Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

WWWThread RC 3 MultBugs

From: o.y.6 () hotmail com
Date: 19 Apr 2006 19:01:08 -0000
[code]// --- WWWThread RC 3 MultBugs --- //

        * D3vil-0x1 | Devil-00
    * www.securitygurus.net
    * Gr33tz
        - HACKERS PAL | n0m3rcy | -

                &
                                All Others << i forgot them :))

//---------------------------------//

//---------------------------------// [ Bug 1 ] //---------------------------------//

// File name :- register.php
// Bug :- Remote [ _COKKIE['forumreferrer] ] SQL Injection

/* Code
        //
if(isset($_COOKIE["forumreferrer"]))
        {
                $referral_id = $_COOKIE["forumreferrer"];
                $result = $db->query('SELECT referral_count FROM '.$db->prefix.'users WHERE id='.$referral_id)          
  or error(mysql_error(), __FILE__, __LINE__, $db->error());
                list($referral_val) = $db->fetch_row($result);
                $rval = $referral_val[0] + 1;
                $db->query('UPDATE '.$db->prefix.'users SET referral_count='. $rval . ' WHERE id='.$                    
          referral_id) or error(mysql_error(), __FILE__, __LINE__, $db->error());
        }
    //
*/

Fix :-

/*
$referral_id = intval($_COOKIE["forumreferrer"]);
*/


//---------------------------------// //---------------------------------// //---------------------------------// 
//---------------------------------// //---------------------------------// //---------------------------------// 
//---------------------------------// //---------------------------------//

//---------------------------------//  [ Bug 2 ] //---------------------------------//

// File name :- message_list.php
// Bug :- Remote SQL Injection

/* Code

if( isset($_POST['delete_messages']) || isset($_POST['delete_messages_comply']) )
{
        if( isset($_POST['delete_messages_comply']) )
        {
                confirm_referrer('message_list.php');
                $db->query('DELETE FROM '.$db->prefix.'messages WHERE id IN('.$_POST['messages'].') AND owner=          
        \''.$forum_user['id'].'\'') or error(mysql_error(), __FILE__, __LINE__, $db->error());
                redirect('message_list.php?box='.$_POST['box'], $lang_pms['Deleted redirect']);
        }

*/

// Fix :-

Replace with this code :D

if( isset($_POST['delete_messages']) || isset($_POST['delete_messages_comply']) )
{
        if( isset($_POST['delete_messages_comply']) )
        {
                confirm_referrer('message_list.php');
                $db->query('DELETE FROM '.$db->prefix.'messages WHERE id IN('.intval($_POST['messages']).') AND owner=  
                \''.$forum_user['id'].'\'') or error(mysql_error(), __FILE__, __LINE__, $db->error());
                redirect('message_list.php?box='.$_POST['box'], $lang_pms['Deleted redirect']);
        }

// Exploit

- Resend This Requsit By HTTPLiveHeaders :D -

messages=[SQL]&box=0&delete_messages_comply=Delete
[/code]
Previous By Date Next
Previous By Thread Next

Current thread: