MkPortal - Multiple SQL Injection Vulnerabilities

2007.07.20
Credit: normal user
Risk: Medium
Local: No
Remote: Yes
CVE: CVE-2007-3814
CWE: CWE-89


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

We tried very hard to find wslabis mkportal SQL Injection but after ten minutes of "research" we decided that it is hopeless to find exactly the same bug and therefore we release a compilation of mkportal sql injections for the interested reader. Some of them are junk because you need a moderator acc but the rest is exploitable by a normal user. Some of the bugs can lead to user defined file deletions and command-exec bugs. Sorry wslabi but 500$ for a bug in this script is just a bad joke... File: /modules/urlobox/index.php 1 . function delete_urlo() $id = $mkportals->input['idurlo']; $DB->query("DELETE FROM mkp_urlobox WHERE id = $id"); File: /modules/reviews/index.php 1. function update_file() $iden= $mkportals->input['iden']; $query = $DB->query("SELECT idauth FROM mkp_reviews WHERE id = $iden"); 2. function del_file() $iden= $mkportals->input['iden']; $query = $DB->query( "SELECT image, author, idauth FROM mkp_reviews WHERE id = $iden"); File: /modules/news/index.php 1. function delete_news() $idnews = $mkportals->input['idnews']; $DB->query("DELETE FROM mkp_news WHERE id = $idnews"); 2. function del_comment() $idcomm= $mkportals->input['idcomm']; $DB->query("DELETE FROM mkp_news_comments WHERE id = $idcomm"); File: /modules/gallery/index.php 1. function delete_comments() $idcomm= $mkportals->input['idcomm']; $DB->query("DELETE FROM mkp_gallery_comments WHERE id = $idcomm"); 2. function edit_file() $iden = $mkportals->input['iden']; $query = $DB->query( "SELECT evento, titolo, descrizione, autore, idauth FROM mkp_gallery WHERE id = $iden"); 3. function update_file() $iden= $mkportals->input['iden']; $query = $DB->query("SELECT idauth FROM mkp_gallery WHERE id = $iden"); 4. function del_file() $iden= $mkportals->input['iden']; $query = $DB->query( "SELECT file, autore, idauth FROM mkp_gallery WHERE id = $iden"); 5. function slide_update() { $ide= $mkportals->input['ide']; $cat = $mkportals->input['cat']; $query = $DB->query( "SELECT id, titolo, file FROM mkp_gallery WHERE id > $ide AND evento = $cat AND validate = '1' ORDER BY 'id' LIMIT 1"); File: /modules/downloads/index.php 1. function update_file() $iden= $mkportals->input['iden']; $query = $DB->query( "SELECT file, data, idauth, peso FROM mkp_download WHERE id = $iden"); 2. function del_file() $iden= $mkportals->input['iden']; $query = $DB->query( "SELECT file, autore, idauth FROM mkp_download WHERE id = $iden"); ....... Just look for del_, edit_ or update functions and you will find more. greetings to jmp-esp jmp-esp.kicks-ass.net IRC: jmp-esp.kicks-ass.net / 6667 or 6661 (ssl) #main


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top