Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Multiple SQLI caused by functions in Posts.class.php #67

Closed
Xyntax opened this issue Jan 14, 2017 · 0 comments
Closed

Multiple SQLI caused by functions in Posts.class.php #67

Xyntax opened this issue Jan 14, 2017 · 0 comments

Comments

@Xyntax
Copy link

Xyntax commented Jan 14, 2017

Source

https://github.com/semplon/GeniXCMS/blob/master/inc/lib/Posts.class.php#L313

Functions getParam(), delParam() and existParam() do not filter any incoming parameters, resulting in many SQL injections.

Here is an example.

public static function editParam($param, $value, $post_id)
    {
        $sql = "UPDATE `posts_param` SET `value` = '{$value}' WHERE `post_id` = '{$post_id}' AND `param` = '{$param}' ";
        $q = Db::query($sql);
        if ($q) {
            return true;
        } else {
            return false;
        }
    }

Injection 1

pages.control.php line 165

if (Posts::existParam('multilang', $_GET['id'])) {
                                Posts::editParam('multilang', $multilang, $_GET['id']);
                            } else {
                                Posts::addParam('multilang', $multilang, $_GET['id']);
                            }

Injection 2

pages_form.php line 133

$lang = Language::getLangParam($key, $_GET['id']);

then $_GET[id] is parsed into Posts::getParam at Language.class.php line 75

public static function getLangParam($lang, $post_id)
    {
        if (Posts::existParam('multilang', $post_id)) {
            $multilang = json_decode(Posts::getParam('multilang', $post_id), true);
...

Injection 3

posts_form.php line 122

if ($lang == '' || !Posts::existParam('multilang', $_GET['id'])) {

There are many similar cases, please check it later.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

2 participants