Re: ATutor 1.5.3 Cross Site Scripting

To: info@xxxxxxxxx
Subject: Re: ATutor 1.5.3 Cross Site Scripting
From: "Steven M. Christey" <coley@xxxxxxxxx>
Date: Fri, 21 Jul 2006 18:00:01 -0400 (EDT)
Cc: bugtraq@xxxxxxxxxxxxxxxxx
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

>The mentioned SQL injection vulnerability is not possible. Please
>remove it.

Could you explain this further?

In 1.5.3, edit_forum() in forums.inc.php has the following:

        $sql    = "UPDATE ".TABLE_PREFIX."forums SET title='$_POST[title]', 
description='$_POST[body]' WHERE forum_id=$_POST[fid]";
        $result = mysql_query($sql,$db);

where is appears that $_POST[fid] is directly inserted into the SQL
query.

In 1.5.3.1, a new statement has been added to the same function, just
before the two statements above:

        $_POST['fid']    = intval($_POST['fid']);

This looks like cleansing that would be relevant for SQL injection.


For those who were wondering, both $_POST['title'] and $_POST['body']
are re-set using addslashes:

  $_POST['title']  = $addslashes($_POST['title']);
  $_POST['body']   = $addslashes($_POST['body']);


- Steve

Prev by Date: Re: [EEYEB-20060227] D-Link Router UPNP Stack Overflow
Next by Date: Re: LAMP vs Microsoft
Previous by thread: Re: ATutor 1.5.3 Cross Site Scripting
Next by thread: RW::Download stats.php Remote File Inc.
Index(es):
- Date
- Thread