List:       bugtraq
Subject:    [SVadvisory#13] - SQL injection in MYFAQ 1.0
From:       svt () svt ! nukleon ! us
Date:       2005-08-06 23:58:53
Message-ID: 20050806235853.4982.qmail () securityfocus ! com

SVadvisory#13
*******************************
  title: SQL injection             
product: MYFAQ            
version: V1.0                  
   site: http://vpontier.free.fr/
*******************************
=====================================================================================
Vulnerability
==============

1) affichagefaq.php3 Code:
--------------------------
   <?php 
     ....
    
        $Requete = "SELECT LIBELLE FROM THEMES WHERE ID_THEME = $Theme";
        $Liste = mysql_db_query($Base,$Requete);
        $Ret = mysql_fetch_array($Liste);
     
     ....
    
        $Requete = "SELECT LIBELLE FROM SOUSTHEMES WHERE ID_SOUSTHEME = $SousTheme";
        $Liste = mysql_db_query($Base,$Requete);
        $Ret = mysql_fetch_array($Liste);

     ....

        $Requete="SELECT * FROM SOLUTIONS WHERE ID_FAQ = $Question";
        $Liste = mysql_db_query($Base,$Requete);

   ?>

The variables $Theme, $SousTheme and $Question are placed in the queries
without any filtering or validation, so each of the three statements is
open to SQL injection. Because the values are interpolated outside quotes
(numeric context), an attacker needs no quote character; quote escaping
alone (magic_quotes_gpc, addslashes) does not prevent the injection.
=======================================================================================
 2) choixsoustheme.php3 code:
----------------------------
   <?php
     ....
     
        $Requete = "SELECT * FROM THEMES WHERE ID_THEME = $Theme";
        $TitreTh = mysql_query($Requete,$Connect_MySql);
 
     ....
   ?>

In the same way, choixsoustheme.php3 uses $Theme unfiltered in this query,
allowing SQL injection.
=======================================================================================
 3) consultation.php3 code:
--------------------------
   <?php 
     ....

        $Requete = "SELECT * FROM FAQ WHERE ID_THEME = $Theme AND ID_SOUSTHEME = $SousTheme ORDER BY DATECRE;";
        $ListeFaq = mysql_db_query($Base,$Requete);

     ....

        $Requete = "SELECT * FROM THEMES WHERE ID_THEME = $Theme;";
        $TitreTh = mysql_query($Requete,$Connect_MySql);

     ....

        $Requete = "SELECT * FROM SOUSTHEMES WHERE ID_SOUSTHEME = $SousTheme";
        $TitreSTh = mysql_db_query($Base,$Requete);

     ....
    ?>

The variables $Theme and $SousTheme are not filtered, so all three queries
above in consultation.php3 are vulnerable to SQL injection.
=======================================================================================
 4) inssolution.php3 code:
-------------------------
     <?php 
       ....
       
           $Requete = "SELECT * FROM FAQ WHERE ID_FAQ = $Faq";
           $ResIns = mysql_db_query($Base,$Requete); 
       
       ....
     ?>

The variable $Faq is not filtered, so this query in inssolution.php3 is
vulnerable to SQL injection.

=======================================================================================
 The same unfiltered variables $Theme, $SousTheme and $Faq are also used in
queries in the following files:

  $Theme                   $SousTheme             $Faq
  ------------------      ------------------      ------------------
  insfaq.php3             insfaq.php3             saisiefaq.php3
  inssoustheme.php3       inssoustheme.php3       voirfaq.php3
  instheme.php3           saisiefaq.php3
  saisiefaqtotale.php3    saisiefaqtotale.php3
  saisiesoustheme.php3    voirfaq.php3
  voirfaq.php3
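
The pattern shared by all of the findings above, as an added example that is
not code from the advisory or from MYFAQ: the consultation.php3 query is
modelled in Python over an in-memory SQLite database, with the unvalidated
interpolation beside a fixed version that validates the ids and binds them as
parameters. Table and column names are taken from the queries quoted above;
the rows, the payload and the ADMIN table are constructed for the example
(MYFAQ's real schema is not part of the advisory).

```python
import re
import sqlite3

# Constructed schema and rows for this example. Table and column names are the
# ones that appear in the advisory's queries; the contents and the ADMIN table
# are made up, MYFAQ's real schema is not part of the advisory.
SCHEMA = """
CREATE TABLE THEMES (ID_THEME INTEGER, LIBELLE TEXT);
CREATE TABLE SOUSTHEMES (ID_SOUSTHEME INTEGER, ID_THEME INTEGER, LIBELLE TEXT);
CREATE TABLE FAQ (ID_FAQ INTEGER, ID_THEME INTEGER, ID_SOUSTHEME INTEGER,
                  QUESTION TEXT, DATECRE TEXT);
CREATE TABLE ADMIN (LOGIN TEXT, PASSWORD TEXT);
INSERT INTO THEMES VALUES (1, 'Installation'), (2, 'Configuration');
INSERT INTO SOUSTHEMES VALUES (10, 1, 'Requirements'), (11, 1, 'Upgrading');
INSERT INTO FAQ VALUES
    (100, 1, 10, 'Which PHP version?', '2005-01-01'),
    (101, 1, 11, 'How do I upgrade?', '2005-02-01'),
    (102, 2, 20, 'Where is the config?', '2005-03-01');
INSERT INTO ADMIN VALUES ('admin', 's3cret');
"""


def open_db():
    """Fresh in-memory database loaded with the constructed rows."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    return con


def consultation_vulnerable(con, theme, soustheme):
    """Builds the query the way consultation.php3 does: the request values are
    pasted into the SQL text, unquoted and unvalidated."""
    requete = (f"SELECT * FROM FAQ WHERE ID_THEME = {theme} "
               f"AND ID_SOUSTHEME = {soustheme} ORDER BY DATECRE")
    return con.execute(requete).fetchall()


# An ID column only ever holds a short run of digits; accept nothing else.
_ID = re.compile(r"\A[0-9]{1,9}\Z")


def parse_id(value):
    """Validate a request parameter as an integer id, rejecting anything that
    is not purely numeric (the PHP equivalent is an (int) cast plus a check)."""
    if not isinstance(value, str) or not _ID.match(value):
        raise ValueError(f"invalid id: {value!r}")
    return int(value)


def consultation_fixed(con, theme, soustheme):
    """Same query with validated values bound as parameters: the SQL text is a
    constant, so nothing from the request can change its structure."""
    requete = ("SELECT * FROM FAQ WHERE ID_THEME = ? "
               "AND ID_SOUSTHEME = ? ORDER BY DATECRE")
    return con.execute(requete, (parse_id(theme), parse_id(soustheme))).fetchall()


def is_rejected(con, theme, soustheme):
    """True when the fixed path refuses the values before touching the database."""
    try:
        consultation_fixed(con, theme, soustheme)
    except ValueError:
        return True
    return False


# Constructed payload for $SousTheme. It needs no quote character because the
# value is interpolated in a numeric context, so magic_quotes_gpc / addslashes
# would have left it untouched; the column count (5) matches SELECT * FROM FAQ.
PAYLOAD = "10 UNION SELECT LOGIN, PASSWORD, 1, 1, 1 FROM ADMIN"


def demo():
    con = open_db()
    leaked = consultation_vulnerable(con, "1", PAYLOAD)   # ADMIN row comes back
    assert ("admin", "s3cret", 1, 1, 1) in leaked
    assert not any(c in PAYLOAD for c in "'\"\\")          # escaping would not help
    assert is_rejected(con, "1", PAYLOAD)                  # fixed path refuses it
    return leaked, consultation_fixed(con, "1", "10")


if __name__ == "__main__":
    for row in demo()[0]:
        print(row)
```

The same two fixes apply to the PHP originals quoted above: cast every id
with (int) (and reject zero or empty values) before interpolating it, or move
the queries to prepared statements with bound parameters. Escaping on its own
is not a fix here, since none of the injected values sit inside quotes.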
=======================================================================================
 Newer versions do not contain these vulnerabilities.
=======================================================================================
 Bug found
=========

CENSORED ~ Search Vulnerabilities Team ~ http://svt.nukleon.us

