
writersblock-sql.txt

Posted on 03 April 2008

[x] Vendor Information

engine that keeps it spinning. A free, flexible, elegant Content Management System that helps you maintain any web site you want, at any size you want, with no hassle and no restrictions.

http://www.desiquintans.com

[x] Attack Information

The "PostID" GET parameter is inserted into SQL queries without sanitization, so it can be filled with malicious content to execute SQL code:

----
permalink.php, line 212:
$getpost = @mysql_query("SELECT Title, Timestamp, Body, PostCat1, PostCat2, PostCat3, PostCat4, Author FROM ".POSTS_TBL." WHERE PostID='".$_GET['PostID']."' AND Draft=0");
----
permalink.php, line 298:
$prevlink = mysql_query("SELECT PostID FROM ".POSTS_TBL." WHERE PostID<".$_GET['PostID']." AND Draft=0 ORDER BY Timestamp DESC LIMIT 1");
----
permalink.php, line 304:
$nextlink = mysql_query("SELECT PostID FROM ".POSTS_TBL." WHERE PostID>".$_GET['PostID']." AND Draft=0 ORDER BY Timestamp ASC LIMIT 1");
----

[x] Exploit

The issue can be exploited through a web browser.

[x] Patch

Just add an intval():

----
permalink.php, line 212:
$getpost = @mysql_query("SELECT Title, Timestamp, Body, PostCat1, PostCat2, PostCat3, PostCat4, Author FROM ".POSTS_TBL." WHERE PostID='".intval($_GET['PostID'])."' AND Draft=0");
----
permalink.php, line 298:
$prevlink = mysql_query("SELECT PostID FROM ".POSTS_TBL." WHERE PostID<".intval($_GET['PostID'])." AND Draft=0 ORDER BY Timestamp DESC LIMIT 1");
----
permalink.php, line 304:
$nextlink = mysql_query("SELECT PostID FROM ".POSTS_TBL." WHERE PostID>".intval($_GET['PostID'])." AND Draft=0 ORDER BY Timestamp ASC LIMIT 1");
----

[x] Credits

The vulnerability was discovered by katharsis - www.katharsis.x2.to
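
An alternative to the intval() patch, added here as an example and not taken from the advisory or from the CMS: the same three permalink.php lookups with PostID validated strictly and then bound as an integer parameter through PDO (the mysql_* functions used above were removed in PHP 7.0). The table name, the reduced column set, the function names, the sample rows and the in-memory SQLite database are assumptions made so the block runs offline.

```php
<?php
// Added example, not CMS code; names, rows and the SQLite database are assumptions.
declare(strict_types=1);

const POSTS_TBL = 'posts'; // assumption: the CMS defines the real table name

// Accept only a positive decimal integer; reject anything else rather than coerce it.
function parsePostId($raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Runs the three permalink.php lookups with PostID bound as an integer.
function fetchPermalink(PDO $db, $rawPostId): ?array
{
    $id = parsePostId($rawPostId);
    if ($id === null) {
        return null; // caller answers with a 404
    }
    $tail = ' AND Draft = 0';
    $sql = [
        'post' => 'SELECT Title, Body FROM ' . POSTS_TBL . ' WHERE PostID = :id' . $tail,
        'prev' => 'SELECT PostID FROM ' . POSTS_TBL . ' WHERE PostID < :id' . $tail
            . ' ORDER BY Timestamp DESC LIMIT 1',
        'next' => 'SELECT PostID FROM ' . POSTS_TBL . ' WHERE PostID > :id' . $tail
            . ' ORDER BY Timestamp ASC LIMIT 1',
    ];
    $out = [];
    foreach ($sql as $name => $query) {
        $stmt = $db->prepare($query);
        $stmt->bindValue(':id', $id, PDO::PARAM_INT);
        $stmt->execute();
        $out[$name] = $stmt->fetch(PDO::FETCH_ASSOC);
    }
    return $out['post'] === false ? null : $out;
}

// Constructed sample data: two published posts and one draft.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE ' . POSTS_TBL . ' (PostID INTEGER PRIMARY KEY, Title TEXT,'
    . ' Body TEXT, Timestamp INTEGER, Draft INTEGER)');
$db->exec('INSERT INTO ' . POSTS_TBL . " VALUES (1, 'First', 'a', 100, 0),"
    . " (2, 'Second', 'b', 200, 0), (3, 'Hidden', 'c', 300, 1)");

foreach (['2', '3', 'abc', '2abc'] as $input) { // constructed inputs
    echo str_pad($input, 6), json_encode(fetchPermalink($db, $input)), PHP_EOL;
}
```

Unlike intval(), which coerces a value such as "2abc" to 2 and serves that post, the strict check rejects any input that is not a clean integer.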

 
