SVadvisory#13
*******************************
title: SQL injection
product: MYFAQ
version: V1.0
site: http://vpontier.free.fr/
*******************************

=====================================================================================
Vulnerability
==============

1) affichagefaq.php3

Code:
--------------------------
<?php
....
$Requete = "SELECT LIBELLE FROM THEMES WHERE ID_THEME = $Theme";
$Liste = mysql_db_query($Base,$Requete);
$Ret = mysql_fetch_array($Liste);
....
$Requete = "SELECT LIBELLE FROM SOUSTHEMES WHERE ID_SOUSTHEME = $SousTheme";
$Liste = mysql_db_query($Base,$Requete);
$Ret = mysql_fetch_array($Liste);
....
$Requete="SELECT * FROM SOLUTIONS WHERE ID_FAQ = $Question";
$Liste = mysql_db_query($Base,$Requete);
?>

The variables $Theme, $SousTheme and $Question are not filtered for dangerous characters before being placed in the query, which allows SQL injection.

=======================================================================================
2) choixsoustheme.php3

Code:
----------------------------
<?php
....
$Requete = "SELECT * FROM THEMES WHERE ID_THEME = $Theme";
$TitreTh = mysql_query($Requete,$Connect_MySql);
....
?>

In the same way, in choixsoustheme.php3 the variable $Theme is not filtered for dangerous characters, which allows SQL injection.

=======================================================================================
3) consultation.php3

Code:
--------------------------
<?php
....
$Requete = "SELECT * FROM FAQ WHERE ID_THEME = $Theme AND ID_SOUSTHEME = $SousTheme ORDER BY DATECRE;";
$ListeFaq = mysql_db_query($Base,$Requete);
....
$Requete = "SELECT * FROM THEMES WHERE ID_THEME = $Theme;";
$TitreTh = mysql_query($Requete,$Connect_MySql);
....
$Requete = "SELECT * FROM SOUSTHEMES WHERE ID_SOUSTHEME = $SousTheme";
$TitreSTh = mysql_db_query($Base,$Requete);
....
?>

The variables $Theme and $SousTheme are not filtered for dangerous characters, so SQL injection is possible here as well.

=======================================================================================
4) inssolution.php3

Code:
-------------------------
<?php
....
$Requete = "SELECT * FROM FAQ WHERE ID_FAQ = $Faq";
$ResIns = mysql_db_query($Base,$Requete);
....
?>

The variable $Faq is not filtered for dangerous characters, which allows SQL injection.

=======================================================================================
In the same way, in the following files the variables $Theme, $SousTheme and $Faq are not filtered for dangerous characters:

$Theme                  $SousTheme              $Faq
------------------      ------------------      ------------------
insfaq.php3             insfaq.php3             saisiefaq.php3
inssoustheme.php3       inssoustheme.php3       voirfaq.php3
instheme.php3           saisiefaq.php3
saisiefaqtotale.php3    saisiefaqtotale.php3
saisiesoustheme.php3    voirfaq.php3
voirfaq.php3

=======================================================================================
Newer versions do not contain these vulnerabilities.
=======================================================================================

Bug found
=========
CENSORED

~ Search Vulnerabilities Team ~
http://svt.nukleon.us
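The following is an added example, not code from the advisory or from MYFAQ: a hardened rewrite of the three affichagefaq.php3 queries in which the ids are validated as integers and bound as prepared-statement parameters instead of being interpolated into the SQL text. It assumes the ids arrive in $_GET and that a PDO connection is available; the DSN and credentials are placeholders.

```php
<?php
// Added example (not part of the original advisory or of MYFAQ).
// Hardened form of the affichagefaq.php3 queries: each id is validated
// as an integer and passed as a bound parameter, so no user-supplied
// characters ever become part of the SQL statement.

function requireIntParam(array $src, string $name): int {
    // FILTER_VALIDATE_INT accepts only a plain integer; quotes, comment
    // markers and keywords are rejected before any query is built.
    $v = filter_var($src[$name] ?? null, FILTER_VALIDATE_INT);
    if ($v === false) {
        http_response_code(400);
        exit("Invalid parameter: $name");
    }
    return $v;
}

// Placeholder DSN and credentials (assumption, not from the advisory).
$db = new PDO('mysql:host=localhost;dbname=myfaq', 'dbuser', 'dbpassword', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // server-side prepared statements
]);

// Assumed to come from the query string (the original relied on globals).
$Theme     = requireIntParam($_GET, 'Theme');
$SousTheme = requireIntParam($_GET, 'SousTheme');
$Question  = requireIntParam($_GET, 'Question');

// Query 1: theme label. ":id" is a placeholder, never string-concatenated.
$stmt = $db->prepare('SELECT LIBELLE FROM THEMES WHERE ID_THEME = :id');
$stmt->execute([':id' => $Theme]);
$themeLabel = $stmt->fetchColumn();

// Query 2: sub-theme label, same pattern.
$stmt = $db->prepare('SELECT LIBELLE FROM SOUSTHEMES WHERE ID_SOUSTHEME = :id');
$stmt->execute([':id' => $SousTheme]);
$sousThemeLabel = $stmt->fetchColumn();

// Query 3: solutions for the requested FAQ entry.
$stmt = $db->prepare('SELECT * FROM SOLUTIONS WHERE ID_FAQ = :id');
$stmt->execute([':id' => $Question]);
$solutions = $stmt->fetchAll(PDO::FETCH_ASSOC);
?>
```

The same two steps (integer validation plus a bound parameter) apply to every query listed in the advisory, since all of them take a numeric id.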