Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <4F884F63.20102@redhat.com>
Date: Fri, 13 Apr 2012 10:08:03 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Henri Salo <henri@...v.fi>
Subject: Re: CVE-request: Wikidforum 2.10 multiple XSS and
 SQL-injection vulnerabilities SSCHADV2012-005

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 04/13/2012 04:46 AM, Henri Salo wrote:
> On Thu, Apr 12, 2012 at 12:55:01PM -0600, Kurt Seifried wrote:
>>> http://osvdb.org/show/osvdb/80840 Wikidforum Advanced Search 
>>> Multiple Field SQL Injection
>> Also I couldn't really confirm the SQL injections so not
>> assigning a CVE, if you can find confirmation I'll assign a CVE.
> 
> With "'" as input to select_sort:
> 
> You have an error in your SQL syntax; check the manual that
> corresponds to your MySQL server version for the right syntax to
> use near '\\\' asc' at line 1select * from posts where
> parent_post_id IS NULL AND status=1 AND user_id=0 AND (post LIKE
> '%foo%' OR title LIKE '%foo%') and status IN (1) order by \\\' asc
> 
> My friend told me that this can escalate in case of bad permissions
> or bad MySQL setup, but I do not have better PoC for this list. At
> least one can't chain for example SELECT foo FROM bar;DROP TABLE
> users;--
> 
> http://dev.mysql.com/doc/refman/5.5/en/select.html
> 
> - Henri Salo

Have you actually verified this first hand (e.g. done a successful SQL
injection attack) against an installation of Wikidforum?

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJPiE9fAAoJEBYNRVNeJnmTTBUP/RAFfubG9vd+NjbTPbiXv39H
6yZC19+k77jk7CTUklfOlud6UNcnLdtoOyBgKD6bLud81dJGUJ66b5lNM21yVSbU
ToIIuXNhXGdQ07LtkCbq4AS3jkHDBl9SH6jUnS0GSS4nr/J8KxzBCUrh+fAi1HWK
dGfj3TkBkUf2gWIb9dj62tzx21MAKfcA7SuNmc3tLoBKPIV6ZmsoKM5hEetP2snM
XWx25D1QjyPHjNfDaqFqz/3GWnMUs5FRgD+N1WvTU6UJi/EONmhu074lWFaFKIJU
tTEuTcuSKal9zQBC9//JRLfkHv+kI3DHezAsoFfsk1MUFD8A9dzGVbSp4CQmuVQs
5ZuXRI1PxeMh8ZVHM1Deo7Bfn+jJZAqtlPwOPHzeXpxF+A+JAZA5mnYY0PVbRUTm
FU5hj6MhVmfGVus6kKaKw3nuOdNAPmNfYRP+DOLKG7tTBcnQwMLAtr0TTfK1HJFG
j1BQGZ3raJhcvT7Q9/IOw/2xZOWEfl1RKUv+WrheqM4taxs4GCb7G38xENrhWmN/
MInu9n10oGcDqeSx7oYeRkrSt9vX0U6wSsXPpYPQT2eK+B7DmLQeNyu4uzpqQHvU
Iljr7PkpQARbdeqbACrrraVEcvSZheNbmlF2iymDgh93O27wxHbJe7gTPowAfHWe
Y5Ar7EwOUTJLkddvTY7G
=G5vD
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.