Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 13 Apr 2012 10:08:03 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Henri Salo <henri@...v.fi>
Subject: Re: CVE-request: Wikidforum 2.10 multiple XSS and
 SQL-injection vulnerabilities SSCHADV2012-005

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 04/13/2012 04:46 AM, Henri Salo wrote:
> On Thu, Apr 12, 2012 at 12:55:01PM -0600, Kurt Seifried wrote:
>>> http://osvdb.org/show/osvdb/80840 Wikidforum Advanced Search 
>>> Multiple Field SQL Injection
>> Also I couldn't really confirm the SQL injections so not
>> assigning a CVE, if you can find confirmation I'll assign a CVE.
> 
> With "'" as input to select_sort:
> 
> You have an error in your SQL syntax; check the manual that
> corresponds to your MySQL server version for the right syntax to
> use near '\\\' asc' at line 1select * from posts where
> parent_post_id IS NULL AND status=1 AND user_id=0 AND (post LIKE
> '%foo%' OR title LIKE '%foo%') and status IN (1) order by \\\' asc
> 
> My friend told me that this can escalate in case of bad permissions
> or bad MySQL setup, but I do not have better PoC for this list. At
> least one can't chain for example SELECT foo FROM bar;DROP TABLE
> users;--
> 
> http://dev.mysql.com/doc/refman/5.5/en/select.html
> 
> - Henri Salo

Have you actually verified this first hand (e.g. done a successful SQL
injection attack) against an installation of Wikidforum?

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJPiE9fAAoJEBYNRVNeJnmTTBUP/RAFfubG9vd+NjbTPbiXv39H
6yZC19+k77jk7CTUklfOlud6UNcnLdtoOyBgKD6bLud81dJGUJ66b5lNM21yVSbU
ToIIuXNhXGdQ07LtkCbq4AS3jkHDBl9SH6jUnS0GSS4nr/J8KxzBCUrh+fAi1HWK
dGfj3TkBkUf2gWIb9dj62tzx21MAKfcA7SuNmc3tLoBKPIV6ZmsoKM5hEetP2snM
XWx25D1QjyPHjNfDaqFqz/3GWnMUs5FRgD+N1WvTU6UJi/EONmhu074lWFaFKIJU
tTEuTcuSKal9zQBC9//JRLfkHv+kI3DHezAsoFfsk1MUFD8A9dzGVbSp4CQmuVQs
5ZuXRI1PxeMh8ZVHM1Deo7Bfn+jJZAqtlPwOPHzeXpxF+A+JAZA5mnYY0PVbRUTm
FU5hj6MhVmfGVus6kKaKw3nuOdNAPmNfYRP+DOLKG7tTBcnQwMLAtr0TTfK1HJFG
j1BQGZ3raJhcvT7Q9/IOw/2xZOWEfl1RKUv+WrheqM4taxs4GCb7G38xENrhWmN/
MInu9n10oGcDqeSx7oYeRkrSt9vX0U6wSsXPpYPQT2eK+B7DmLQeNyu4uzpqQHvU
Iljr7PkpQARbdeqbACrrraVEcvSZheNbmlF2iymDgh93O27wxHbJe7gTPowAfHWe
Y5Ar7EwOUTJLkddvTY7G
=G5vD
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ