[24021] in bugtraq
Xoops SQL fragment disclosure and SQL injection vulnerability
daemon@ATHENA.MIT.EDU (=?iso-8859-1?Q?Cabezon_Aur=E9lien?)
Tue Jan 29 12:54:23 2002
Message-ID: <012d01c1a8de$a1adc2d0$0301a8c0@London>
From: =?iso-8859-1?Q?Cabezon_Aur=E9lien?= <aurelien.cabezon@isecurelabs.com>
To: <bugtraq@securityfocus.com>
Cc: <staff@securiteam.com>
Date: Tue, 29 Jan 2002 17:03:32 +0100
MIME-Version: 1.0
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
-- [ Xoops SQL fragment disclose and SQL injection vulnerability ] --
Discovered on 27/01/2002
Vendor: http://xoops.sourceforge.net
-- [ Overview ] --
XOOPS is an open source portal script written extensively in object-oriented
PHP. Backed with MySQL Database.
There is 2 security issues :
- Xoops disclose SQL query.
- Xoops allow remote user to SQL query injection.
-- [ Description ] --
The userinfo.php script does not check for special meta-characters in user's
inputs
It is possible to make it crash using this kind of query :
http://xoops-site/userinfo.php?uid=1;
then it gives you this error report :
-snip-
MySQL Query Error: SELECT u.*, s.* FROM x_users u, x_users_status s WHERE
u.uid=1; AND u.uid=s.uid
Error number:1064
Error message: You have an error in your SQL syntax near '; AND u.uid=s.uid'
at line 1
ERROR
-snip-
It dicloses many informations that help to SQL injection attack...
Such as http://xoops-site/userinfo.php?uid=1[SQL Query]
More about SQL injection
http://www.owasp.org/projects/asac/iv-sqlinjection.shtml
No exploit is given, but it was successfully tested.
Xoops team has been alerted.
-- [ Tested Version ] --
Xoops RC1
-- [ Discovered by ] --
Cabezon Aurelien | aurelien.cabezon@iSecureLabs.com
http://www.iSecureLabs.com | French Security portal
