Bug: Sort users, little bug users.php?s=xxx
Status: Fixed
Severity: Normal
Reporter: MecTruy 08-10-12 16:55
Updated by: Antony 03-12-12 04:56
Version: 172
Frequency: Always
Fixed in: 173
Details:

Click this:  http://xx.com/users.php?s=users 

Normal URL: http://xx.com/users.php?m= but if I change it to .php?s= I can search MySQL tables. I'm thinking this bug can be dangerous in the future, because I didn't try a lot. It's for blind injection.

For example, I can list with sed_users tables:

http://xx.com/users.php?s=name

http://xx.com/users.php?s=id

http://xx.com/users.php?s=password


2012-10-08 15:37 / Fatal error: SQL error: Unknown column 'user_users' in 'order clause'

If I try http://xx.com/users.php?s=users like this, it can't find it because there isn't a user_users MySQL table.

Affected parts: users.inc.php

History and comments:

08-10-12 17:09   Amro

PM sent to reporter:
Submission validated -> Thanks for your help !

08-10-12 17:09   Amro


There are two possible solutions:
1. Hardcode all of the columns to sort:
$user_sort = array('name', 'regdate', 'maingrp' /* and so on */);
if (empty($s) || !(in_array(mb_strtolower($s), $user_sort))) { $s = 'name'; }
2. Exclude the ability to sort by columns important for safety:
I think it is enough to simply forbid sorting by important fields in users.inc.php, replacing:
if (empty($s) || mb_strtolower($s)=='password') { $s = 'name'; }
with:
$forbid_sort = array('password','salt','secret','passtype','sid','lostpass');
if (empty($s) || in_array(mb_strtolower($s), $forbid_sort)) { $s = 'name'; }
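
How the two options above treat the values from the report, as an added example (not the project's code and not part of the comment above). The `user_` prefix is inferred from the `user_users` error in the report; the mapped column names and the function names are assumptions.

```php
<?php
// Added example. Column names and helper names are assumptions; only
// 'name', 'regdate', 'maingrp' and the forbidden list come from the page.

// Option 1 (allowlist): request value => real column. Nothing outside this
// map can ever reach the ORDER BY clause.
const USER_SORT_ALLOW = array(
    'name'    => 'user_name',
    'regdate' => 'user_regdate',
    'maingrp' => 'user_maingrp',
);

// Option 2 (denylist), as proposed in the comment.
const USER_SORT_FORBID = array('password', 'salt', 'secret', 'passtype', 'sid', 'lostpass');

function sort_column_allowlist($s)
{
    // Non-string input (e.g. ?s[]=x) and unknown keys fall back to the default.
    $key = is_string($s) ? mb_strtolower($s) : '';
    return isset(USER_SORT_ALLOW[$key]) ? USER_SORT_ALLOW[$key] : USER_SORT_ALLOW['name'];
}

function sort_column_denylist($s)
{
    if (!is_string($s) || $s === '' || in_array(mb_strtolower($s), USER_SORT_FORBID, true)) {
        $s = 'name';
    }
    // The raw value is concatenated into the column name, which is how
    // ?s=users produced "Unknown column 'user_users'" in the report.
    return 'user_' . $s;
}

// Constructed request values: a valid sort, the reporter's probes, junk, an array.
$samples = array('regdate', 'PASSWORD', 'users', 'no-such-col', array('x'));

foreach ($samples as $s) {
    printf(
        "%-12s allowlist: ORDER BY %-13s denylist: ORDER BY %s\n",
        is_array($s) ? '(array)' : $s,
        sort_column_allowlist($s),
        sort_column_denylist($s)
    );
}
```

With the denylist, `users` and `no-such-col` still reach the query unchanged and any sensitive column added to the table later is sortable until someone remembers to list it; the allowlist resolves every unknown value to `user_name`.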