There is an SQL injection in the tag-adding function, located in /dapur/apps/app_article/sys_article.php.
No filter is applied to $_POST['name']:
```php
if(isset($_POST['add_tag']) or isset($_POST['save_tag'])){
    $t = striptags($_POST['name']);
    if(!empty($t)) {
        $qr=$db->insert(FDBPrefix.'article_tags',array("",striptags($_POST['name']),striptags($_POST['desc']),""));
        if($qr AND isset($_POST['save_tag'])){
            notice('success',Tag_Added);
            redirect('?app=article&view=tag');
        }
        else if($qr){
            $sql2 = $db->select(FDBPrefix.'article_tags','*','','id DESC');
            $qrs = $sql2[0];
            notice('success',Tag_Added);
            redirect("?app=article&view=tag&act=edit&id=$qrs[id]");
        }
        else {
            notice('error',Tag_Exists,2);
        }
    }
    else {
        notice('error',Status_Invalid,2);
    }
}
```
The database insert function applies no filter either; it just puts a pair of " around the tag name. So whenever we update a tag name or add a tag, there is an SQL injection problem.
URL: /fiyo/dapur/index.php?app=article&view=tag&act=edit&id=79
DATA: apply_tag=Simpan&id=79&name=1%22or%221&desc=1
An account is needed to do this.
Discovered by: Chaitin Technology
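The quoting behaviour described above next to a parameterized insert, as an added example that is not Fiyo CMS code: `build_quoted_insert()`, `insert_tag()`, the table layout and the in-memory SQLite database are hypothetical stand-ins, and the only value taken from the report is the decoded `name` parameter.

```php
<?php
// Added example, not Fiyo CMS code. Helper names and schema are hypothetical.

// Mirrors the behaviour described in the report: every value is wrapped in
// double quotes and concatenated into the statement with no escaping.
function build_quoted_insert(string $table, array $values): string
{
    $quoted = array_map(fn($v) => '"' . $v . '"', $values);
    return "INSERT INTO $table VALUES (" . implode(',', $quoted) . ")";
}

// Hardened form: values are sent as bound parameters, never as SQL text.
function insert_tag(PDO $pdo, string $name, string $desc): int
{
    $stmt = $pdo->prepare(
        'INSERT INTO article_tags (name, description) VALUES (:name, :desc)'
    );
    $stmt->execute([':name' => $name, ':desc' => $desc]);
    return (int) $pdo->lastInsertId();
}

$name = '1"or"1';   // decoded form of the name value in the report

// Quoting pattern: the quote inside $name closes the string literal early,
// so the rest of the value is parsed as SQL instead of being stored as data.
echo build_quoted_insert('article_tags', ['', $name, '1', '']), "\n";

// Parameterized pattern against an in-memory SQLite database
// (constructed schema, requires the pdo_sqlite extension).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE article_tags (
    id INTEGER PRIMARY KEY, name TEXT UNIQUE, description TEXT)');

$id = insert_tag($pdo, $name, '1');

// Read the row back, again with a bound parameter.
$check = $pdo->prepare('SELECT name FROM article_tags WHERE id = :id');
$check->execute([':id' => $id]);
$stored = $check->fetchColumn();

// True when the value was stored byte for byte as data.
var_dump($stored === $name);
```

The same binding applies to the update path, where both the new tag name and the `id` value should be passed as parameters rather than concatenated.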