Recent changes to bugs

MySQL INJECTION EXPLOIT

Fri, 30 Oct 2009 18:30:58 -0000

THE BUG WAS FOUND IN: func.inc.php

function F_loginUser($Username,$Password) {
global $db;
$sql = "UPDATE T_Users SET ";
$sql .= "LastLogin = now() ";
$sql .= "WHERE Username = '$Username' ";
$sql .= "AND Password = '" . md5($Password) . "' ";
$sql .= "AND Verified = 'Y'";
mysql_query($sql,$db);
if (mysql_affected_rows()>0) {
return true;

The input is not sanitized.

THE PROBLEM WITH THE CODE ABOVE IS THAT I CAN INPUT AN SQL INJECTION FOR
THE USERNAME.
SINCE YOUR CODE DOES NOT CHECK IF THE USERNAME AND PASSWORD HAS BEEN
TAMPERED WITH, MY INJECTION WILL WORK.

If a user were to use this username and password:

Username: SOME_VALID_USERNAME' OR '1'='1' AND Verified = 'Y --
Password: anything

They have a good chance in getting access into the program.

I have written a patch. It is attached.

essentially add the line: $UserName = mysql_real_escape_string($UserName);

THIS PATCH WILL HELP BECAUSE IT WILL PARSE THE MySQL INJECTION YOU USE ON
THE USERNAME. THE USERNAME WOULD THEN BE SANITIZED.

494222 patch

Goscha — Wed, 27 Apr 2005 09:24:25 -0000

Hi, I think this should solve the problem that was
reported in 494222 (there was a letter 'l' instead of
the number 1 in one of the declarations). The file
includes a difference list generated using diff.

<br>'s incorrect

Stephen Lawrence — Sun, 08 Dec 2002 21:00:05 -0000

THrought pwl5.3 any <br> tags are coded as <br />.

Left and Top edges are cut off

Stephen Lawrence — Tue, 03 Dec 2002 19:44:13 -0000

Just installed phpweblog 5.3. The upper and left side
borders of the page are cut off. I will attache a
screenshot.

SQL Syntax Error in polls.sql

Peter Gnodde — Mon, 17 Dec 2001 15:49:32 -0000

See topic for description:

Change:

Display ENUM('0','l') NOT NULL default '0',

To:

Display ENUM('0','1') NOT NULL default '0',

Posting by registered users errors

Patrick Jones — Thu, 08 Nov 2001 17:20:57 -0000

You get several errors when posting a comment as a
registered user.
1) A pop up says that "Name is a required field" even
when it is entered in the drop-down menu. Pressing ok
continues to post anyway.
2) However, the post shows up as coming from the email
address of the author, with no other user data entered.
I persume this is a problem with formcheck.inc.js, and
some other file to do with 2). It can be bypassed by
allowing people to post as anything, but this rather
removes the point of registered users somewhat.

Wrong RSS/RDF format

Anonymous — Wed, 31 Oct 2001 08:37:19 -0000

Check
http://www.oreillynet.com/pub/a/network/2000/08/25/maga
zine/rss_tut.html

the </channel> needs to be closed after the channel
info has been given, NOT after all the items have been
listed.

kill/edit/submit a comment leads to a 40

Jochen Buennagel — Wed, 03 Oct 2001 19:19:44 -0000

kill/edit/submit a comment leads to a 404 (if phpweblog is installed in www.domain.com/directory)

reason: Header("Location:$G_URL\&quot;.$where); in kill.php, edit.php, submit.php

solution: removed $G_URL\

result: works fine for me, but i don't know what it will do if installed in document-root...

Comments "on" on addon Pages

Jochen Buennagel — Mon, 01 Oct 2001 21:06:20 -0000

latest-unstable: I put the "polls" addon as a page in the page-manager and set "User Comments" to "on". Whenever I post a comment or kill one, I land at "/pages.php?node=" and get a "Page not found" error.

Poll Comments don't work correctly

Anonymous — Sun, 12 Aug 2001 23:23:54 -0000

I just checked out the latest CVS version (Aug 11,
2001) and noticed that when you try to submit a comment
on a poll question... the redirected URL is incorrect
and results in a page not found error.

I believe the cause may be the inclusion of "$self" in
the where hidden field.

------------------

By the way, it is coming along nicely!

Great Job!!