SoftwareSecurity2014/Group 10/Code Scanning/Exploitable
Exploitable modules: SQL Injections
One exploitable case is listed per module; most other findings in the same module depend on the same variable or work in a similar way. The most interesting vulnerabilities are probably in the following classes: comments, filter, picture_comment_inc, picture_modify and uploadify, since these appear to contain publicly facing parameters. (Erik: Fine to give one exploitable case per module, and go through all the modules as you do below. Note that from the perspective of an ASVS security verification, one might already stop after having found a few exploitable issues, and tick it off as a fail for this ASVS requirement.)
- album_notification line 84 (and 1 more)
  Post parameter 'group' is directly passed into the SQL query. The only check is whether it is not empty. There is 1 more related issue in album_notification.
- batch_manager line 65 (and 5 more)
  Post parameter 'filter_category' is directly passed into the SQL query. The only check is whether it is not empty. There are 6 more related issues in batch_manager.
- batch_manager_global line 61 (and 10 more)
  Post parameter 'filter_category' is directly passed into the SQL query. The only check is whether it is not empty. There are 10 more related issues in batch_manager.
- cat_modify line 155
  Post parameter 'parent' is directly passed into the SQL query. The only check is whether it is not empty.
- cat_move line 50 (and 1 more)
  Post parameter 'selection' is directly passed into the SQL query. The only check is whether it is an array.
- cat_options line 55 (and 7 more)
  Post parameter 'cat_true' is directly passed into the SQL query. The only check is whether it is an array.
- comments line 109 (and 6 more)
  Get parameter 'cat_true' is directly passed into the SQL query. The only check is whether it is an array.
- element_set_ranks line 109 (and 6 more)
  Post parameter 'image_order' is directly passed into the SQL query. The only check is whether it is not empty.
- filter.inc line 37
  Get parameter 'filter' is directly passed into the SQL query. The only check is whether it is not empty.
- functions_cookie_inc line 131
  A cookie parameter is used unchecked in the query.
- group_list line 69 (and 9 more)
  Post parameter 'groupname' is directly passed into the SQL query. The only check is whether it is not empty.
- group_perm line 59 (and 1 more)
  Post parameter 'cat_true' is directly passed into the SQL query. The only check is whether it is an array.
- permalinks line 88 (and 3 more)
  Post parameter 'permalink' is directly passed into the SQL query. The only check is whether it is not empty.
- photos_add_direct_process_inc line 44
  Post parameter 'category_id' is directly passed into the SQL query. The only check is whether it is not empty.
- picture_comment_inc line 49 (and 3 more)
  Post parameter 'author' is directly passed into the SQL query. The only check is whether it is not empty.
- picture_modify line 178
  Post parameter 'associate' is directly passed into the SQL query. The only check is whether it is not empty.
- profile line 26
  Get parameter 'user_id' is directly passed into the SQL query. The only check is whether it is not empty.
- tags line 54 (and 10 more)
  Post parameter 'edit_list' is directly passed into the SQL query. This class does specify admin-only access.
- themes_installed
  Get parameter 'theme' is directly passed into the SQL query. The only check is whether it is not empty.
- uploadify line 68
  Post parameter 'category_id' is directly passed into the SQL query.
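The findings above share one shape: a request parameter reaches the SQL text after nothing more than an is_array or not-empty check. As an added illustration (not code from the scanned project), the Python/sqlite3 snippet below mirrors that shape for an array of category ids such as 'cat_true' and sets it beside a version that validates each element as a positive integer and binds it as a query parameter; the table name, columns and sample rows are assumptions.

```python
import sqlite3

def make_db():
    """Constructed in-memory table standing in for a gallery's category table (assumption)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE categories (id INTEGER PRIMARY KEY, name TEXT, status TEXT)")
    conn.executemany("INSERT INTO categories VALUES (?, ?, ?)",
                     [(1, "holiday", "private"), (2, "family", "private"), (3, "news", "public")])
    return conn

def unsafe_publish_sql(cat_true):
    """The flagged pattern: is_array() is the only check, then the elements are
    joined straight into the SQL text, so their content is never constrained."""
    if not isinstance(cat_true, list):
        raise ValueError("cat_true must be an array")
    return ("UPDATE categories SET status = 'public' WHERE id IN ("
            + ", ".join(str(v) for v in cat_true) + ")")

def validate_ids(values):
    """Accept only a non-empty array of positive integer ids (form fields arrive
    as strings, so digit-only strings are accepted and converted)."""
    if not isinstance(values, list) or not values:
        raise ValueError("expected a non-empty array")
    ids = []
    for v in values:
        if isinstance(v, bool) or not (isinstance(v, int) or (isinstance(v, str) and v.isdigit())):
            raise ValueError(f"rejected non-integer id: {v!r}")
        n = int(v)
        if n <= 0:
            raise ValueError(f"rejected non-positive id: {n}")
        ids.append(n)
    return ids

def safe_publish(conn, cat_true):
    """Hardened form: validated ids, one placeholder per id, values bound by the driver."""
    ids = validate_ids(cat_true)
    placeholders = ", ".join("?" for _ in ids)
    cur = conn.execute(
        f"UPDATE categories SET status = 'public' WHERE id IN ({placeholders})", ids)
    conn.commit()
    return cur.rowcount

def public_count(conn):
    return conn.execute("SELECT COUNT(*) FROM categories WHERE status = 'public'").fetchone()[0]

if __name__ == "__main__":
    # A non-numeric element passes the is_array check and lands in the SQL text unchanged...
    print(unsafe_publish_sql(["1", "not-an-id"]))
    # ...while the hardened path refuses it before any SQL is built.
    db = make_db()
    print(safe_publish(db, ["1", "2"]), public_count(db))
```

The same validate-then-bind split applies to the single-value findings (a not-empty check on 'parent', 'user_id' or 'category_id' says nothing about the value's type or content).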