Bugtraq mailing list archives
Xoops SQL fragment disclosure and SQL injection vulnerability
From: Cabezon Aurélien <aurelien.cabezon () isecurelabs com>
Date: Tue, 29 Jan 2002 17:03:32 +0100
-- [ Xoops SQL fragment disclosure and SQL injection vulnerability ] --

Discovered on 27/01/2002
Vendor: http://xoops.sourceforge.net

-- [ Overview ] --

XOOPS is an open source portal script written extensively in object-oriented PHP, backed by a MySQL database.

There are 2 security issues:
- Xoops discloses SQL queries.
- Xoops allows a remote user to inject SQL queries.

-- [ Description ] --

The userinfo.php script does not check for special meta-characters in user input.
It is possible to make it crash using this kind of query:

http://xoops-site/userinfo.php?uid=1;

It then gives you this error report:

-snip-
MySQL Query Error: SELECT u.*, s.* FROM x_users u, x_users_status s WHERE u.uid=1; AND u.uid=s.uid
Error number:1064
Error message: You have an error in your SQL syntax near '; AND u.uid=s.uid' at line 1
ERROR
-snip-

It discloses a lot of information that helps an SQL injection attack, such as:

http://xoops-site/userinfo.php?uid=1[SQL Query]

More about SQL injection:
http://www.owasp.org/projects/asac/iv-sqlinjection.shtml

No exploit is given, but it was successfully tested.
Xoops team has been alerted.

-- [ Tested Version ] --

Xoops RC1

-- [ Discovered by ] --

Cabezon Aurelien | aurelien.cabezon () iSecureLabs com
http://www.iSecureLabs.com | French Security portal
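
Added example (not part of the original advisory and not Xoops code): the query-building pattern the error report implies, next to a lookup that validates uid, binds it as a parameter, and keeps database error text out of the response. The function names, the uname and posts columns, and the in-memory SQLite database standing in for MySQL are assumptions made for illustration.

```php
<?php
// Constructed schema: only the table names and the uid column come from the advisory.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE x_users (uid INTEGER PRIMARY KEY, uname TEXT)');
$pdo->exec('CREATE TABLE x_users_status (uid INTEGER PRIMARY KEY, posts INTEGER)');
$pdo->exec("INSERT INTO x_users VALUES (1, 'admin')");
$pdo->exec('INSERT INTO x_users_status VALUES (1, 42)');

// Pattern implied by the error report: the raw uid is spliced into the SQL text,
// so any character in the request becomes part of the statement.
function build_query_unsafe(string $rawUid): string
{
    return "SELECT u.*, s.* FROM x_users u, x_users_status s WHERE u.uid=$rawUid AND u.uid=s.uid";
}

// Hardened lookup (hypothetical helper): strict integer check, bound parameter,
// and a generic message to the client while the detail goes to the server log.
function fetch_user(PDO $pdo, string $rawUid): array
{
    $uid = filter_var($rawUid, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($uid === false) {
        return ['ok' => false, 'error' => 'Invalid user id'];
    }
    try {
        $stmt = $pdo->prepare(
            'SELECT u.uid, u.uname, s.posts FROM x_users u
             JOIN x_users_status s ON u.uid = s.uid WHERE u.uid = :uid'
        );
        $stmt->execute([':uid' => $uid]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        return $row ? ['ok' => true, 'user' => $row]
                    : ['ok' => false, 'error' => 'User not found'];
    } catch (PDOException $e) {
        error_log('userinfo lookup failed: ' . $e->getMessage()); // never echoed to the client
        return ['ok' => false, 'error' => 'Internal error'];
    }
}

// The request value from the advisory reproduces the statement shown in its error report.
echo build_query_unsafe('1;'), "\n";
var_dump(fetch_user($pdo, '1;')); // rejected before any SQL is built
var_dump(fetch_user($pdo, '1'));  // normal lookup
```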