Maybe potential SQL injection
I found two potential SQL injections.
0x1 > framework/modules/eaas/controllers/eaasController.php, $key can be controlled. And in line 33 of framework/core/models/expConfig.php, $this->location_data can be controlled and injected. It is possible to do boolean-based blind SQL injection via the apikey parameter.
[Suggest Fix]: parent::__construct($db->selectValue($this->table, 'id', "location_data='".expString::escape($this->location_data)."'"));
0x2. In the function activate_address of the file framework/modules/addressbook/controllers/addressController.php, $this->params['is_what'] can be controlled and injected. It is possible to do time-based SQL injection via the 'is_what' parameter.
Although there is an expString::escape filter, it can be bypassed like is_what= "firstname=0x61 where sleep(10)-- a".
[Suggest Fix]: $is_what should be an existing column;
Sorry, the previous one is down. I post again.
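The two findings above are different kinds of injection point, and the report's two suggested fixes reflect that: the first puts attacker-controlled text in a quoted string position (where escaping helps), the second puts it in a column-name position (where escaping cannot help, because the text is never inside quotes). The following is an added illustration of both hardening patterns, written for this page; it is not Exponent CMS code and does not use Exponent's own $db or expString API. It assumes a PDO connection and uses placeholder table and column names (expConfigs, addresses, the ADDRESS_FLAG_COLUMNS list) that stand in for whatever the real schema is.

```php
<?php
// Added example, not Exponent CMS code. Assumes a PDO connection; table and
// column names below are placeholders chosen for this illustration.

// Pattern 1: attacker-controlled text in a string (value) position.
// Binding the value as a parameter removes the need to hand-escape it.
function findConfigIdByLocation(PDO $pdo, string $locationData): ?int
{
    // Placeholder table name; the report's $this->table is not known here.
    $stmt = $pdo->prepare('SELECT id FROM expConfigs WHERE location_data = :loc');
    $stmt->execute([':loc' => $locationData]);
    $id = $stmt->fetchColumn();
    return $id === false ? null : (int) $id;
}

// Pattern 2: attacker-controlled text in an identifier (column name) position.
// No escaping function can make this safe; the only robust check is an
// allowlist of the columns the code is actually meant to update.
const ADDRESS_FLAG_COLUMNS = ['is_default', 'is_billing', 'is_shipping']; // hypothetical

function activateAddressColumn(PDO $pdo, string $isWhat, int $addressId, int $userId): bool
{
    // Strict comparison against our own literals; reject anything else rather
    // than trying to "clean" it.
    if (!in_array($isWhat, ADDRESS_FLAG_COLUMNS, true)) {
        throw new InvalidArgumentException('Unknown address flag column');
    }
    // $isWhat is now guaranteed to be one of the literals above, so
    // interpolating it into the SQL text is safe. The row selector is still
    // bound as parameters, and the user_id check keeps the update scoped to
    // the caller's own rows.
    $sql = "UPDATE addresses SET {$isWhat} = 1 WHERE id = :id AND user_id = :uid";
    $stmt = $pdo->prepare($sql);
    return $stmt->execute([':id' => $addressId, ':uid' => $userId]);
}
```

The design point is that the check for the identifier case happens before any SQL is built: a request carrying an unknown column name fails closed with an exception, which is also the event a defender would want to log, rather than being passed through an escaping routine that was designed for quoted string data.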