
Re: Re: [KAPDA::#16] - SMF SQL Injection



Take a better look at your 'Memberlist.php' source code.

// Select the members from the database.
// Note: $_REQUEST['sort'] and $_REQUEST[start] are placed into the query text
// without validation.
        $request = db_query("
                SELECT mem.ID_MEMBER
                FROM {$db_prefix}members AS mem
                        LEFT JOIN {$db_prefix}log_online AS lo ON (lo.ID_MEMBER = mem.ID_MEMBER)
                        LEFT JOIN {$db_prefix}membergroups AS mg ON (mg.ID_GROUP = IF(mem.ID_GROUP = 0, mem.ID_POST_GROUP, mem.ID_GROUP))
                WHERE mem.is_activated = 1
                ORDER BY " . $sort_methods[$_REQUEST['sort']][$context['sort_direction']] . "
                LIMIT $_REQUEST[start], $modSettings[defaultMaxMembers]", __FILE__, __LINE__);
        printMemberListRows($request);
        mysql_free_result($request);
----------------------

// Find the members from the database.
                // !!!SLOW This query is slow.
                // Note: $_REQUEST[start] is placed into the LIMIT clause without validation.
                $request = db_query("
                        SELECT mem.ID_MEMBER
                        FROM {$db_prefix}members AS mem
                                LEFT JOIN {$db_prefix}log_online AS lo ON (lo.ID_MEMBER = mem.ID_MEMBER)
                                LEFT JOIN {$db_prefix}membergroups AS mg ON (mg.ID_GROUP = IF(mem.ID_GROUP = 0, mem.ID_POST_GROUP, mem.ID_GROUP))
                        WHERE " . implode(" $query OR ", $fields) . " $query$condition
                                AND is_activated = 1
                        LIMIT $_REQUEST[start], $modSettings[defaultMaxMembers]", __FILE__, __LINE__);
                printMemberListRows($request);
                mysql_free_result($request);
----------------------

Isn't it possible for an attacker to modify the query logic?
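For comparison, here is an added example (not SMF's code and not part of the original post) of how the first query above can be built so that request input never reaches the SQL text unchecked: the sort key is looked up against a whitelist and the LIMIT operands are forced to non-negative integers. The `$sortMethods` layout, the 'up'/'down' direction keys and the sample column names are assumptions.

```php
<?php
// Added example, not SMF's own code. Builds the member-list query with the
// request values validated before they touch the SQL string.

function buildMemberListQuery(array $request, array $sortMethods, string $dbPrefix, int $maxMembers): string
{
    // 1. Whitelist the sort key: only keys present in $sortMethods are used,
    //    so the ORDER BY fragment always comes from the fixed table, never
    //    from the request. Unknown keys fall back to a default (assumed name).
    $sort = isset($request['sort']) && array_key_exists($request['sort'], $sortMethods)
        ? $request['sort'] : 'realName';
    $direction = isset($request['desc']) ? 'down' : 'up';   // direction keys are an assumption
    $orderBy = $sortMethods[$sort][$direction];

    // 2. LIMIT operands must be non-negative integers. The cast drops any
    //    non-numeric remainder; the clamp rejects negative offsets and a
    //    zero page size.
    $start = max(0, (int) ($request['start'] ?? 0));
    $maxMembers = max(1, $maxMembers);

    return "SELECT mem.ID_MEMBER
        FROM {$dbPrefix}members AS mem
            LEFT JOIN {$dbPrefix}log_online AS lo ON (lo.ID_MEMBER = mem.ID_MEMBER)
            LEFT JOIN {$dbPrefix}membergroups AS mg ON (mg.ID_GROUP = IF(mem.ID_GROUP = 0, mem.ID_POST_GROUP, mem.ID_GROUP))
        WHERE mem.is_activated = 1
        ORDER BY $orderBy
        LIMIT $start, $maxMembers";
}

// Constructed sort table in the shape the page's $sort_methods lookup expects.
$sortMethods = [
    'realName' => ['up' => 'mem.realName ASC', 'down' => 'mem.realName DESC'],
    'posts'    => ['up' => 'mem.posts ASC',    'down' => 'mem.posts DESC'],
];

// Constructed requests: one well-formed, one with an unknown sort key and a
// non-numeric start value.
$good = ['sort' => 'posts', 'start' => '30'];
$bad  = ['sort' => 'not_a_column', 'start' => '30abc'];

echo buildMemberListQuery($good, $sortMethods, 'smf_', 30), "\n\n";
// For $bad the sort key falls back to the default and start becomes 30, so the
// emitted SQL consists only of whitelisted fragments and integers.
echo buildMemberListQuery($bad, $sortMethods, 'smf_', 30), "\n";
```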