Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 13 Apr 2012 13:46:35 +0300
From: Henri Salo <henri@...v.fi>
To: oss-security@...ts.openwall.com
Subject: Re: CVE-request: Wikidforum 2.10 multiple XSS and
 SQL-injection vulnerabilities SSCHADV2012-005

On Thu, Apr 12, 2012 at 12:55:01PM -0600, Kurt Seifried wrote:
> > http://osvdb.org/show/osvdb/80840 Wikidforum Advanced Search
> > Multiple Field SQL Injection
> Also I couldn't really confirm the SQL injections so not assigning a
> CVE, if you can find confirmation I'll assign a CVE.

With "'" as input to select_sort:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\\\' asc' at line 1select * from posts where parent_post_id IS NULL AND status=1 AND user_id=0 AND (post LIKE '%foo%' OR title LIKE '%foo%') and status IN (1) order by \\\' asc

My friend told me that this can escalate in case of bad permissions or bad MySQL setup, but I do not have better PoC for this list. At least one can't chain for example SELECT foo FROM bar;DROP TABLE users;--

http://dev.mysql.com/doc/refman/5.5/en/select.html

- Henri Salo

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.