[VIM] [fwd] [Full-disclosure] SmartSiteCMS v1.0 authentication bypass -- Source Verification/Correction + more vulns

Heinbockel, Bill heinbockel at mitre.org
Fri Sep 29 13:41:26 EDT 2006


>Also, any place SQL is used looks like it's prone to sql 
>injection. This
>particular one also has XSS (not a result of SQL errors)... (not sure
>the real risk from sql injection in against() as I haven't seen that
>before, but this is just an example of a few I saw):
> search.php
>     $searchString = $_POST['searchString'];
>     [snip]
>    <input type="text" class="adminInput" style="width: 250px"
>name="searchString" value="<? echo $searchString ?>">
>     [snip]
>     $result = mysql_query("select itemName, match(itemName, itemBody,
>itemDesc) against('$searchString') as relevance from item where
>match(itemName, itemBody, itemDesc) against('$searchString')",$db);
>

Just a brief comment on the MySQL "MATCH ... AGAINST" syntax.
This is used for text search against a MyISAM table with a FULLTEXT
index.
So, in the above query, the user is searching the itemName and
itemBody columns for the strings specified by $searchString.

In this case, SQL injection is possible since the attacker can escape
out of the AGAINST clause. Overall, AGAINST is similar to the GROUP BY
and ORDER BY SQL clauses: if an attacker can't escape out of them, they
are limited to only binary guesses, e.g., if this IF statement holds,
the data is sorted ASC, otherwise DESC.


William Heinbockel
Infosec Engineer
The MITRE Corporation
202 Burlington Rd. MS S145
Bedford, MA 01730
heinbockel at mitre.org
781-271-2615 
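Added example, not part of the original thread and not SmartSiteCMS code: the search.php query quoted above, rewritten so that $searchString is bound as a parameter of AGAINST() instead of being spliced into the SQL text, and HTML-escaped before it is reflected into the form field. Table and column names (item, itemName, itemBody, itemDesc) come from the quoted query; the mysqli connection details are placeholders, and the use of mysqli prepared statements (rather than the old mysql_query API in the quoted code) is an assumption about the target environment.

```php
<?php
// Added example (not SmartSiteCMS code): the search.php query from the
// thread with $searchString bound as a parameter. Connection values are
// placeholders; table/column names are those of the quoted query.

$db = new mysqli('localhost', 'DB_USER', 'DB_PASS', 'DB_NAME');
if ($db->connect_errno) {
    die('Database connection failed');
}

$searchString = isset($_POST['searchString']) ? (string) $_POST['searchString'] : '';

// Parameterised form of the quoted query. The two '?' markers are bound
// below, so a quote character in the input stays inside the AGAINST()
// string value and cannot terminate the literal or add SQL.
$sql = "SELECT itemName, MATCH(itemName, itemBody, itemDesc) AGAINST(?) AS relevance
        FROM item
        WHERE MATCH(itemName, itemBody, itemDesc) AGAINST(?)";

$stmt = $db->prepare($sql);
if ($stmt === false) {
    die('Query preparation failed');
}
$stmt->bind_param('ss', $searchString, $searchString);
$stmt->execute();
$stmt->bind_result($itemName, $relevance);

// The value reflected into the search box is escaped for an HTML attribute
// context; this is the XSS the thread notes is independent of SQL errors.
$safeValue = htmlspecialchars($searchString, ENT_QUOTES, 'UTF-8');
echo '<input type="text" class="adminInput" style="width: 250px" '
   . 'name="searchString" value="' . $safeValue . '">' . "\n";

// Rows coming back from the database are escaped before display as well.
while ($stmt->fetch()) {
    echo htmlspecialchars($itemName, ENT_QUOTES, 'UTF-8')
       . ' (' . (float) $relevance . ")<br>\n";
}

$stmt->close();
$db->close();
```

With the parameter bound, the only thing an attacker controls is the FULLTEXT search term itself, which puts the input in the position Bill describes for GROUP BY and ORDER BY: it can change which rows match, but it cannot leave the AGAINST clause.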
