Open qmss opened 2 years ago
Thank you for your reporting. By the way we don't develop slims8akasia project anymore. Now, we already moved to Slims 9 with code name Bulian. Please visit our new project in here https://github.com/slims/slims9_bulian/releases
Okay, I already understand. Still hope to fix the vulnerabilities in this version.
Hello, I found some serious bugs in Slims8 Akasia 8.3.1 (latest version). First of all, there is a SQL injection bug. This injection exists in multiple files, and every file where the search keyword `$_GET['dir']` is located has SQL injection. URL: http://localhost/admin/modules/bibliography/index.php?itemID=17&detail=true&ajaxload=1&datatablefld=ISBN%2FISSN&dir=asc
```php
// change the record sorting if there fld var in URL
$_fld_sort = $this->table_ID.'fld';
$_dir = 'ASC';
$_next_dir = 'DESC';
$_sort_dir_info = __('ascendingly');
if (isset($_GET[$_fld_sort]) AND !empty($_GET[$_fld_sort])) {
    $this->sql_order = 'ORDER BY '.urldecode($_GET[$_fld_sort]).'';
    // record order direction
    if (isset($_GET['dir']) AND ($_dir = trim($_GET['dir']))) {
        if ($_dir == 'DESC') {
            $_next_dir = 'ASC';
        } else {
            $_next_dir = 'DESC';
            $_sort_dir_info = __('descendingly');
        }
        // append sort direction
        $this->sql_order .= $_dir;
    }
}
```
You have escaped the dir string. But in fact it just appends a backslash `\` before `'`, `"` or `.` (reference: PHP `mysql_real_escape_string`). Therefore, if my GET variable `dir` does not contain these characters, SQL injection will be triggered.

SQL injection demonstration: `dir=-test()` // When the data table `test` does not exist, the database name is returned: `slims.test`

SQL injection demonstration: `dir=-user()` // When the data table `user` exists, it returns the normal page.
Example: http://localhost/admin/modules/bibliography/index.php?itemID=17&detail=true&ajaxload=1&datatablefld=ISBN%2FISSN&dir=-a()
List some pages with SQL injection:
- http://localhost/admin/modules/bibliography/index.php?itemID=17&detail=true&ajaxload=1&datatablefld=ISBN%2FISSN&dir=-test()
- http://localhost/admin/modules/membership/member_type.php?ajaxload=1&datatablefld=Loan+Limit&dir=DESC
- http://localhost/admin/modules/system/user_group.php?keywords=&datatablefld=Group+Name&dir=DESC
- http://localhost/admin/modules/membership/index.php?datatablefld=Member+ID&dir=DESC
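A hardened replacement for the quoted sort-handling block, added here as an example and not the SLiMS project's own code. The function name `buildOrderBy` and the label-to-column map are assumptions; the point is that escaping cannot protect a value spliced unquoted into `ORDER BY`, so both the field and the direction must come from an allowlist.

```php
<?php
// Added example (not SLiMS code): build ORDER BY only from allowlisted values.
// mysql_real_escape_string() only escapes quote-like characters, which is
// irrelevant when the value is placed unquoted after ORDER BY, so the report's
// `dir=-test()` payload survives escaping untouched. An allowlist closes that.

/**
 * @param array    $get           request parameters, normally $_GET (already URL-decoded by PHP)
 * @param string   $fldParam      name of the sort-field parameter, e.g. "datatablefld"
 * @param string[] $allowedFields user-facing label => real column name (hypothetical map)
 * @return string  empty string when no valid sort was requested
 */
function buildOrderBy(array $get, string $fldParam, array $allowedFields): string
{
    if (!isset($get[$fldParam]) || $get[$fldParam] === '') {
        return '';
    }
    $label = trim((string) $get[$fldParam]);
    // Reject any field label that is not one we explicitly map to a column.
    if (!array_key_exists($label, $allowedFields)) {
        return '';
    }
    $column = $allowedFields[$label];

    // Direction is one of two fixed literals; the raw request value is never used.
    $dir = 'ASC';
    if (isset($get['dir']) && strtoupper(trim((string) $get['dir'])) === 'DESC') {
        $dir = 'DESC';
    }
    return 'ORDER BY `' . $column . '` ' . $dir;
}

// Constructed inputs mirroring the URLs in the report.
$allowed = ['ISBN/ISSN' => 'isbn_issn', 'Loan Limit' => 'loan_limit'];
var_dump(buildOrderBy(['datatablefld' => 'ISBN/ISSN', 'dir' => 'asc'], 'datatablefld', $allowed));
var_dump(buildOrderBy(['datatablefld' => 'ISBN/ISSN', 'dir' => '-test()'], 'datatablefld', $allowed));
var_dump(buildOrderBy(['datatablefld' => '-test()', 'dir' => 'DESC'], 'datatablefld', $allowed));
```

The second call falls back to `ASC` and the third returns an empty clause, so neither attacker-controlled value reaches the query text.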