#1  20th August 2008, 12:15
kp380lv (Senior Member, Latvia; Join Date: May 2008; Posts: 388)
A little bug-fix in rss.php (potential SQL-injection)
For YSE PRE 6, but also working for BoLaMns PRE 7.

Open rss.php and substitute:

Replace this:

Code:
// $passkey is interpolated into the SQL string without escaping
$user = mysql_fetch_row(sql_query("SELECT COUNT(*) FROM users WHERE passkey = '$passkey'"));

With this:

Code:
// sqlesc() is the tracker's own escaping helper; it also supplies the surrounding quotes, so none are written here
$user = mysql_fetch_row(sql_query("SELECT COUNT(*) FROM users WHERE passkey = ".sqlesc($passkey)));
Vulnerability type: SQL injection, but because of the complexity of the application it is not especially dangerous.
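An added example (not the tracker's own code) showing the same passkey lookup written as a prepared statement, which keeps the value out of the SQL text entirely instead of relying on sqlesc(); it assumes a PDO connection and a 32-character hex passkey format, both assumptions rather than anything the post states.

```php
<?php
// Added example, not from YSE/BoLaMns. Assumptions: $pdo is a connected PDO
// handle; passkeys are 32 hex characters (constructed, adjust to the real format).

function passkey_exists(PDO $pdo, string $passkey): bool
{
    // Shape check first: anything that is not a plausible passkey never reaches SQL.
    // Defence in depth only; the prepared statement below is the real protection.
    if (!preg_match('/^[0-9a-f]{32}$/i', $passkey)) {
        return false;
    }

    // The placeholder separates data from SQL, so no quoting or escaping is needed
    // and a quote character inside $passkey cannot change the query structure.
    $stmt = $pdo->prepare('SELECT COUNT(*) FROM users WHERE passkey = :passkey');
    $stmt->execute([':passkey' => $passkey]);

    return (int) $stmt->fetchColumn() > 0;
}

// Constructed demo on an in-memory SQLite database (the tracker itself uses MySQL;
// requires the pdo_sqlite extension).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, passkey TEXT NOT NULL)');
$pdo->exec("INSERT INTO users (passkey) VALUES ('0123456789abcdef0123456789abcdef')");

// A valid key is found; a malformed key containing a quote is rejected by the
// shape check and, even without it, would be bound as plain data.
var_dump(passkey_exists($pdo, '0123456789abcdef0123456789abcdef'));
var_dump(passkey_exists($pdo, "not-a-key'"));
```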