[VIM] Source verify and clarification of old bookmark4u SQL injection

Steven M. Christey coley at mitre.org
Thu Feb 22 00:30:19 EST 2007


Ref: FULLDISC:20060420 Sql Injection in BookMark4u
URL: http://marc.theaimsgroup.com/?l=full-disclosure&m=114555163911635&w=2

1) This is abandonware.  Last version was in 2003 and site says "This
   Project will NOT be updated ANY MORE."  See:
   http://sourceforge.net/project/showfiles.php?group_id=29784

2) Some VDBs mention the "mode" parameter being affected, but this
   appears erroneous.  The only mentions of $mode in config.php are:

        $mode   = $HTTP_POST_VARS[mode];
        ...
        if ($mode == 'sqlexec') {

3) sqlcmd vector verified by source inspection:

   $sqlcmd = $HTTP_POST_VARS[sqlcmd];
   ...
   if ($mode == 'sqlexec') {
     if (get_magic_quotes_gpc()) {
       $sqlcmd = ereg_replace("\\\\", "", $sqlcmd);
     }
     $qry = ereg_replace("%NL%", "\n", $sqlcmd); # decode newline(\n) chars
     ...
     $qry_list = explode(";", $qry); # split multiple queries
     for ($i = 0; $i < sizeof($qry_list); $i++) {
       $qry_one = trim($qry_list[$i]);
       if (!$qry_one) continue;
       $adminMgr->executeMiscQuery($qry_one);

   You know the rest.  Bill H will no doubt love the "%NL%" touch.

   At first glance, this didn't seem to require authentication or
   authorization, but I didn't look too close.
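   Added example, not part of Steve's message or of the bookmark4u code: a
   Python re-implementation of the config.php decode chain quoted above (backslash
   stripping, "%NL%" decoding, splitting on ";"), plus a small detector that flags
   form-encoded POST bodies reaching the sqlexec branch. The request bodies are
   constructed samples.

```python
# Added example, not code from the original post or from bookmark4u: a Python
# re-implementation of the config.php decode chain quoted above, plus a small
# detector for POST bodies that exercise the "sqlexec" mode. The request
# bodies below are constructed samples.
from typing import List, Optional
from urllib.parse import parse_qs

def decode_sqlcmd(sqlcmd: str, magic_quotes_gpc: bool = True) -> List[str]:
    """Mirror what config.php does with $sqlcmd before executing it."""
    if magic_quotes_gpc:
        # ereg_replace("\\\\", "", $sqlcmd): every backslash is removed, so the
        # escaping added by magic_quotes is undone and quotes arrive intact.
        sqlcmd = sqlcmd.replace("\\", "")
    qry = sqlcmd.replace("%NL%", "\n")          # the "%NL%" newline decoding
    stmts = []
    for part in qry.split(";"):                 # explode(";", $qry)
        one = part.strip()
        if not one or one == "0":               # PHP: if (!$qry_one) continue;
            continue
        stmts.append(one)
    return stmts

def inspect_post(body: str) -> Optional[dict]:
    """Return a summary if a form-encoded POST body targets mode=sqlexec."""
    params = parse_qs(body, keep_blank_values=True)
    if params.get("mode", [""])[0] != "sqlexec":
        return None
    raw = params.get("sqlcmd", [""])[0]
    return {"statements": len(decode_sqlcmd(raw)), "uses_nl": "%NL%" in raw}

# Constructed sample bodies: an ordinary bookmark save and an sqlexec request.
SAMPLE_BODIES = [
    "mode=add&url=http%3A%2F%2Fexample.com&title=Example",
    "mode=sqlexec&sqlcmd=SELECT+1%25NL%25%3B+SELECT+2",
]

def scan(bodies: List[str]) -> List[dict]:
    """Flag every body that reaches the sqlexec branch, with statement count."""
    hits = []
    for i, body in enumerate(bodies):
        found = inspect_post(body)
        if found:
            hits.append(dict(index=i, **found))
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_BODIES):
        print(hit)
```

   The statement count shows why a single POST parameter is enough: one value
   becomes any number of queries handed one by one to executeMiscQuery().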

4) As might be expected for ancient PHP code, be careful when you look
   at the source, or you might step in some RFI.


- Steve

