Fix SQL Injection and XSS vulnerability - woohoo our first 0-day exploit!

http://inj3ct0r.com/exploits/12613
http://packetstorm.linuxsecurity.com/1006-exploits/fairinabox-sqlxss.txt
This commit is contained in:
james 2010-06-23 05:07:57 +00:00
parent b7f3274543
commit dc63df156c

View File

@ -4,7 +4,7 @@
SFIAB Website: http://www.sfiab.ca
Copyright (C) 2005 Sci-Tech Ontario Inc <info@scitechontario.org>
Copyright (C) 2005 James Grant <james@lightbox.org>
Copyright (C) 2005-2010 James Grant <james@lightbox.org>
This program is free software; you can redistribute it and/or
modify it under the terms of the GNU General Public
@ -33,18 +33,26 @@ if($_POST['edit']) $edit=$_POST['edit'];
if($_GET['action']) $action=$_GET['action'];
if($_POST['action']) $action=$_POST['action'];
if($_GET['year'] && $_GET['type'])
{
if($_GET['year'] && $_GET['type']) {
$year=intval($_GET['year']);
$type=$_GET['type'];
$show_unawarded_awards="no";
$show_unawarded_prizes="no";
echo "<h2>".i18n("%1 %2 Award Winners",array($_GET['year'],$_GET['type']))."</h2>";
$year=$_GET['year'];
$typeq=mysql_query("SELECT * FROM award_types WHERE type='".mysql_real_escape_string($type)."' AND year=$year");
if(!mysql_num_rows($typeq)) {
echo error(i18n("Invalid award type"));
send_footer();
exit;
}
echo "<h2>".i18n("%1 %2 Award Winners",array($year,$type))."</h2>";
$ok=true;
//first, lets make sure someone isnt tryint to see something that they arent allowed to!
//but only if the year they want is the FAIRYEAR. If they want a past year, thats cool
if($_GET['year']>=$config['FAIRYEAR']) {
if($year>=$config['FAIRYEAR']) {
$q=mysql_query("SELECT (NOW()>'".$config['dates']['postwinners']."') AS test");
$r=mysql_fetch_object($q);
if($r->test!=1)
@ -54,8 +62,7 @@ if($_GET['year'] && $_GET['type'])
}
}
if($ok)
{
if($ok) {
$q=mysql_query("SELECT
award_awards.id,
@ -68,19 +75,17 @@ if($_GET['year'] && $_GET['type'])
WHERE
award_awards.year='$year'
AND award_awards.award_types_id=award_types.id
AND award_types.type='".$_GET['type']."'
AND award_types.type='".$type."'
AND award_types.year='$year'
ORDER BY
awards_order");
echo mysql_error();
if(mysql_num_rows($q))
{
if(mysql_num_rows($q)) {
echo "<a href=\"winners.php\">".i18n("Back to Winners main page")."</a>";
echo "<br />";
while($r=mysql_fetch_object($q))
{
while($r=mysql_fetch_object($q)) {
$pq=mysql_query("SELECT
award_prizes.prize,
award_prizes.number,
@ -102,37 +107,31 @@ if($_GET['year'] && $_GET['type'])
`order`");
echo mysql_error();
$awarded_count = 0;
if($show_unawarded_awards=="no")
{
while($pr=mysql_fetch_object($pq))
{
if($pr->projectnumber)
{
if($show_unawarded_awards=="no") {
if(mysql_num_rows($pq)) {
while($pr=mysql_fetch_object($pq)) {
if($pr->projectnumber) {
$awarded_count++;
}
}
mysql_data_seek($pq, 0);
}
if($show_unawarded_awards=="yes" || $awarded_count > 0)
{
}
if($show_unawarded_awards=="yes" || $awarded_count > 0) {
echo "<h3>".i18n($r->name)."</h3> \n";
}
$prevprizeid=-1;
while($pr=mysql_fetch_object($pq))
{
if(!($pr->projectnumber) && $show_unawarded_prizes=="no")
{
while($pr=mysql_fetch_object($pq)) {
if(!($pr->projectnumber) && $show_unawarded_prizes=="no") {
continue;
}
if($prevprizeid!=$pr->id)
{
if($prevprizeid!=$pr->id) {
echo "&nbsp;";
echo "&nbsp;";
echo "<b>";
echo i18n($pr->prize);
if(($pr->cash || $pr->scholarship) && $config['winners_show_prize_amounts'] == 'yes')
{
if(($pr->cash || $pr->scholarship) && $config['winners_show_prize_amounts'] == 'yes') {
echo " (";
if($pr->cash && $pr->scholarship)
echo i18n("\$%1 cash / \$%2 scholarship",array($pr->cash,$pr->scholarship),array("Cash dollar value","Scholarship dollar value"));
@ -148,8 +147,7 @@ if($_GET['year'] && $_GET['type'])
$prevprizeid=$pr->id;
}
if($pr->projectnumber)
{
if($pr->projectnumber) {
echo "&nbsp&nbsp;&nbsp;&nbsp;";
echo "($pr->projectnumber) $pr->title";
@ -171,8 +169,7 @@ if($_GET['year'] && $_GET['type'])
$studnum=0;
$students="";
$schools=array();
while($studentinfo=mysql_fetch_object($sq))
{
while($studentinfo=mysql_fetch_object($sq)) {
if($studnum>0 && $prev) $students.=", ";
if($studentinfo->webfirst=="yes")
@ -212,8 +209,7 @@ if($_GET['year'] && $_GET['type'])
echo $schoollist;
echo "<br />";
}
else
{
else {
echo "&nbsp&nbsp;&nbsp;&nbsp;";
echo i18n("Prize not awarded");
echo "<br />";
@ -240,12 +236,9 @@ else
ORDER BY
year DESC");
$first=true;
if(mysql_num_rows($q))
{
while($r=mysql_fetch_object($q))
{
if($first && $r->year != $config['FAIRYEAR'])
{
if(mysql_num_rows($q)) {
while($r=mysql_fetch_object($q)) {
if($first && $r->year != $config['FAIRYEAR']) {
list($d,$t)=split(" ",$config['dates']['postwinners']);
echo "<h2>".i18n("%1 Winners",array($config['FAIRYEAR']))."</h2>";
echo i18n("Winners of the %1 %2 will be posted here on %3 at %4",array($config['FAIRYEAR'],$config['fairname'],format_date($d),format_time($t)));
@ -274,16 +267,14 @@ else
award_types.order
");
echo mysql_error();
while($tr=mysql_fetch_object($tq))
{
while($tr=mysql_fetch_object($tq)) {
echo "&nbsp;&nbsp;<a href=\"winners.php?year=$r->year&type=$tr->type\">".i18n("%1 %2 award winners",array($r->year,$tr->type))."</a><br />";
}
echo "<br />";
$first=false;
}
}
else
{
else {
list($d,$t)=split(" ",$config['dates']['postwinners']);
echo "<h2>".i18n("%1 Winners",array($config['FAIRYEAR']))."</h2>";
echo i18n("Winners of the %1 %2 will be posted here on %3 at %4",array($config['FAIRYEAR'],$config['fairname'],format_date($d),format_time($t)));