[26666] in bugtraq
L-Forum Vulnerability - SQL Injection
daemon@ATHENA.MIT.EDU (Matthew Murphy)
Wed Aug 14 17:09:14 2002
Message-ID: <004d01c2433d$b605e1a0$e62d1c41@kc.rr.com>
From: "Matthew Murphy" <mattmurphy@kc.rr.com>
To: "BugTraq" <bugtraq@securityfocus.com>,
"Full Disclosure" <full-disclosure@lists.netsys.com>,
"SecurITeam News" <news@securiteam.com>,
"Vuln-Dev" <vuln-dev@securityfocus.com>,
"VulnWatch" <vulnwatch@vulnwatch.org>
Date: Tue, 13 Aug 2002 21:53:04 -0500
MIME-Version: 1.0
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
I have discovered an SQL injection flaw in L-Forum which has
a recent record (upload spoofing/XSS by Ulf) of security bugs.
The problem this time is search.php. It doesn't properly escape
the SQL data passed in by the user in the search member. I
have provided a SourceForge patch for this vulnerability. I
have shown URLs that exploit this:
Postgres:
http://localhost/search.php?search=a%27%20order%20by%20time%20desc%3b%20[que
ry]
MySQL:
http://localhost/search.php?search=a%25%27%20order%20by%20time%20desc%3b%20[
query]
I've patched this on SourceForge:
http://sourceforge.net/tracker/download.php?group_id=53716&atid=471341&file_
id=29026&aid=594867
"The reason the mainstream is thought
of as a stream is because it is
so shallow."
- Author Unknown
