a SQL injection in version 2.9.2 #804

Closed
xcold opened this issue Nov 20, 2017 · 4 comments

@xcold
commented Nov 20, 2017

# SQL injection in version 2.9.2

in admin/tags.php

```php
if (isset($_POST['edit_submit']))
{
  $query = 'SELECT name FROM '.TAGS_TABLE.';';
  $existing_names = array_from_query($query, 'name');
  $current_name_of = array();
  $query = '
SELECT id, name
  FROM '.TAGS_TABLE.'
  WHERE id IN ('.$_POST['edit_list'].')
;';

  $result = pwg_query($query);
```

The values of the edit_list parameter are not sanitized;
these are used to construct a SQL query and retrieve a list of registered users into the application.

so post the data
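
One way to handle a comma-separated id list such as `edit_list` without concatenating request data into the query, as an added example that is not part of the original issue and is not Piwigo's code or its fix. The `tags` table, the sample rows, the inputs and the helper names `parse_id_list` and `fetch_tag_names` are assumptions, and it uses PDO with in-memory SQLite instead of Piwigo's `pwg_query`.

```php
<?php
// Added illustration, not Piwigo code. Table, rows and inputs are constructed.

/** Parse a comma-separated id list, accepting only decimal integers. */
function parse_id_list(string $raw): array
{
    $ids = [];
    foreach (explode(',', $raw) as $part) {
        $part = trim($part);
        // ctype_digit() is true only for a non-empty string made of 0-9.
        if (!ctype_digit($part)) {
            throw new InvalidArgumentException('id list must contain only integers');
        }
        $ids[] = (int) $part;
    }
    return array_values(array_unique($ids));
}

/** Fetch id => name for the given ids, binding each id as a parameter. */
function fetch_tag_names(PDO $db, array $ids): array
{
    if ($ids === []) {
        return [];
    }
    // One placeholder per id; the values never become part of the SQL text.
    $marks = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $db->prepare("SELECT id, name FROM tags WHERE id IN ($marks) ORDER BY id");
    $stmt->execute($ids);
    return $stmt->fetchAll(PDO::FETCH_KEY_PAIR);
}

// Constructed sample data in an in-memory SQLite database (needs pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE tags (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO tags (id, name) VALUES (1, 'beach'), (2, 'forest'), (3, 'city')");

foreach (['1, 3', '2,2', '7,abc', ''] as $edit_list) { // constructed inputs
    try {
        $names = fetch_tag_names($db, parse_id_list($edit_list));
        printf("%-8s => %s\n", var_export($edit_list, true), json_encode($names));
    } catch (InvalidArgumentException $e) {
        printf("%-8s => rejected: %s\n", var_export($edit_list, true), $e->getMessage());
    }
}
```

The validation step and the bound parameters are independent defences: either one alone keeps the request value out of the SQL text, and using both means a later change to one does not reopen the query.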

@flop25

Member

commented Feb 4, 2018

@uxff there is no Get/Post variable in there.
Come back with a PoC on a new thread.

@flop25 added this to the 2.9.3 milestone Feb 4, 2018
@uxff


commented Feb 4, 2018

Sorry, the $conf is not from the client request.
Very sorry.
@flop25

@flop25

Member

commented Feb 4, 2018

^^ Ok Have a good day

@fgeek


commented May 21, 2018

@plegall so is this a false report, and should the CVE be asked to be rejected, or?
