SoftwareSecurity2014/Group 10/Code Scanning/Exploitable

From Werkplaats

Exploitable modules: SQL Injections

One exploitable case is listed per module. Most other exploits in the same module depend on the same variable or work in a similar way. The most interesting vulnerabilities are probably those in the following classes: comments, filter, picture_comment_inc, picture_modify and uploadify, since these seem to contain publicly facing parameters. (Erik: Fine to give one exploitable case per module, and go through all the modules as you do below. Note that from the perspective of an AVSV security verification, one might already stop after having found a few exploitable issues, and tick it off as a fail for this AVSV requirement.)

  • album_notification line 84
    • (and 1 more)

Post parameter 'group' is directly passed into the SQL query. The only check is whether it is not empty. (And 1 more related issue in album_notification.)

  • batch_manager line 65
    • (and 5 more)

Post parameter 'filter_category' is directly passed into the SQL query. The only check is whether it is not empty. (And 6 more related issues in batch_manager.)

  • batch_manager_global line 61
    • (and 10 more)

Post parameter 'filter_category' is directly passed into the SQL query. The only check is whether it is not empty. (And 10 more related issues in batch_manager.)

  • cat_modify line 155

Post parameter 'parent' is directly passed into the SQL query. The only check is whether it is not empty.

  • cat_move line 50
    • (and 1 more)

Post parameter 'selection' is directly passed into the SQL query. The only check is whether it is an array.

  • cat_options line 55
    • (and 7 more)

Post parameter 'cat_true' is directly passed into the SQL query. The only check is whether it is an array.

  • comments line 109
    • (and 6 more)

Get parameter 'cat_true' is directly passed into the SQL query. The only check is whether it is an array.

  • element_set_ranks line 109
    • (and 6 more)

Post parameter 'image_order' is directly passed into the SQL query. The only check is whether it is not empty.

  • filter.inc line 37

Get parameter 'filter' is directly passed into the SQL query. The only check is whether it is not empty.

  • functions_cookie_inc line 131

The cookie parameter is used unchecked in the query.

  • group_list line 69
    • (and 9 more)

Post parameter 'groupname' is directly passed into the SQL query. The only check is whether it is not empty.

  • group_perm line 59
    • (and 1 more)

Post parameter 'cat_true' is directly passed into the SQL query. The only check is whether it is an array.

  • permalinks line 88
    • (and 3 more)

Post parameter 'permalink' is directly passed into the SQL query. The only check is whether it is not empty.

  • photos_add_direct_process_inc line 44

Post parameter 'category_id' is directly passed into the SQL query. The only check is whether it is not empty.

  • picture_comment_inc line 49
    • (and 3 more)

Post parameter 'author' is directly passed into the SQL query. The only check is whether it is not empty.

  • picture_modify line 178

Post parameter 'associate' is directly passed into the SQL query. The only check is whether it is not empty.

  • profile line 26

Get parameter 'user_id' is directly passed into the SQL query. The only check is whether it is not empty.

  • tags line 54
    • (and 10 more)

Post parameter 'edit_list' is directly passed into the SQL query. This class does specify admin-only access.

  • themes_installed

Get parameter 'theme' is directly passed into the SQL query. The only check is whether it is not empty.

  • uploadify line 68

Post parameter 'category_id' is directly passed into the SQL query.
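The pattern behind every finding above, as an added example that is not code from the scanned project: a handler whose only check is `empty()` or `is_array()` and which then concatenates the request value into the query string, beside a hardened version that validates the value's form and binds it through a PDO prepared statement. The function names, the table names (`images`, `categories`) and the sample rows are assumptions chosen for illustration; the parameter names `filter_category` and `cat_true` are the ones named in the findings.

```php
<?php
// Added example, not code from the scanned project. Assumed: a PDO connection
// and table/column names (images, categories) chosen for illustration.

// Vulnerable shape reported above: the only check is empty(), then the raw
// request value is concatenated into the SQL string and executed as SQL.
function find_images_by_category_vulnerable(PDO $db, array $post): array
{
    if (empty($post['filter_category'])) {
        return [];
    }
    // $post['filter_category'] lands in the query verbatim
    $sql = 'SELECT id, name FROM images WHERE category_id = ' . $post['filter_category'];
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: check the value's form (a category id must be all digits) and bind
// it as a parameter, so the database never interprets it as SQL.
function find_images_by_category(PDO $db, array $post): array
{
    if (!isset($post['filter_category']) || !ctype_digit((string) $post['filter_category'])) {
        return [];   // anything that is not a non-negative integer id is rejected
    }
    $stmt = $db->prepare('SELECT id, name FROM images WHERE category_id = :cat');
    $stmt->execute([':cat' => (int) $post['filter_category']]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// The "only check is whether it is an array" case (cat_true, selection): an
// array of ids still needs per-element validation and one placeholder per id.
function find_categories_by_ids(PDO $db, array $post): array
{
    if (!isset($post['cat_true']) || !is_array($post['cat_true']) || $post['cat_true'] === []) {
        return [];
    }
    $ids = [];
    foreach ($post['cat_true'] as $id) {
        if (!ctype_digit((string) $id)) {
            return [];   // one malformed element rejects the whole request
        }
        $ids[] = (int) $id;
    }
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $db->prepare("SELECT id, name FROM categories WHERE id IN ($placeholders)");
    $stmt->execute($ids);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Demonstration on an in-memory SQLite database with constructed sample rows.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE images (id INTEGER, name TEXT, category_id INTEGER)');
$db->exec('CREATE TABLE categories (id INTEGER, name TEXT)');
$db->exec("INSERT INTO images VALUES (1, 'a.jpg', 1), (2, 'b.jpg', 2)");
$db->exec("INSERT INTO categories VALUES (1, 'public'), (2, 'private')");

var_dump(count(find_images_by_category($db, ['filter_category' => '1'])) === 1);     // bool(true)
var_dump(find_images_by_category($db, ['filter_category' => 'not-a-number']) === []); // bool(true): rejected
var_dump(count(find_categories_by_ids($db, ['cat_true' => ['1', '2']])) === 2);       // bool(true)
var_dump(find_categories_by_ids($db, ['cat_true' => ['1', 'x']]) === []);             // bool(true): rejected
```

The same two steps apply to the GET and cookie cases listed above: the check is on the value's form (digits for an id, a whitelist of known names for a parameter such as 'theme'), and the value reaches the database only through a bound parameter, never through string concatenation. The script runs with `php example.php` and needs the pdo_sqlite extension.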