oss-sec mailing list archives
Re: CVE-request: Wikidforum 2.10 multiple XSS and SQL-injection vulnerabilities SSCHADV2012-005
From: Kurt Seifried <kseifried () redhat com>
Date: Fri, 13 Apr 2012 10:08:03 -0600
On 04/13/2012 04:46 AM, Henri Salo wrote:
> On Thu, Apr 12, 2012 at 12:55:01PM -0600, Kurt Seifried wrote:
>>> http://osvdb.org/show/osvdb/80840 Wikidforum Advanced Search Multiple Field SQL Injection
>>
>> Also I couldn't really confirm the SQL injections so not assigning a CVE, if you can find confirmation I'll assign a CVE.
>
> With "'" as input to select_sort:
>
> You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\\\' asc' at line 1
>
> select * from posts where parent_post_id IS NULL AND status=1 AND user_id=0 AND (post LIKE '%foo%' OR title LIKE '%foo%') and status IN (1) order by \\\' asc
>
> My friend told me that this can escalate in case of bad permissions or bad MySQL setup, but I do not have better PoC for this list. At least one can't chain for example SELECT foo FROM bar;DROP TABLE users;-- http://dev.mysql.com/doc/refman/5.5/en/select.html
>
> - Henri Salo

Have you actually verified this first hand (e.g. done a successful SQL injection attack) against an installation of Wikidforum?

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
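
Added example, not part of the thread and not Wikidforum code: the error quoted above shows the select_sort value landing in the ORDER BY clause even with backslash-escaping, so this sketch sets the concatenating pattern beside an allowlist mapping for the sort column. It assumes an in-memory SQLite database standing in for MySQL; the table contents, function names and allowlist entries are hypothetical.

```python
import sqlite3

# Constructed sample data; columns follow the query quoted in the thread.
SCHEMA = ("CREATE TABLE posts (id INTEGER PRIMARY KEY, parent_post_id INTEGER, "
          "status INTEGER, user_id INTEGER, title TEXT, post TEXT)")
ROWS = [(1, None, 1, 0, "zeta foo", "foo body"),
        (2, None, 1, 0, "alpha foo", "more foo")]
WHERE = ("SELECT title FROM posts WHERE parent_post_id IS NULL AND status=1 "
         "AND user_id=0 AND (post LIKE ? OR title LIKE ?) ORDER BY ")

# Hypothetical allowlists: accepted request value -> SQL text we control.
SORT_COLUMNS = {"title": "title", "id": "id"}
DIRECTIONS = {"asc": "ASC", "desc": "DESC"}

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO posts VALUES (?, ?, ?, ?, ?, ?)", ROWS)
    return conn

def search_unsafe(conn, term, select_sort):
    # Assumed pattern: quote-escape the value, then concatenate it.
    # Escaping does not help here, because ORDER BY takes an identifier,
    # not a string literal, so the value is parsed as SQL either way.
    escaped = select_sort.replace("\\", "\\\\").replace("'", "\\'")
    like = "%" + term + "%"
    return [r[0] for r in conn.execute(WHERE + escaped + " asc", (like, like))]

def search_safe(conn, term, select_sort, direction="asc"):
    # Identifiers cannot be bound as parameters; map them through an allowlist.
    if select_sort not in SORT_COLUMNS or direction not in DIRECTIONS:
        raise ValueError("unsupported sort field or direction")
    like = "%" + term + "%"
    sql = WHERE + SORT_COLUMNS[select_sort] + " " + DIRECTIONS[direction]
    return [r[0] for r in conn.execute(sql, (like, like))]

def sort_value_breaks_statement(conn, select_sort):
    # True when the sort value alone makes the database reject the statement.
    try:
        search_unsafe(conn, "foo", select_sort)
        return False
    except sqlite3.OperationalError:
        return True
```

With the allowlist in place the request value only selects among fixed column names, so a value like the "'" from the thread is rejected before any SQL is built.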