hot off of bugtraq
Quote: I'm a developer from over at simplemachines and I do not see how this can pose an exploit? Let's examine the code piece by piece:
The code is entered at this point:
if (!is_numeric($_REQUEST['start']))
So, this will be executed if $_REQUEST['start'] is a string. It's then used in the query. However, it's used in the query in this piece of code:
substr(strtolower($_REQUEST['start']), 0, 1)
So, the string is set to lower case, and then only the FIRST letter is used within the query. How can anyone exploit the database with a one-character insertion? Of course this is within single quotes as well, so it cannot even be a command.
I simply cannot see how you could possibly exploit SQL from this?
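To make the reasoning in the quoted post concrete, here is an added PHP snippet (not SMF's code, and not from the poster) that mirrors the two lines above and prints what actually ends up inside the quotes for several inputs, next to a whitelisted variant; the WHERE clause around the fragment is a hypothetical stand-in, since the real query is not shown in the thread.

```php
<?php
// Added example: reproduce the handling of $_REQUEST['start'] quoted above.
// The surrounding clause (realName column, LEFT/LOWER) is a constructed
// placeholder, not the actual SMF query.

function start_fragment(string $start): string
{
    // Mirrors the quoted logic: non-numeric input is lowercased and cut
    // down to its first character before being placed in single quotes.
    if (!is_numeric($start)) {
        return substr(strtolower($start), 0, 1);
    }
    return (string) (int) $start;
}

function build_where(string $start): string
{
    // Exactly one character lands between the quotes, whatever was sent.
    return "WHERE LOWER(LEFT(realName, 1)) = '" . start_fragment($start) . "'";
}

function build_where_safe(string $start): string
{
    // Hardened variant: only accept the letters/digits the feature needs,
    // so a quote or backslash can never reach the SQL text at all.
    $frag = start_fragment($start);
    if (!preg_match('/^[a-z0-9]$/', $frag)) {
        $frag = 'a'; // constructed fallback for anything outside the whitelist
    }
    return "WHERE LOWER(LEFT(realName, 1)) = '" . $frag . "'";
}

// Constructed sample inputs: a normal letter, a long string, a bare quote,
// a backslash and a number. Only the first character survives substr().
foreach (["B", "mike' OR 1=1 -- ", "'", "\\", "7"] as $input) {
    printf("%-22s -> %s\n", var_export($input, true), build_where($input));
    printf("%-22s -> %s\n", '  (whitelisted)', build_where_safe($input));
}
```

Running it shows the long string collapsing to a single `m`, while the bare quote and backslash cases illustrate why even a one-character sink is easier to reason about when it is whitelisted rather than trusted to be harmless.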
-.- moved to security
Did you even read it? It says "how can you exploit w/ one character?" :P
So they're saying it's not a bug and there's nothing to worry about?
Whoopie?
Quote from: Newby on December 11, 2005, 09:03:15 PM
Did you even read it? It says "how can you exploit w/ one character?" :P
I only read the SQL/PHP part of it.
Fine, I'll fix the topic title so it says "Not a real SMF SQL Injection"...
@Sidoh: This was posted on multiple sites, including SMF's own, as a SQL Injection. I showed it to Newby the day we were "hacked".
Edit: Gross, typo.
Quote from: deadly7 on December 11, 2005, 09:12:01 PM
I only read the SQL/PHP part of it.
Fine, I'll fix the topic title so it says "Not a real SMF SQL Injection"...
@Sidoh: This was posted on multiple sites, including SMF's own, as a SQL Injection. I showed it to Newby the day we were "hacked".
Edit: Gross, typo.
It's not even worth posting, though. It's not even an exploit if you can't do anything to it. :P
I love my new title and the new location. <3 deadly, you made my dream come true.
Incidentally, you never know when something you don't think could possibly be exploitable is exploited in a really clever way. It's happened time and time again. Even really stupid things shouldn't be discounted.