[VIM] Confirm: SimpleNews <= 1.0.0 FINAL SQL Injection Exploit

George A. Theall theall at tenablesecurity.com
Thu May 10 14:55:46 UTC 2007


In case anyone is interested... Silentz didn't mention anything about 
the vendor in his advisory (milw0rm 3886), but it comes from here:

   http://chaoscontrol.org/scripts/SimpleNews/1.0.0/

The flaw is valid -- 'print.php' has this code:

         $news_id = $_GET['news_id'];

         $query = "SELECT * FROM simplenews_articles WHERE news_id = '$news_id'";
         $result = mysql_query($query) or die(mysql_error());

so as long as magic_quotes_gpc is disabled, as Silentz states, the 
exploit should work.

SecurityFocus has a BID for this (23904) but mistakenly claims the 
affected software is "SNS (Simple News System)", 
http://sourceforge.net/projects/phpsns, even though (1) the version 
numbers in the advisory and released by SNS don't match and (2) the 
affected script doesn't exist in SNS.

George
-- 
theall at tenablesecurity.com
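For comparison, a hardened form of the print.php lookup quoted above, added here as an example (it is neither SimpleNews code nor part of George's post). It assumes the mysqli extension, placeholder connection credentials, and a database name that is an assumption; only the table and column names come from the quoted code.

```php
<?php
// Added example, not from the SimpleNews code base or the mailing-list post.
// Replaces the string-interpolated query in print.php with input validation
// plus a prepared statement, so correctness no longer depends on the
// magic_quotes_gpc setting. Connection details below are placeholders.

function fetch_article(mysqli $db, $raw_news_id): ?array
{
    // Fail closed: only a plain string of decimal digits is accepted, so
    // payloads such as 1' OR '1'='1 are rejected before any SQL is built.
    if (!is_string($raw_news_id) || !ctype_digit($raw_news_id)) {
        return null;
    }
    $news_id = (int) $raw_news_id;

    // Prepared statement: the SQL text is fixed and the value is bound as an
    // integer, so quote characters in the input cannot alter the statement.
    $stmt = $db->prepare(
        'SELECT * FROM simplenews_articles WHERE news_id = ?'
    );
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('i', $news_id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();

    return $row ?: null;
}

// Usage with placeholder credentials; the database name is an assumption.
$db = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'simplenews');
$db->set_charset('utf8mb4');

$article = fetch_article($db, $_GET['news_id'] ?? '');
if ($article === null) {
    http_response_code(404);
    exit('Article not found');
}
// Only news_id is known from the quoted code; other columns are not shown
// on the page, so nothing else is echoed here. Output is HTML-escaped.
echo 'Article #' . htmlspecialchars((string) $article['news_id'], ENT_QUOTES, 'UTF-8');
```

Validation and binding are independent defences: the ctype_digit check rejects malformed input early, while the prepared statement protects the query even if a future code path skips that check.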
