[VIM] Jemscripts DownloadControl 1.0 - at least 2 separate issues
Steven M. Christey
coley at mitre.org
Tue May 23 11:42:22 EDT 2006
Jemscripts DownloadControl 1.0 has at least 2 separate issues in the
dcid parameter to dc.php, neither of which looks like SQL injection.
Ref: BUGTRAQ:20060519 Jemscripts Download Control v1.0
http://www.securityfocus.com/archive/1/archive/1/434533/100/0/threaded
Claimed SQL injection, but the error message makes you go 'hmmm':
Warning: file(datinfo36/\'\'/module_data.dat): failed to open
stream: No such file or directory in
/homepages/examplesite/downloadcontrol/functions.php on line 130
Now in my functions.php, *around* line 130 (but not exactly), we have:
function get_module_data() {
    global $module_data;
    global $dcid;   // set from $_GET['dcid'] in dc.php, no validation
    $module_data=file("datafiles/".$dcid."/module_data.dat");
    $module_array_size=sizeof($module_data);
    for ($i=0; $i<$module_array_size; $i++) {
        $module_data[$i]=trim($module_data[$i]);
    }
}
and in dc.php, we have:
$dcid=$_GET['dcid'];
...
get_module_data();
So, the so-called "SQL injection" is, at best, an inability to handle
an invalid "dcid" parameter, and possibly directory traversal.
If we go a little further down dc.php, we see at least one vector for
XSS:
$fields.="<input type='hidden' name='dcid' value='$dcid'>";
This might be the vector that SECUNIA:20212 is reporting as XSS,
although "grep" suggests there might be other possibilities. I
haven't investigated.
- Steve
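As an added example (not part of Steve's post and not the Jemscripts product's own code), here is how the two spots he points at, the path built from $dcid in get_module_data() and the hidden field in dc.php, could be hardened. It assumes that each download entry lives under datafiles/<dcid>/module_data.dat and that a legitimate dcid is a short alphanumeric token; both are assumptions, since the post does not say what a valid dcid looks like. The function and constant names (validate_dcid, get_module_data_safe, hidden_dcid_field, DATAFILES_DIR) are made up for this example.

```php
<?php
// Added example, not the Jemscripts code. Assumes entries live in
// datafiles/<dcid>/module_data.dat and that a valid dcid is a plain token
// of letters, digits and underscores (assumption; real format unknown).

define('DATAFILES_DIR', __DIR__ . DIRECTORY_SEPARATOR . 'datafiles');

// Return the dcid only if it matches the expected token shape, else null.
// The whitelist rejects "..", "/", "\", quotes and anything else that could
// change the meaning of the path or of the HTML attribute.
function validate_dcid($raw) {
    if (!is_string($raw)) {
        return null;
    }
    if (!preg_match('/^[A-Za-z0-9_]{1,32}$/', $raw)) {
        return null;
    }
    return $raw;
}

// Read module_data.dat for an already validated dcid. Returns an array of
// trimmed lines, or null when the entry does not exist. Unlike the original
// file() call, a missing entry produces no PHP warning that leaks the path.
function get_module_data_safe($dcid) {
    $path = DATAFILES_DIR . DIRECTORY_SEPARATOR . $dcid
          . DIRECTORY_SEPARATOR . 'module_data.dat';

    // Defence in depth: after symlinks are resolved the file must still sit
    // below DATAFILES_DIR, so even a future loosening of the whitelist cannot
    // turn this into a traversal.
    $real = realpath($path);
    $base = realpath(DATAFILES_DIR);
    if ($real === false || $base === false
        || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }

    $lines = file($real, FILE_IGNORE_NEW_LINES);
    if ($lines === false) {
        return null;
    }
    return array_map('trim', $lines);
}

// Emit the hidden field with the value escaped for an HTML attribute, so a
// quote or angle bracket in $dcid cannot break out of value='...'.
function hidden_dcid_field($dcid) {
    return "<input type='hidden' name='dcid' value='"
         . htmlspecialchars($dcid, ENT_QUOTES, 'UTF-8') . "'>";
}

// Usage mirroring the flow of dc.php: validate first, fail closed on bad
// input, then read the entry and build the form field.
$dcid = validate_dcid($_GET['dcid'] ?? '');
if ($dcid === null) {
    http_response_code(400);
    echo 'Invalid dcid';
    exit;
}

$module_data = get_module_data_safe($dcid);
if ($module_data === null) {
    http_response_code(404);
    echo 'Unknown download';
    exit;
}

$fields = hidden_dcid_field($dcid);
```

The whitelist alone closes both the traversal and the XSS vector, because neither "../" nor a quote survives the regex; the realpath check and htmlspecialchars() are there so that each sink stays safe on its own if the validation is ever relaxed.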