[Typo3] SQL Injection
Ries van Twisk
typo3 at rvt.dds.nl
Thu Mar 3 22:27:14 CET 2005
I just tested it and it's indeed possible to do a SQL injection,
I could delete a table easily using a URL.
I’ll notify the maintainer,
Cheers,
Ries
> Taylor, Jeff wrote:
>
>> http://[UrlToLinksSection]?&no_cache=1&action=getviewcategory&category_uid=1%20or%201=1
>
>
> Well. That surely results in a result containing all entries of a table
> instead of just those which aren't deleted/hidden and in the correct
> category.
>
> He just adds " OR 1=1", which always evaluates to true, to the WHERE
> part of the query.
> Every extension which isn't doing
> WHERE field=intval($GETorPOSTorPiVarsfield)
> or
> 'WHERE field="'.$GLOBALS['TYPO3_DB']->quoteStr($GETorPOSTorPiVarsfield).'" ...'
> (the latter MUST get used if you compare strings)
> is affected by this bug
> (Oops. Did I do this?)
>
> greets,
> Bernhard
--
R. van Twisk
http://www.metamorf.net
Our Typo3 enabled website: http://www.livetravelguides.com
Instant help for Typo3? irc:/irc.freenode.net/typo3
Looking for documentation? http://typo3.org/documentation/
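The injection Bernhard describes and the intval() fix, as an added example that is not part of this thread or of any TYPO3 extension: a constructed in-memory SQLite table stands in for the links table, Python stands in for the extension's PHP, `php_intval` mimics PHP's intval(), and the string-comparison case that quoteStr() covers is handled by parameter binding instead.

```python
import re
import sqlite3
from urllib.parse import unquote

# Constructed sample rows: (uid, category_uid, hidden, deleted, title).
ROWS = [
    (1, 1, 0, 0, "visible link in category 1"),
    (2, 1, 1, 0, "hidden link in category 1"),
    (3, 2, 0, 0, "visible link in category 2"),
    (4, 2, 0, 1, "deleted link in category 2"),
]

# The category_uid value from the URL in the thread, URL-decoded as PHP would.
INJECTED = unquote("1%20or%201=1")  # -> "1 or 1=1"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE links (uid INTEGER, category_uid INTEGER, "
                 "hidden INTEGER, deleted INTEGER, title TEXT)")
    conn.executemany("INSERT INTO links VALUES (?, ?, ?, ?, ?)", ROWS)
    return conn


def vulnerable_query(conn, category_uid):
    # The affected pattern: the raw piVar is concatenated into the WHERE clause.
    # With "1 or 1=1" the clause becomes (... AND category_uid=1) OR 1=1,
    # so hidden and deleted rows from every category come back.
    sql = ("SELECT uid FROM links WHERE deleted=0 AND hidden=0 "
           "AND category_uid=" + category_uid + " ORDER BY uid")
    return [row[0] for row in conn.execute(sql)]


def php_intval(value):
    # Rough stand-in for PHP intval(): leading integer prefix, else 0 (assumption).
    match = re.match(r"\s*([+-]?\d+)", value)
    return int(match.group(1)) if match else 0


def hardened_query(conn, category_uid):
    # The fix from the thread: coerce the integer piVar with intval();
    # binding it as a parameter additionally covers the string case.
    sql = ("SELECT uid FROM links WHERE deleted=0 AND hidden=0 "
           "AND category_uid=? ORDER BY uid")
    return [row[0] for row in conn.execute(sql, (php_intval(category_uid),))]


if __name__ == "__main__":
    db = make_db()
    print(vulnerable_query(db, "1"), vulnerable_query(db, INJECTED))
    print(hardened_query(db, "1"), hardened_query(db, INJECTED))
```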