[41662] in bugtraq
Re: Re: Re: [KAPDA::#16] - SMF SQL Injection
daemon@ATHENA.MIT.EDU (grudge@securityfocus.com,simplemac)
Thu Dec 15 03:02:30 2005
Date: 13 Dec 2005 23:52:06 -0000
Message-ID: <20051213235206.29613.qmail@securityfocus.com>
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: binary
MIME-Version: 1.0
From: grudge@securityfocus.com, simplemachines@securityfocus.com,
org@securityfocus.com
To: bugtraq@securityfocus.com
Remember, SMF only shows database syntax errors to administrators anyway, so they would not even see the query string itself. All the average user trying this gets is "A database error has occured".
Either way securityfocus have kindly removed the advisory so we're happy.
[quote]
mphhh, correct...
the only problem I see is path disclosure, 'cause you can inject only a one char string:
http://[target]/smfrc1/index.php?action=mlist;sort=realName;start=\;desc
query becomes:
SELECT COUNT(ID_MEMBER) FROM smf_members WHERE LOWER(SUBSTRING(realName, 1, 1)) < '\' AND is_activated = 1
and at screen, you have:
Errore di sintassi nella query SQL vicino a ''\'
AND is_activated = 1' linea 3
File: [full_application_path]Memberlist.php
Line: 162
but I think you cannot inject commands...
[/quote]