
[SVadvisory#13] - SQL injection in MYFAQ 1.0



SVadvisory#13
*******************************
  title: SQL injection             
product: MYFAQ            
version: V1.0                  
   site: http://vpontier.free.fr/
*******************************
=====================================================================================
Vulnerability
==============

1) affichagefaq.php3 Code:
--------------------------
   <?php 
     ....
    
        $Requete = "SELECT LIBELLE FROM THEMES WHERE ID_THEME = $Theme";
        $Liste = mysql_db_query($Base,$Requete);
        $Ret = mysql_fetch_array($Liste);
     
     ....
    
        $Requete = "SELECT LIBELLE FROM SOUSTHEMES WHERE ID_SOUSTHEME = $SousTheme";
        $Liste = mysql_db_query($Base,$Requete);
        $Ret = mysql_fetch_array($Liste);

     ....

        $Requete="SELECT * FROM SOLUTIONS WHERE ID_FAQ = $Question";
        $Liste = mysql_db_query($Base,$Requete);

   ?>

The variables $Theme, $SousTheme and $Question are not checked for dangerous characters
before being placed in the query string, which allows SQL injection.
=======================================================================================
2) choixsoustheme.php3 code:
----------------------------
   <?php
     ....
     
        $Requete = "SELECT * FROM THEMES WHERE ID_THEME = $Theme";
        $TitreTh = mysql_query($Requete,$Connect_MySql);
 
     ....
   ?>

In the same way, in choixsoustheme.php3 the variable $Theme is not checked for
dangerous characters, which allows SQL injection.
=======================================================================================
3) consultation.php3 code:
--------------------------
   <?php 
     ....

        $Requete = "SELECT * FROM FAQ WHERE ID_THEME = $Theme AND ID_SOUSTHEME = $SousTheme ORDER BY DATECRE;";
        $ListeFaq = mysql_db_query($Base,$Requete);

     ....

        $Requete = "SELECT * FROM THEMES WHERE ID_THEME = $Theme;";
        $TitreTh = mysql_query($Requete,$Connect_MySql);

     ....

        $Requete = "SELECT * FROM SOUSTHEMES WHERE ID_SOUSTHEME = $SousTheme";
        $TitreSTh = mysql_db_query($Base,$Requete);

     ....
    ?>

The variables $Theme and $SousTheme are not checked for dangerous characters,
so these queries are vulnerable to SQL injection.
=======================================================================================
4) inssolution.php3 code:
-------------------------
     <?php 
       ....
       
           $Requete = "SELECT * FROM FAQ WHERE ID_FAQ = $Faq";
           $ResIns = mysql_db_query($Base,$Requete); 
       
       ....
     ?>

The variable $Faq is not checked for dangerous characters, so this query is
vulnerable to SQL injection.

=======================================================================================
In the same way, in the following files the variables $Theme, $SousTheme and $Faq
are not checked for dangerous characters:

  $Theme                   $SousTheme             $Faq
  ------------------      ------------------      ------------------
  insfaq.php3             insfaq.php3             saisiefaq.php3
  inssoustheme.php3       inssoustheme.php3       voirfaq.php3
  instheme.php3           saisiefaq.php3
  saisiefaqtotale.php3    saisiefaqtotale.php3
  saisiesoustheme.php3    voirfaq.php3
  voirfaq.php3
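A hardened version of the THEMES lookup from affichagefaq.php3, as an added example rather than code from MYFAQ: the id is validated as an integer before use, and the query is sent with a bound parameter through mysqli (an assumption; the original uses the mysql_* extension and, presumably, register_globals for $Theme). Connection details and the database name are placeholders.

```php
<?php
// Added example, not MYFAQ's own code: two layers against the injection
// described in the advisory. First, the request value is only accepted if
// it is a decimal integer; second, the SQL uses a placeholder, so the value
// can never alter the statement's structure.

declare(strict_types=1);

// Returns the theme id as an int, or null when the parameter is missing,
// is not a plain string, or is anything other than a positive integer.
function themeIdFromRequest(array $request, string $key = 'Theme'): ?int
{
    if (!isset($request[$key]) || !is_string($request[$key])) {
        return null;
    }
    $id = filter_var($request[$key], FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Same SELECT as the advisory's snippet, but with a bound integer instead of
// string interpolation of $Theme.
function themeLibelle(mysqli $db, int $idTheme): ?string
{
    $stmt = $db->prepare('SELECT LIBELLE FROM THEMES WHERE ID_THEME = ?');
    $stmt->bind_param('i', $idTheme);
    $stmt->execute();
    $stmt->bind_result($libelle);
    $found = $stmt->fetch();
    $stmt->close();
    return $found ? $libelle : null;
}

$idTheme = themeIdFromRequest($_GET);
if ($idTheme === null) {
    // Reject rather than pass the raw value on to the database.
    http_response_code(400);
    exit('Invalid theme id');
}

// Placeholder credentials; 'DB_NAME' stands for the $Base used by the original scripts.
$db = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');
$libelle = themeLibelle($db, $idTheme);
echo $libelle === null
    ? 'Unknown theme'
    : htmlspecialchars($libelle, ENT_QUOTES, 'UTF-8');
```

If the legacy mysql_db_query() calls have to stay, the first layer alone (an integer-validated value, or a plain `(int) $Theme` cast) already removes the injection in these numeric comparisons, since the interpolated text can then only be digits.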
=======================================================================================
Newer versions do not contain these vulnerabilities.
=======================================================================================
Bug found
=========

CENSORED ~ Search Vulnerabilities Team ~ http://svt.nukleon.us