SQL injection vulnerability in inc/lib/Control/Backend/menus.control.php in GeniXCMS v1.0.2(latest) discovered by "ADLab of Venustech" #71
Comments
Thank you, but this had been fixed in the latest release already. See this: https://github.com/semplon/GeniXCMS/blob/master/inc/lib/Db.class.php#L322 . I don't know if the fix solves the problem, but at least please try the latest release, which is 1.0.2 already.
mysql_escape_string filters single quotes, but an attacker can do SQL injection without a single quote, like my PoC.
Okay, I'll do some research first.
This is CVE-2017-6065. |
@semplon What release or commit fixes this vulnerability? |
Aahh, sorry again, I think I missed this issue.
@semplon Could you create a new release when you have completely fixed this vulnerability? Thanks.
@fgeek Sure, I'm still checking another bug.
Hello @fgeek, @superfish9, since you have contributed to GeniXCMS, I'll send you a JetBrains Open Source license. Please provide me with your email so I can send it to you. Thanks
@semplon Thank you for the offer, but it is not needed. I'm just here to make the internet a safer place for everyone and improve the quality of GeniX.
Okay @fgeek, I really appreciate all your hard work to make GeniX more secure. Thank you
inc/lib/Control/Backend/menus.control.php (line 377):
The updateMenuOrder function in inc/lib/Menus.class.php (line 364):
The update function in inc/lib/Db.class.php (line 322):
We'll find that the `$key` in `$set .= "$key = '$val',";` isn't filtered, which leads to SQL injection. PoC:
http://127.0.0.1/genixcms100/gxadmin/index.php?page=menus
POST parameters:
Don't forget to get a token first.
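As an added illustration of the defect described above (not GeniXCMS code), the snippet below places a builder shaped like the reported `update` function, where only values are escaped and the array keys are spliced into the SET clause, beside a hardened form that allowlists column names and binds values through prepared-statement placeholders. Table name, column names and the `$input` array are constructed for the demo, and `addslashes` stands in for the removed `mysql_escape_string`.

```php
<?php
// Added example, not project code. Vulnerable pattern: values are escaped, but
// the keys of $data go straight into the SET clause, so a caller-controlled key
// is treated as raw SQL. addslashes() stands in for mysql_escape_string().
function buildUpdateUnsafe(string $table, array $data, string $where): string
{
    $set = '';
    foreach ($data as $key => $val) {
        $set .= "$key = '" . addslashes((string) $val) . "',";
    }
    $set = rtrim($set, ',');
    return "UPDATE $table SET $set WHERE $where";
}

// Hardened form: column names must appear in a fixed allowlist and are quoted
// as identifiers; values never touch the SQL string and are bound by PDO.
function buildUpdateSafe(string $table, array $data, array $allowedColumns, int $id): array
{
    $assignments = [];
    $params = [':id' => $id];
    foreach ($data as $key => $val) {
        if (!in_array($key, $allowedColumns, true)) {
            throw new InvalidArgumentException('Column not allowed: ' . $key);
        }
        $assignments[] = '`' . $key . '` = :' . $key;
        $params[':' . $key] = $val;
    }
    if ($assignments === []) {
        throw new InvalidArgumentException('Nothing to update');
    }
    $sql = 'UPDATE `' . $table . '` SET ' . implode(', ', $assignments) . ' WHERE `id` = :id';
    return [$sql, $params];
}

// Constructed input: one legitimate column key and one key that is not a
// column name at all (it carries SQL syntax the unsafe builder copies verbatim).
$input = ['sort_order' => 3, 'sort_order = 0, title' => 'x'];
echo buildUpdateUnsafe('gx_menus', $input, 'id = 1'), PHP_EOL;   // key spliced in as SQL
try {
    buildUpdateSafe('gx_menus', $input, ['sort_order', 'title'], 1);
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), PHP_EOL;                 // bad key refused
}
[$sql, $params] = buildUpdateSafe('gx_menus', ['sort_order' => 3], ['sort_order', 'title'], 1);
echo $sql, PHP_EOL;  // UPDATE `gx_menus` SET `sort_order` = :sort_order WHERE `id` = :id
// With a real connection: $pdo->prepare($sql)->execute($params);
```

The allowlist check is the part the value-escaping fix cannot replace: escaping applies to string literals, while identifiers in SET need to be validated against the schema before they reach the query.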