[pLog-svn] Fwd: LifeType <= 1.0.4 'articleId' SQL injection
Jon Daley
plogworld at jon.limedaley.com
Sat Jun 3 22:39:08 GMT 2006
It doesn't work on my 1.0.4 install either, only partially. It
does get the (presumably, I didn't check) admin password (hashed) into the
sql_error.log, which isn't a security risk in itself, but obviously, being
able to change the SQL queries is bad. I don't see what the /**/ stuff is
doing. Surely the articleId is validated to be an integer, so where is
all that SQL getting assigned to?
On Sun, 4 Jun 2006, Oscar Renalias wrote:
> I couldn't get the linked script to work, but this is the interesting part of
> it:
>
> http://www.yourhost.com/lifetype-1.0.4/index.php?op=ViewArticle&blogId=1&articleId=9999/**/UNION/**/SELECT/**/password,1,1,1,1,1,1,1/**/FROM/**/lt_users/**/WHERE/**/id=1/*
>
> Clever.
>
> On 4 Jun 2006, at 00:43, Oscar Renalias wrote:
>
>> Whoops. Our first serious SQL injection issue!
>>
>> Begin forwarded message:
>>
>>> From: "rgod" <zerokool_556 at hotmail.com>
>>> Date: 4 June 2006 00:30:31 GMT+03:00
>>> To: <contact at lifetype.net>
>>> Subject: LifeType <= 1.0.4 'articleId' SQL injection
>>>
>>> http://retrogod.altervista.org/lifetype_104_sql.html
>>>
>>> rgod
>>>
>>
>> _______________________________________________
>> pLog-svn mailing list
>> pLog-svn at devel.lifetype.net
>> http://devel.lifetype.net/mailman/listinfo/plog-svn
>>
**************************************
Jon Daley
http://jon.limedaley.com/
With memory prices this low, who needs to deallocate memory?
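
Added example, not part of the original thread and not LifeType code: it takes the URL quoted above and shows why an integer check must cover the whole `articleId` string, with a bound parameter as the second layer. The `/**/` sequences are empty SQL comments, which a SQL parser treats as token separators, so the value contains no spaces. The function names, the `articles` table and the lenient check are assumptions made for illustration; the thread does not say how LifeType validated the value.

```python
import re
import sqlite3
from urllib.parse import urlsplit, parse_qs

# URL quoted in the thread above.
URL = ("http://www.yourhost.com/lifetype-1.0.4/index.php?op=ViewArticle&blogId=1"
       "&articleId=9999/**/UNION/**/SELECT/**/password,1,1,1,1,1,1,1"
       "/**/FROM/**/lt_users/**/WHERE/**/id=1/*")


def article_id_param(url):
    """Return the raw articleId string exactly as the application receives it."""
    return parse_qs(urlsplit(url).query)["articleId"][0]


def lenient_is_integer(value):
    """Hypothetical weak check: passes if the value merely starts with digits."""
    return re.match(r"[0-9]+", value) is not None


def strict_article_id(value):
    """Whole-string check: ASCII digits only, anything else is rejected."""
    if re.fullmatch(r"[0-9]{1,10}", value) is None:
        raise ValueError("articleId is not an integer")
    return int(value)


def fetch_article(db, article_id, blog_id):
    """Bound parameters keep the value out of the SQL text entirely."""
    return db.execute(
        "SELECT id, topic FROM articles WHERE id = ? AND blog_id = ?",
        (article_id, blog_id),
    ).fetchall()


def demo_db():
    """Constructed in-memory table; the schema is a placeholder, not LifeType's."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE articles (id INTEGER, blog_id INTEGER, topic TEXT)")
    db.execute("INSERT INTO articles VALUES (1, 1, 'hello')")
    return db
```

Even if the raw string reaches `fetch_article`, it is compared as data against `id` and matches no row; the strict check stops it earlier with a `ValueError`.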