<<< Date Index >>>     <<< Thread Index >>>

Sql injection in PostNuke [Admin section]



Hi,
There is a sql injection bug in PostNuke 0.762 admin section (and maybe
before versions) .
The "hits" parameter is not checked properly before be used in sql query :

File /modules/Downloads/admin.php, Line 1586 :
::     $dbconn->Execute("INSERT INTO $downtable
::                         ($column[lid],
::                          $column[cid],
::                          $column[sid],
::                          $column[title],
::                          $column[url],
::                          $column[description],
::                          $column[date],
::                          $column[name],
::                          $column[email],
::                          $column[hits],
::                          $column[submitter],
::                          $column[downloadratingsummary],
::                          $column[totalvotes],
::                          $column[totalcomments],
::                          $column[filesize],
::                          $column[version],
::                          $column[homepage])
::                       VALUES
::                         (" . (int)pnVarPrepForStore($newid) . ",
::                          " . (int)pnVarPrepForStore($cat[0]) .",
::                          " . (int)pnVarPrepForStore($cat[1]) .",
::                          '" . pnVarPrepForStore($title) . "',
::                          '" . pnVarPrepForStore($url) . "',
::                          '" . pnVarPrepForStore($description) . "',
::                           " . $dbconn->DBTimestamp(time()) . ",
::                          '" . pnVarPrepForStore($name) . "',
::                          '" . pnVarPrepForStore($email) . "',
**                           " . pnVarPrepForStore($hits) . ",
::                          '" . pnVarPrepForStore($submitter) . "',
::                          0,
::                          0,
::                          0,
::                          '" . pnVarPrepForStore($filesize) . "',
::                          '" . pnVarPrepForStore($version) . "',
::                          '" . pnVarPrepForStore($homepage) . "')");

The bug is in admin section, so it doesnt seem to be critical .
Also, "PostNuke 0.800 Milestone 2" has been released .


- Omid