECT * FROM FAQ WHERE ID_FAQ = $Faq";
    $ResIns = mysql_db_query($Base,$Requete);
    ....
    ?>

The variable $Faq is not filtered for dangerous characters, which results in an SQL injection vulnerability.

In the same way, the variables $Theme, $SousTheme and $Faq are not filtered for dangerous characters in the following files:

    $Theme                  $SousTheme              $Faq
    ------------------      ------------------      ------------------
    insfaq.php3             insfaq.php3             saisiefaq.php3
    inssoustheme.php3       inssoustheme.php3       voirfaq.php3
    instheme.php3           saisiefaq.php3
    saisiefaqtotale.php3    saisiefaqtotale.php3
    saisiesoustheme.php3    voirfaq.php3
    voirfaq.php3

Newer versions do not contain these vulnerabilities.

Bug found
=========
CENSORED
~ Search Vulnerabilities Team ~
http://svt.nukleon.us
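
The queries quoted in this advisory interpolate request variables directly into SQL. As an added example (not code from MYFAQ or from the advisory's authors), here is the consultation.php3 lookup with integer validation and a prepared statement. PDO with an in-memory SQLite database stands in for the application's MySQL connection; the helper names, the QUESTION column and the sample rows are constructed.

```php
<?php
// Added example: hardened form of the consultation.php3 lookup.
// Assumptions: PDO/SQLite replaces the MySQL connection; helper names,
// the QUESTION column and the sample rows are constructed for illustration.

// Accept a request parameter only if it is a positive integer (hypothetical helper).
function faq_int_param(array $src, string $name): int
{
    $v = filter_var($src[$name] ?? null, FILTER_VALIDATE_INT,
                    ['options' => ['min_range' => 1]]);
    if ($v === false) {
        throw new InvalidArgumentException("invalid $name");
    }
    return $v;
}

// Same query as consultation.php3, with the values bound instead of interpolated.
function list_faq(PDO $db, array $request): array
{
    $theme     = faq_int_param($request, 'Theme');
    $sousTheme = faq_int_param($request, 'SousTheme');
    $stmt = $db->prepare(
        'SELECT * FROM FAQ WHERE ID_THEME = :theme AND ID_SOUSTHEME = :sous ORDER BY DATECRE');
    $stmt->bindValue(':theme', $theme, PDO::PARAM_INT);
    $stmt->bindValue(':sous', $sousTheme, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE FAQ (ID_FAQ INTEGER, ID_THEME INTEGER,
           ID_SOUSTHEME INTEGER, DATECRE TEXT, QUESTION TEXT)');
$db->exec("INSERT INTO FAQ VALUES (1, 1, 1, '2005-01-01', 'constructed row A'),
                                  (2, 2, 1, '2005-02-01', 'constructed row B')");

// Constructed requests: one well-formed, one with a non-integer Theme.
foreach ([['Theme' => '1', 'SousTheme' => '1'],
          ['Theme' => '1 extra text', 'SousTheme' => '1']] as $request) {
    try {
        printf("%d row(s)\n", count(list_faq($db, $request)));
    } catch (InvalidArgumentException $e) {
        printf("rejected: %s\n", $e->getMessage());
    }
}
```

The same two steps (validate as integer, then bind) apply to every $Theme, $SousTheme, $Question and $Faq query listed above.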
