flatCore / flatCore-CMS

flatCore is a Web Content Management System (CMS) based on PHP and MySQL/SQLite.
https://flatcore.org
GNU General Public License v3.0

Fixed SQL Injection on user.list.php #37

Closed harupu closed 7 years ago

harupu commented 7 years ago

Description

The search filter on http://[server name]/[base path]/acp/acp.php?tn=user&sub=list allows a user to inject a malicious SQL statement. Fixed by using bind param.

Reproduce

  1. Go to http://[server name]/[base path]/acp/acp.php?tn=user&sub=list
  2. Input test') or 1=1 union select (select tbl_name from sqlite_master limit 1),2,3,4,5,6,7,8-- into the Filter input field.
  3. Hit the return key.
  4. You can see a user with ID fc_user, as in the screenshot. fc_user is the result of select tbl_name from sqlite_master limit 1.
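Added example (my code, not flatCore's): the injectable string-splice beside the bound-parameter fix the PR describes, run against an in-memory SQLite database with PDO. The table name, columns and query text are assumptions constructed for the demo, not flatCore's schema; the filter value is the report's payload with the column count reduced from 8 to 3 to match this demo query.

```php
<?php
// Added example, not flatCore's code. Schema below is constructed for the demo.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE fc_user (id INTEGER PRIMARY KEY, username TEXT, email TEXT)');
$db->exec("INSERT INTO fc_user (username, email)
           VALUES ('alice', 'alice@example.org'), ('bob', 'bob@example.org')");

// Vulnerable pattern: the filter string is spliced straight into the SQL text,
// so quotes and keywords in the input become part of the statement.
function listUsersUnsafe(PDO $db, string $filter): array
{
    $sql = "SELECT id, username, email FROM fc_user WHERE (username LIKE '%$filter%')";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Fixed pattern (what "using bind param" means): the SQL text is fixed at
// prepare time and the filter travels as a bound value, so SQLite never
// parses it as SQL. Only the LIKE wildcards % and _ still have meaning.
function listUsersSafe(PDO $db, string $filter): array
{
    $stmt = $db->prepare('SELECT id, username, email FROM fc_user WHERE (username LIKE :pattern)');
    $stmt->bindValue(':pattern', '%' . $filter . '%', PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// The report's filter value, trimmed to three columns for this demo query.
$payload = "test') or 1=1 union select (select tbl_name from sqlite_master limit 1),2,3--";

// Unsafe: returns every row plus a row whose first column reads "fc_user",
// the same symptom the report shows.
print_r(listUsersUnsafe($db, $payload));

// Safe: returns an empty array, since no username contains the literal payload text.
print_r(listUsersSafe($db, $payload));
```

The hardened version is the right shape for user.list.php; if a later filter also has to match `%` or `_` literally, add an `ESCAPE` clause to the LIKE rather than returning to string concatenation.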
patkon commented 7 years ago

Thank you!