[VIM] Jemscripts DownloadControl 1.0 - at least 2 separate issues

Steven M. Christey coley at mitre.org
Tue May 23 11:42:22 EDT 2006


Jemscripts DownloadControl 1.0 has at least 2 separate issues in the
dcid parameter to dc.php, neither of which looks like SQL injection.

Ref: BUGTRAQ:20060519 Jemscripts Download Control v1.0
     http://www.securityfocus.com/archive/1/archive/1/434533/100/0/threaded

Claimed SQL injection, but the error message makes you go 'hmmm':

  Warning: file(datinfo36/\'\'/module_data.dat): failed to open
  stream: No such file or directory in
  /homepages/examplesite/downloadcontrol/functions.php on line 130

Now in my functions.php, *around* line 130 (but not exactly), we have:

  function get_module_data() {
    global $module_data;
    global $dcid;
    // $dcid arrives unvalidated from the query string (see dc.php below),
    // so anything in it, including "../" sequences or quote characters,
    // is spliced straight into the path handed to file()
    $module_data=file("datafiles/".$dcid."/module_data.dat");
    // if file() fails it returns false, and sizeof()/trim() on that
    // produce the PHP warnings seen in the report
    $module_array_size=sizeof($module_data);
    for ($i=0; $i<$module_array_size; $i++) {
      $module_data[$i]=trim($module_data[$i]);
    }
  }

and in dc.php, we have:

  $dcid=$_GET['dcid'];   // raw GET parameter, no validation or sanitising

  ...

  get_module_data();

So, the so-called "SQL injection" is, at best, an inability to handle
an invalid "dcid" parameter, and possibly directory traversal.

If we go a little further down dc.php, we see at least one vector for
XSS:

  $fields.="<input type='hidden' name='dcid' value='$dcid'>";


This might be the vector that SECUNIA:20212 is reporting as XSS,
although "grep" suggests there might be other possibilities.  I
haven't investigated.


- Steve
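A hardened form of the two snippets quoted above (the file() call in get_module_data() and the hidden field in dc.php), written as an added example that is not part of the original post or of the Jemscripts code. It assumes that dcid values are short numeric ids and that module data lives under datafiles/<dcid>/module_data.dat as in the quoted code; the function and constant names are the example's own.

```php
<?php
// Added example, not from the original post or from Jemscripts: a hardened
// form of the get_module_data() / hidden-field pattern quoted above.
// Assumptions: dcid is expected to be a short numeric id, and module data
// lives under "datafiles/<dcid>/module_data.dat" as in the quoted code.
const DATAFILES_DIR = __DIR__ . '/datafiles';

// Allowlist check: anything but a plain numeric id is rejected before it
// reaches the filesystem, ruling out "../" and the quotes seen in the warning.
function validate_dcid(string $raw): ?string {
    return preg_match('/^[0-9]{1,10}$/', $raw) === 1 ? $raw : null;
}

// Defence in depth: resolve the path and confirm it stays inside
// DATAFILES_DIR. realpath() collapses "." / ".." and symlinks, so an
// escape is caught even if the allowlist were later loosened.
function module_data_path(string $dcid): ?string {
    $base = realpath(DATAFILES_DIR);
    $path = realpath(DATAFILES_DIR . '/' . $dcid . '/module_data.dat');
    if ($base === false || $path === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

// Hardened get_module_data(): returns trimmed lines, or an empty array on
// any invalid input, instead of a PHP warning that leaks the install path.
function get_module_data(string $raw_dcid): array {
    $dcid = validate_dcid($raw_dcid);
    $path = $dcid === null ? null : module_data_path($dcid);
    if ($path === null) {
        return [];
    }
    $lines = file($path, FILE_IGNORE_NEW_LINES);
    return $lines === false ? [] : array_map('trim', $lines);
}

// Hardened hidden field: escape before echoing into an attribute so a dcid
// containing quotes or tags cannot break out of value='...'.
function hidden_dcid_field(string $dcid): string {
    return "<input type='hidden' name='dcid' value='"
        . htmlspecialchars($dcid, ENT_QUOTES | ENT_HTML5, 'UTF-8') . "'>";
}

// dc.php usage (assumed): validate once, then reuse the clean value.
$dcid = is_string($_GET['dcid'] ?? null) ? validate_dcid($_GET['dcid']) : null;
$module_data = $dcid === null ? [] : get_module_data($dcid);
$fields = $dcid === null ? '' : hidden_dcid_field($dcid);
```

With this in place an invalid dcid yields an empty module list and no hidden field rather than a warning that discloses the installation path.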