[41603] in bugtraq
Re: Re: [KAPDA::#16] - SMF SQL Injection
daemon@ATHENA.MIT.EDU (polnby@yahoo.com)
Mon Dec 12 17:08:27 2005
Date: 11 Dec 2005 12:29:17 -0000
Message-ID: <20051211122917.8202.qmail@securityfocus.com>
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: binary
MIME-Version: 1.0
From: polnby@yahoo.com
To: bugtraq@securityfocus.com
Take a better look at your 'Memberlist.php' source code.
// Select the members from the database.
$request = db_query("
SELECT mem.ID_MEMBER
FROM {$db_prefix}members AS mem
LEFT JOIN {$db_prefix}log_online AS lo ON (lo.ID_MEMBER = mem.ID_MEMBER)
LEFT JOIN {$db_prefix}membergroups AS mg ON (mg.ID_GROUP = IF(mem.ID_GROUP = 0, mem.ID_POST_GROUP, mem.ID_GROUP))
WHERE mem.is_activated = 1
ORDER BY " . $sort_methods[$_REQUEST['sort']][$context['sort_direction']] . "
LIMIT $_REQUEST[start], $modSettings[defaultMaxMembers]", __FILE__, __LINE__);
printMemberListRows($request);
mysql_free_result($request);
----------------------
// Find the members from the database.
// !!!SLOW This query is slow.
$request = db_query("
SELECT mem.ID_MEMBER
FROM {$db_prefix}members AS mem
LEFT JOIN {$db_prefix}log_online AS lo ON (lo.ID_MEMBER = mem.ID_MEMBER)
LEFT JOIN {$db_prefix}membergroups AS mg ON (mg.ID_GROUP = IF(mem.ID_GROUP = 0, mem.ID_POST_GROUP, mem.ID_GROUP))
WHERE " . implode(" $query OR ", $fields) . " $query$condition
AND is_activated = 1
LIMIT $_REQUEST[start], $modSettings[defaultMaxMembers]", __FILE__, __LINE__);
printMemberListRows($request);
mysql_free_result($request);
----------------------
Isn't it possible for an attacker to modify the query logic?
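For comparison, a guarded way of building the first query quoted above, added here as an illustration and not SMF's own code: the sort key is checked against the known keys of $sort_methods and the LIMIT offset is cast to a non-negative integer before either reaches the SQL text. It assumes PHP 7.3+ and that $sort_methods maps each key to an array with 'up' and 'down' entries (the two values $context['sort_direction'] takes); the sample values at the bottom are constructed.

```php
<?php
// Added example, not code from SMF. Assumes $sortMethods has the shape
// sort key => ['up' => 'col ASC', 'down' => 'col DESC'].
function buildMemberListQuery(array $request, array $sortMethods, string $sortDirection,
                              string $dbPrefix, int $defaultMaxMembers): string
{
    // 'sort' is only ever used as an array key; unknown keys fall back to the first one
    // instead of producing a null ORDER BY expression.
    $sort = (string) ($request['sort'] ?? '');
    if (!array_key_exists($sort, $sortMethods)) {
        $sort = array_key_first($sortMethods);
    }
    // Direction is restricted to the two known entries.
    $direction = ($sortDirection === 'down') ? 'down' : 'up';
    $orderBy = $sortMethods[$sort][$direction];

    // 'start' is interpolated into LIMIT, so only a non-negative integer may reach the
    // query text, never the raw request string.
    $start = max(0, (int) ($request['start'] ?? 0));

    return "SELECT mem.ID_MEMBER\n"
        . "FROM {$dbPrefix}members AS mem\n"
        . "LEFT JOIN {$dbPrefix}log_online AS lo ON (lo.ID_MEMBER = mem.ID_MEMBER)\n"
        . "WHERE mem.is_activated = 1\n"
        . "ORDER BY $orderBy\n"
        . "LIMIT $start, $defaultMaxMembers";
}

// Constructed sample values (not from SMF).
$sortMethods = [
    'realName'       => ['up' => 'mem.realName ASC',       'down' => 'mem.realName DESC'],
    'dateRegistered' => ['up' => 'mem.dateRegistered ASC', 'down' => 'mem.dateRegistered DESC'],
];

// Well-formed input is passed through as-is.
echo buildMemberListQuery(['sort' => 'dateRegistered', 'start' => '20'],
                          $sortMethods, 'down', 'smf_', 30), "\n\n";

// Unknown sort key and non-numeric offset both collapse to safe defaults
// (ORDER BY mem.realName ASC, LIMIT 20, 30).
echo buildMemberListQuery(['sort' => 'not a key', 'start' => '20abc'],
                          $sortMethods, 'up', 'smf_', 30), "\n";
```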