[VIM] Fwd: SQL injection (x2) in NukeSentinel

GM darkfig gmdarkfig at gmail.com
Sat Mar 31 12:55:25 UTC 2007


NukeSentinel 2.5.05:
Code: if(!ereg("([0-9]{1,3})\\.([0-9]{1,3})\\.([0-9]{1,3})\\.([0-9]{1,3})",
$nsnst_const['remote_ip'])) {$nsnst_const['remote_ip'] = "none"; }
Results: File Disclosure (with a nice sql injection) + SQL Injection
(includes/nsbypass.php)

NukeSentinel 2.5.06 (they added ^ but they forgot to add $):
Code: if(!ereg("^([0-9]{1,3})\\.([0-9]{1,3})\\.([0-9]{1,3})\\.([0-9]{1,3})",
$nsnst_const['remote_ip'])) {$nsnst_const['remote_ip'] = "none"; }
Results: SQL Injection (includes/nukesentinel.php / includes/nsbypass.php)

NukeSentinel 2.5.07 (includes/nukesentinel.php corrected):
Code:
if(!ereg("^([0-9]{1,3})\\.([0-9]{1,3})\\.([0-9]{1,3})\\.([0-9]{1,3})$",
$nsnst_const['remote_ip'])) { $nsnst_const['remote_ip'] = "none"; }

There is always the SQL Injection in includes/nsbypass.php.
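
The anchoring difference between the three checks quoted above, as an added example that is not part of the original post or of NukeSentinel's code. The patterns are ported from PHP's ereg() to Python's re module; filtered_ip, strict_ip and the sample values are constructed for illustration.

```python
import ipaddress
import re

# The three checks quoted in the post, ported from ereg() to Python's re.
# re.search, like ereg, matches anywhere in the string unless anchored.
# \Z is used as the end anchor so that it means "end of string" only
# (Python's $ would also match just before a final newline).
OCTETS = r"([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})"
CHECKS = {
    "2.5.05": re.compile(OCTETS),                # no anchors
    "2.5.06": re.compile("^" + OCTETS),          # start anchor only
    "2.5.07": re.compile("^" + OCTETS + r"\Z"),  # both anchors
}


def filtered_ip(version, remote_ip):
    """Return what $nsnst_const['remote_ip'] would hold after the check."""
    return remote_ip if CHECKS[version].search(remote_ip) else "none"


def strict_ip(remote_ip):
    """Assumed hardening: parse the value and return its canonical form."""
    try:
        return str(ipaddress.IPv4Address(remote_ip))
    except ValueError:
        return "none"


# Constructed sample values; EXTRA stands for any client-supplied text.
SAMPLES = ["10.0.0.1", "EXTRA 10.0.0.1", "10.0.0.1 EXTRA", "999.999.999.999"]


def survivors(version):
    """Sample values that pass the given version's check unchanged."""
    return [s for s in SAMPLES if filtered_ip(version, s) != "none"]


if __name__ == "__main__":
    for version in CHECKS:
        print(version, survivors(version))
    print("strict", [s for s in SAMPLES if strict_ip(s) != "none"])
```

Even the fully anchored 2.5.07 pattern accepts out-of-range octets such as 999.999.999.999, which is why the assumed strict_ip helper parses the value instead of pattern-matching it.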