List: bugtraq
Subject: [SVadvisory#13] - SQL injection in MYFAQ 1.0
From: svt () svt ! nukleon ! us
Date: 2005-08-06 23:58:53
Message-ID: 20050806235853.4982.qmail () securityfocus ! com
SVadvisory#13
*******************************
title: SQL injection
product: MYFAQ
version: V1.0
site: http://vpontier.free.fr/
*******************************
=====================================================================================
Vulnerability
==============
1) affichagefaq.php3 Code:
--------------------------
<?php
....
$Requete = "SELECT LIBELLE FROM THEMES WHERE ID_THEME = $Theme";
$Liste = mysql_db_query($Base,$Requete);
$Ret = mysql_fetch_array($Liste);
....
$Requete = "SELECT LIBELLE FROM SOUSTHEMES WHERE ID_SOUSTHEME = $SousTheme";
$Liste = mysql_db_query($Base,$Requete);
$Ret = mysql_fetch_array($Liste);
....
$Requete="SELECT * FROM SOLUTIONS WHERE ID_FAQ = $Question";
$Liste = mysql_db_query($Base,$Requete);
?>
The variables $Theme, $SousTheme and $Question are not filtered for dangerous
characters, which can lead to SQL injection.
=======================================================================================
2) choixsoustheme.php3 code:
----------------------------
<?php
....
$Requete = "SELECT * FROM THEMES WHERE ID_THEME = $Theme";
$TitreTh = mysql_query($Requete,$Connect_MySql);
....
?>
In the same way, in the file choixsoustheme.php3 the variable $Theme is not
filtered for dangerous characters, which can lead to SQL injection.
=======================================================================================
3) consultation.php3 code:
--------------------------
<?php
....
$Requete = "SELECT * FROM FAQ WHERE ID_THEME = $Theme AND ID_SOUSTHEME = $SousTheme ORDER BY DATECRE;";
$ListeFaq = mysql_db_query($Base,$Requete);
....
$Requete = "SELECT * FROM THEMES WHERE ID_THEME = $Theme;";
$TitreTh = mysql_query($Requete,$Connect_MySql);
....
$Requete = "SELECT * FROM SOUSTHEMES WHERE ID_SOUSTHEME = $SousTheme";
$TitreSTh = mysql_db_query($Base,$Requete);
....
?>
The variables $Theme and $SousTheme are not filtered for dangerous characters,
which results in an SQL injection vulnerability.
=======================================================================================
4) inssolution.php3 code:
-------------------------
<?php
....
$Requete = "SELECT * FROM FAQ WHERE ID_FAQ = $Faq";
$ResIns = mysql_db_query($Base,$Requete);
....
?>
The variable $Faq is not filtered for dangerous characters, which results in
an SQL injection vulnerability.
=======================================================================================
In the same way, the variables $Theme, $SousTheme and $Faq are not filtered
for dangerous characters in the following files:
$Theme                $SousTheme            $Faq
--------------------  --------------------  ------------------
insfaq.php3           insfaq.php3           saisiefaq.php3
inssoustheme.php3     inssoustheme.php3     voirfaq.php3
instheme.php3         saisiefaq.php3
saisiefaqtotale.php3  saisiefaqtotale.php3
saisiesoustheme.php3  voirfaq.php3
voirfaq.php3
=======================================================================================
Newer versions do not contain these vulnerabilities.
=======================================================================================
Bug found
=========
CENSORED ~ Search Vulnerabilities Team ~ http://svt.nukleon.us
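
Added example (not part of the advisory and not MYFAQ code): a hardened form of the first affichagefaq.php3 query, combining strict integer validation of the value that ends up in $Theme with a bound parameter. The functions parse_id() and theme_label() are hypothetical, and PDO with an in-memory SQLite database and a constructed sample row stand in for the application's MySQL connection.

```php
<?php
// Added example, not MYFAQ code. THEMES / ID_THEME / LIBELLE follow the
// advisory; the in-memory SQLite database and its sample row are constructed.

// Accept only a plain positive decimal integer; anything else yields null.
function parse_id($raw): ?int
{
    if (!is_string($raw) || !ctype_digit($raw)) {
        return null;                       // empty, signed, spaced or non-numeric
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;     // also rejects overflow and "0"
}

// Hardened form of: "SELECT LIBELLE FROM THEMES WHERE ID_THEME = $Theme"
function theme_label(PDO $db, $rawTheme): ?string
{
    $id = parse_id($rawTheme);
    if ($id === null) {
        return null;                       // reject before any SQL is built
    }
    // The value is bound as an integer and never concatenated into the SQL text.
    $stmt = $db->prepare('SELECT LIBELLE FROM THEMES WHERE ID_THEME = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $label = $stmt->fetchColumn();
    return $label === false ? null : (string) $label;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE THEMES (ID_THEME INTEGER PRIMARY KEY, LIBELLE TEXT)');
$db->exec("INSERT INTO THEMES VALUES (1, 'Installation')");

// Constructed inputs standing in for the request value assigned to $Theme.
foreach (['1', '2', '1 OR 1=1', '-1', '', '1;'] as $raw) {
    $label = theme_label($db, $raw);
    printf("%-12s => %s\n", var_export($raw, true), $label ?? '(rejected or not found)');
}
```

Only '1' returns a label; '2' is a valid id with no matching row, and every other input is rejected by parse_id() before a statement is prepared.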