mysql injection


humeniuc

Jul 20, 2007, 4:19:56 AM7/20/07
to Gelato CMS
The CMS suffers from invalid parameter validity checks: queries haven't got their params escaped.
Example: in user.class.php there is a method "validateUser".

In the query

"SELECT id_user, login, password FROM ".$this->conf->tablePrefix."users WHERE login='".$user."' AND password='".$password."'"

params aren't escaped, so an SQL injection attack can be performed.
After I installed a local copy, if I use for login (notice the
single quote and empty password)
username : ' OR 1 #
password : ""

the resulting query would be:
SELECT id_user, login, password FROM users WHERE login='' OR 1 # AND password=''
and I was logged in!!!

The correct query is

"SELECT id_user, login, password FROM ".$this->conf->tablePrefix."users WHERE login='".mysql_real_escape_string($user)."' AND password='".mysql_real_escape_string($password)."'"


version for testing: 0.85
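As an added example that is not part of the report or of Gelato's code, here is the same validateUser query rebuilt as a mysqli prepared statement, which keeps user input out of the SQL text entirely and does not depend on an escaping call or on PHP's magic_quotes_gpc setting. It assumes an open mysqli connection in $mysqli and a table prefix equivalent to $this->conf->tablePrefix.

```php
<?php
// Added example (not Gelato's own code): validateUser with bound parameters.
// Assumptions: $mysqli is an open mysqli connection; $tablePrefix mirrors
// $this->conf->tablePrefix from user.class.php.
function validateUserSafe(mysqli $mysqli, string $tablePrefix, string $user, string $password): ?array
{
    // The table name cannot be a bound parameter, so the prefix is restricted
    // to letters, digits and underscore before it is interpolated.
    if (!preg_match('/^[A-Za-z0-9_]*$/', $tablePrefix)) {
        throw new InvalidArgumentException('unexpected table prefix');
    }

    // login and password travel as placeholders, never as SQL text, so an
    // input like  ' OR 1 #  is compared literally against the login column
    // instead of rewriting the WHERE clause.
    $sql = "SELECT id_user, login, password FROM {$tablePrefix}users "
         . "WHERE login = ? AND password = ?";
    $stmt = $mysqli->prepare($sql);
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $mysqli->error);
    }
    $stmt->bind_param('ss', $user, $password);
    $stmt->execute();
    $stmt->bind_result($idUser, $login, $storedPassword);

    $row = null;
    if ($stmt->fetch()) {
        $row = ['id_user' => $idUser, 'login' => $login, 'password' => $storedPassword];
    }
    $stmt->close();
    return $row;   // null when no user matched the supplied credentials
}

// Same probe as in the report, now against the bound version:
// validateUserSafe($mysqli, 'gelato_', "' OR 1 #", '');
```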

pecesama

Jul 22, 2007, 10:26:49 PM7/22/07
to Gelato CMS
Thanks for the report, now we have improved the security for the next
version. BTW this security issue is valid only on PHP with
magic_quotes_gpc deactivated.