Re: Re: Re: [KAPDA::#16] - SMF SQL Injection

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: Re: Re: [KAPDA::#16] - SMF SQL Injection
From: grudge@xxxxxxxxxxxxxxxxx, simplemachines@xxxxxxxxxxxxxxxxx, org@xxxxxxxxxxxxxxxxx
Date: 13 Dec 2005 23:52:06 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

Remember, SMF only shows database syntax errors to administrators anyway, so 
they would not even see the query string itself. All the average user trying 
this gets is "A database error has occured".

Either way securityfocus have kindly removed the advisory so we're happy.

[quote]
mphhh, correct...
the only problem I see is path disclosure, 'cause you can inject only a one 
char string:

http://[target]/smfrc1/index.php?action=mlist;sort=realName;start=\;desc

query becomes:

SELECT COUNT(ID_MEMBER) FROM smf_members WHERE LOWER(SUBSTRING(realName, 1, 1)) 
< '\' AND is_activated = 1

and at screen, you have:

Errore di sintassi nella query SQL vicino a ''\'
AND is_activated = 1' linea 3
File: [full_application_path]Memberlist.php
Line: 162

but I think you cannot inject commands...
[/quote]

Prev by Date: Secunia Research: Microsoft Internet Explorer Keyboard Shortcut Processing Vulnerability
Next by Date: Re: [ GLSA 200512-04 ] Openswan, IPsec-Tools: Vulnerabilities in ISAKMP Protocol implementation
Previous by thread: Re: Re: [KAPDA::#16] - SMF SQL Injection
Next by thread: Milliscript 1.4 Multiple Vulnerabilities
Index(es):
- Date
- Thread