Not A Real SMF SQL Injection / Indians can't read proper English!

[deadly7]

hot off of bugtraq

I'm a developer from over at simplemachines and I do not see how this can pose an exploit? Let's examine the code piece by piece:

The code is entered at this point:
if (!is_numeric($_REQUEST['start']))

So, will be executed if $_REQUEST['start'] is a string. It's then used in the query. However, it's used in the query in this piece of code:

substr(strtolower($_REQUEST['start']), 0, 1)

So, the string is set to lower case, and then only the FIRST letter is used within the query. How can anyone exploit the database with a one character insertion? Of course this is within single quotes as well, so it cannot even be a command.

I simply cannot see how you could possibly exploit SQL from this?

[deadly7]

-.- moved to security

[Newby]

Did you even read it? It says "how can you exploit w/ one character?" :P

[Sidoh]

So they're saying its not a bug and there's nothing to worry about?

Whoopie?

[deadly7]

Did you even read it? It says "how can you exploit w/ one character?" :P

I only read the SQL/PHP part of it.
Fine, I'll fix the topic title so it says "Not a real SMF SQL Injection"...

@Sidoh: This was posted on multiple sites, including SMF's own, as a SQL Injection.  I showed it to Newby the day we were "hacked".

Edit: Gross, typo.

[Sidoh]

I only read the SQL/PHP part of it.
Fine, I'll fix the topic title so it says "Not a real SMF SQL Injection"...

@Sidoh: This was posted on multiple sites, including SMF's own, as a SQL Injection.  I showed it to Newby the day we were "hacked".

Edit: Gross, typo.

It's not even worth posting, though.  It's not even an exploit if you can't do anything to it. :P

[Newby]

I love my new title and the new location. <3 deadly, you made my dream come true.

[iago]

Incidentally, you never know when something you don't think could possibly be exploitable is exploited in a really clever way.  It's happened time and time again.  Even really stupid things shouldn't be discounted.