Full Disclosure mailing list archives

Re: Pligg 9.9.0 editlink.php SQL Injection Vulnerability


From: lists <lists () keamera org>
Date: Tue, 08 Apr 2008 23:10:37 +0200

While writing a little patch I found many other problems: variables are 
simply not checked, or checked in the very wrong way.


- This is the case of my previous mail, editlink.php:

if(isset($_GET['id'])){
        $theid = strip_tags($_GET['id']);   // only HTML tags removed, no integer check
}
if(isset($_POST['id'])){
        $theid = strip_tags($_POST['id']);
}
[...]
// $theid is concatenated straight into the WHERE clause, unquoted
$link = $db->get_row("SELECT link_id, link_author FROM " . table_links . 
" WHERE link_id=".$theid.";");
[...]
$linkres->id=$link_id = strip_tags($_POST['id']);   // same unchecked value is passed on to read()
$linkres->read();


libs/link.php:

function read($usecache = TRUE) {
 $id = $this->id;   // taken as-is from the caller, never validated
 // $id interpolated unquoted into the SQL string
 $link = $db->get_row("SELECT " . table_links . ".* FROM " . table_links 
. " WHERE link_id = $id");
}



- Another one, vote.php:

$link->id=$_POST['id'];   // no strip_tags() at all here, raw POST value
$link->read_basic();


link/link.php:

$id = $this->id;   // raw value from vote.php, interpolated unquoted below
$db->get_row("SELECT link_comments, link_author, link_status, 
link_randkey, link_category, link_date, link_votes, link_karma, 
link_published_date FROM " . table_links . " WHERE link_id = $id");


...and so on.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
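The pattern described in the message above (strip_tags() on an id, then string concatenation into a WHERE clause) reproduced against an in-memory SQLite table, with a hardened version beside it. This is an added example, not Pligg code and not part of the original post: the `links` table, its rows, the `strip_tags` stand-in and the `get_row_*` function names are all constructed for the demo. Because the injection payload contains no HTML markup, strip_tags() leaves it untouched, so the vote.php path (no strip_tags at all) and the editlink.php path (strip_tags only) behave identically here.

```python
import re
import sqlite3

# Constructed in-memory stand-in for Pligg's links table (assumption: column
# names taken from the queries quoted in the post; the rows are made up).
SAMPLE_LINKS = [
    (1, 10, "published"),
    (2, 11, "published"),
    (3, 12, "discarded"),
]


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE links (link_id INTEGER PRIMARY KEY, "
        "link_author INTEGER, link_status TEXT)"
    )
    db.executemany("INSERT INTO links VALUES (?, ?, ?)", SAMPLE_LINKS)
    return db


def strip_tags(value):
    """Minimal stand-in for PHP's strip_tags(): drops <...> markup, nothing else."""
    return re.sub(r"<[^>]*>", "", value)


def get_row_vulnerable(db, user_id):
    """Same shape as the quoted editlink.php code: strip_tags() on the id,
    then the raw string is concatenated into the WHERE clause."""
    theid = strip_tags(user_id)
    sql = "SELECT link_id, link_author FROM links WHERE link_id=" + theid + ";"
    # Pligg's get_row() returns a single row; fetchall() is used here so the
    # full effect of a widened WHERE clause is visible.
    return db.execute(sql).fetchall()


def get_row_hardened(db, user_id):
    """Hardened form: the id must be a decimal integer, and it is passed as a
    bound parameter instead of being spliced into the SQL text."""
    if not re.fullmatch(r"[0-9]+", user_id):
        raise ValueError("link id must be a non-negative integer")
    sql = "SELECT link_id, link_author FROM links WHERE link_id = ?"
    return db.execute(sql, (int(user_id),)).fetchall()


def demo(payload="1 OR 1=1"):
    """Run both versions against a normal id and against the injection payload.
    Returns a dict so the results can be checked rather than only printed."""
    db = make_db()
    try:
        hardened_payload = get_row_hardened(db, payload)
    except ValueError:
        hardened_payload = "rejected"
    return {
        "strip_tags_unchanged": strip_tags(payload) == payload,
        "vulnerable_normal": get_row_vulnerable(db, "2"),
        "vulnerable_payload": get_row_vulnerable(db, payload),
        "hardened_normal": get_row_hardened(db, "2"),
        "hardened_payload": hardened_payload,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The payload `1 OR 1=1` survives strip_tags() unchanged and turns a lookup of one link into a query matching every row; the hardened version rejects it before any SQL is built, and even an id that passes the check is bound as a parameter rather than interpolated. In PHP the equivalent is an `(int)` cast or `ctype_digit()` check followed by a prepared statement, not strip_tags().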