--- 1. SQL injection in module Download ---
This SQL injection is not critical, since the exploit works only with the rights of the manager (mysql).
The problem is in the file "modules/Downloads/dl-viewdownload.php".
--------
if ($show!="") {
    $perpage = $show;
} else {
    $show=$perpage;
}
...
$result =& $dbconn->SelectLimit($sql,$perpage,$min);
--------
The variable is $perpage.
$perpage is not checked when the request is made. If the $show parameter (the number of items per page) is set to, for instance, "0", "-3", "asdf" or any other bad value, the value is not checked.
Solution:
Install the new version, PostNuke 0.760. If you are not going to move to version 0.760, the solution is as follows:
In the file dl-viewdownload.php, in the functions viewdownload() and viewsdownload(), replace the code:
if ($show!="") {
    $perpage = $show;
} else {
    $show=$perpage;
}
with the following code:
if ( (isset($show)) && is_numeric($show) && ($show >= 0) ) {
    $perpage = $show;
} else {
    $show = $perpage;
}
If the parameter is invalid, the default value taken from the settings is used (thanks TAndrew).
Or, as an alternative solution, in the file dl-viewdownload.php, in the functions viewdownload() and viewsdownload(), change the code
$result =& $dbconn->SelectLimit($sql,$perpage,$min);
to
$result =& $dbconn->SelectLimit($sql,(int)$perpage,(int)$min);
If the parameter is invalid, an empty page is shown.
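
A stricter check for the same two parameters, as an added example that is not part of the advisory or of PostNuke (paging_int(), the bounds and the default of 10 are assumptions). It compares is_numeric() and the (int) cast with a whole-number range check on the inputs named above and on values such as "1e3" and "1.5".

```php
<?php
// Added example, not PostNuke code. paging_int(), the bounds 1..200 and
// 0..1000000, and the default of 10 are assumptions for illustration.

/**
 * Return $raw as an integer only if it is a plain decimal whole number
 * inside [$min, $max]; otherwise return $default.
 */
function paging_int($raw, int $default, int $min, int $max): int
{
    // Request parameters can arrive as arrays (show[]=1) or be missing.
    if (!is_string($raw) && !is_int($raw)) {
        return $default;
    }
    // FILTER_VALIDATE_INT rejects "asdf", "1.5", "1e3" and "0x1A", and the
    // range options reject values outside the allowed window.
    $value = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => $min, 'max_range' => $max],
    ]);
    return $value === false ? $default : $value;
}

// Constructed sample inputs: the values named in the advisory plus values
// where is_numeric() and (int) differ from a strict whole-number check.
$configuredPerPage = 10; // stands in for the default $perpage
$samples = ['25', '0', '-3', 'asdf', '1e3', '1.5', '0x1A', '99999999', ['1']];

printf("%-12s %-10s %-10s %s\n", 'show', 'is_numeric', '(int)', 'validated');
foreach ($samples as $show) {
    printf(
        "%-12s %-10s %-10d %d\n",
        json_encode($show),
        is_numeric($show) ? 'true' : 'false',
        (int) $show,
        paging_int($show, $configuredPerPage, 1, 200)
    );
}

// The offset ($min in the advisory's code) gets the same treatment,
// with 0 as both the lower bound and the fallback.
$min = paging_int('-3', 0, 0, 1000000);
printf("offset for \"-3\": %d\n", $min);
```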