|
|
| Details : SecurityAlert |
|
|
Topic : | Sql injections in e107 [Admin section]
|
SecurityAlert : 1569
CVE : CVE-2006-4757
SecurityRisk : Low (About)
Remote Exploit : Yes
Local Exploit : No
Exploit Given : Yes
Credit : Omid
Published : 18.09.2006
Affected Software : | e107 0.7.5 admin section |
 Advisory Text : Hi,
There are several sql injections in e107 0.7.5 admin section :
I) The "linkopentype", "linkrender" and "link_class" parameters are passed
to "db_Insert()" function without checking :
File /e107_admin/links.php, Line 496 :
>> $sql->db_Insert("links", "0, '$link_name', '$link_url',
'$link_description', '$link_button', ".$_POST['linkrender'].",
".($link_t+1).", ".$parent_id.", ".$_POST['linkopentype'].",
".$_POST['link_class']);
II) The "linkopentype", "linkrender", "link_class" and "link_id"
parameters
are passed to "db_Update()" and "db_Select()" functions without checking :
File /e107_admin/links.php, Line 480 :
>> $sql->db_Update("links", "link_parent='$parent_id',
link_name='$link_name', link_url='$link_url',
link_description='$link_description', link_button= '$link_button',
link_category='".$_POST['linkrender']."',
link_open='".$_POST['linkopentype']."',
link_class='".$_POST['link_class']."' WHERE link_id='$id'");
File /e107_admin/links.php, Line 482 :
>> if($sql->db_Select("links", "*", "link_parent='{$id}'"))
POC :
-----
Go to "Admin" -> "Site Links" -> "Edit" section
(/e107_admin/links.php?create.edit.1), and change the values of
"linkopentype", "linkrender", "link_class" and "link_id" inputs.
III) The "searchquery" parameter in file /e107_admin/users.php, line 448
is not checked against sql injection :
>> $_POST['searchquery'] = trim($_POST['searchquery']);
Which make the next query vulnerable .
POC :
-----
Go to users admin section (/e107_admin/users.php), and search for "1' SQL"
.
IV) The "download_category_class" parameter is not checked properly before
using in the insert query :
File /e107_admin/download.php, Line 1320 :
>> admin_update($sql->db_Insert("download_category", "0,
'$download_category_name', '$download_category_description',
'$download_category_icon',
'".intval($_POST['download_category_parent'])."',
'".$_POST['download_category_class']."', 0 "), 'insert', DOWLAN_47);
These are in administration section, so they dont seem to be critical.
- Omid
Feedback :
If you have additional information or notice any errors regarding this security advisory, please use contact form or email us at info()securityreason()com.
|
|
|
|