[VIM] Source code VERIFY of Wordcircle SQL injection
Steven M. Christey
coley at mitre.org
Mon Jan 16 13:34:20 EST 2006
Re: CVE-2006-0205
Re: http://evuln.com/vulns/27/summary.html
Re: http://evuln.com/vulns/28/summary.html
I verified the above SQL injection issue by source inspection.
In Wordcircle 2.17, the login() method of the "user" class in
s_user.php is this:
> function login(){
>
> $security_code = md5(uniqid(rand(), true));
> $result = $GLOBALS['db']->execQuery("select user_id,first_name,last_name,email from users where email = '" . strtolower(trim(urldecode($_POST['email']))) . "' and pword = '" . strtolower(trim(urldecode($_POST['password']))) . "'");
> if(mysql_num_rows($result) > 0){
In v_login we have this:
> $url = $GLOBALS['user']->login();
and in index.php we have:
>elseif ($_GET['a'] == 'login'){
>
> include("v_login.php");
>
>}
- Steve
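
Added illustration, not part of the original message and not Wordcircle code: the query construction quoted above beside a parameterized form. It assumes PHP with the pdo_sqlite extension and uses an in-memory SQLite database in place of the original MySQL connection; the table contents and the function names normalise, login_concat and login_bound are constructed for the example.

```php
<?php
// Added example, not Wordcircle code. PDO with in-memory SQLite (assumption)
// stands in for the mysql_* calls and $GLOBALS['db'] wrapper in the original.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (user_id INTEGER PRIMARY KEY, first_name TEXT,
           last_name TEXT, email TEXT, pword TEXT)");

// Constructed sample row; the apostrophe in the address is legitimate data.
$db->prepare("INSERT INTO users (first_name, last_name, email, pword)
              VALUES (?, ?, ?, ?)")
   ->execute(['Pat', "O'Neil", "pat.o'neil@example.com", 'constructed-sample']);

// Same normalisation the quoted login() applies to each POST field.
// None of these calls escapes SQL metacharacters.
function normalise(string $v): string {
    return strtolower(trim(urldecode($v)));
}

// Query built the way the quoted login() builds it: input becomes SQL text.
function login_concat(PDO $db, string $email, string $password) {
    $sql = "select user_id,first_name,last_name,email from users where email = '"
         . normalise($email) . "' and pword = '" . normalise($password) . "'";
    try {
        return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
    } catch (PDOException $e) {
        // The quote in the input ended the string literal early.
        return 'SQL error: ' . $e->getMessage();
    }
}

// Hardened form: fixed statement text, values bound as parameters.
function login_bound(PDO $db, string $email, string $password): array {
    $stmt = $db->prepare("select user_id,first_name,last_name,email from users
                          where email = :email and pword = :pword");
    $stmt->execute([':email' => normalise($email),
                    ':pword' => normalise($password)]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$email = "pat.o'neil@example.com";   // constructed input
$pass  = 'constructed-sample';       // constructed input
var_dump(login_concat($db, $email, $pass));
var_dump(login_bound($db, $email, $pass));
```

The concatenated version fails on an ordinary address containing a quote because the input is parsed as part of the statement; the bound version treats the same input purely as a value.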