[VIM] Confirm: SimpleNews <= 1.0.0 FINAL SQL Injection Exploit
George A. Theall
theall at tenablesecurity.com
Thu May 10 14:55:46 UTC 2007
In case anyone is interested... Silentz didn't mention anything about
the vendor in his advisory (milw0rm 3886), but it comes from here:
http://chaoscontrol.org/scripts/SimpleNews/1.0.0/
The flaw is valid -- 'print.php' has this code:
$news_id = $_GET['news_id'];
$query = "SELECT * FROM simplenews_articles WHERE news_id = '$news_id'";
$result = mysql_query($query) or die(mysql_error());
so as long as magic_quotes_gpc is disabled, as Silentz states, the
exploit should work.
SecurityFocus has a BID for this (23904) but mistakenly claims the
affected software is "SNS (Simple News System)",
http://sourceforge.net/projects/phpsns, even though (1) the version
numbers in the advisory and released by SNS don't match and (2) the
affected script doesn't exist in SNS.
George
--
theall at tenablesecurity.com
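For comparison, a hardened version of that `print.php` lookup, added here as an illustration and not code from SimpleNews or its vendor: it validates `news_id` as a positive integer and binds it through a PDO prepared statement instead of relying on magic_quotes_gpc, and it logs database errors rather than echoing them to the client. The DSN, credentials and the `render_article()` call are placeholders.

```php
<?php
// Added example (not from SimpleNews): hardened replacement for the
// print.php lookup quoted above. It does not depend on magic_quotes_gpc.

// Reject anything that is not a plain positive integer before it gets
// anywhere near the query. filter_input() returns null when the
// parameter is absent and false when it fails validation.
$news_id = filter_input(INPUT_GET, 'news_id', FILTER_VALIDATE_INT,
                        ['options' => ['min_range' => 1]]);
if ($news_id === null || $news_id === false) {
    http_response_code(400);
    exit('invalid news_id');
}

try {
    // Placeholder DSN and credentials: adjust for the real deployment.
    $pdo = new PDO('mysql:host=localhost;dbname=simplenews;charset=utf8mb4',
                   'DB_USER_PLACEHOLDER', 'DB_PASS_PLACEHOLDER', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // server-side prepares
    ]);

    // The value is bound as a typed parameter, so whatever quotes or
    // comment markers it contains can never change the SQL structure.
    $stmt = $pdo->prepare(
        'SELECT * FROM simplenews_articles WHERE news_id = :id');
    $stmt->bindValue(':id', $news_id, PDO::PARAM_INT);
    $stmt->execute();
    $article = $stmt->fetch(PDO::FETCH_ASSOC);
} catch (PDOException $e) {
    // Unlike "or die(mysql_error())", keep driver error text out of the
    // response; it belongs in the server log.
    error_log('print.php database error: ' . $e->getMessage());
    http_response_code(500);
    exit('internal error');
}

if ($article === false) {
    http_response_code(404);
    exit('no such article');
}

// Placeholder for the page's own output code; apply htmlspecialchars()
// to every field before it reaches the HTML.
render_article($article);
```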