cotonti.com : Search SQL injection https://www.cotonti.com Последние сообщения в теме Cotonti en Wed, 15 Apr 2026 16:26:43 -0000 GHengeveld Actually this isn't really a problem. Production sites should have error reporting disabled, so it won't show the SQL error or backtrace. Nevertheless its good to report these things.

]]> чт, 22 сен 2011 17:18:24 -0000 badc0re No problem man.

]]> ср, 21 сен 2011 13:07:26 -0000 Trustmaster It's a little harm anyways and it'll be fixed in 0.9.5, thank you once again for the report!

]]> ср, 21 сен 2011 11:45:08 -0000 badc0re Take a look at 

#0  cot_diefatal(SQL error 42S22: Column not found: 1054 Unknown column 'ft_updatedINJECTED_PARAMINJECTED_PARAM' in 'order clause')

And

GROUP BY t.ft_id ORDER BY ft_updatedINJECTED_PARAMINJECTED_PARAM ASC

It looks like sql injection to me.
]]> ср, 21 сен 2011 10:00:10 -0000 Trustmaster It is more path disclosure than SQL injection, but thank you for the report!

]]> ср, 21 сен 2011 07:34:15 -0000 badc0re #30749 esclkm:

but where was injection??? this field has ALP filter - which filter only [A-Za-z0-z_] try to inject

 

Added 2 minutes later:

Well the search is vulnerable. Try it by yourself.

Maybe it's not exploitable but it could lead to information extraction.

]]> вс, 18 сен 2011 21:36:23 -0000 esclkm but where was injection??? this field has ALP filter - which filter only [A-Za-z0-z_] try to inject

]]> вс, 18 сен 2011 19:36:40 -0000 badc0re Hi i want to report a SQL injection.

The request:

GET http://localhost/cotonti/index.php?e=search&sq=%5C'%5C'%5C'%5C'%5C'&rs%5Bsetlimit%5D=0&rs%5Bday%5D=18&rs%5Bmonth%5D=9&rs%5Byear%5D=2010&rs%5Bday%5D=18&rs%5Bmonth%5D=9&rs%5Byear%5D=2011&rs%5Bsetuser%5D=&rs%5Bpagsub%5D%5B%5D=all&rs%5Bpagtitle%5D=1&rs%5Bpagdesc%5D=1&rs%5Bpagtext%5D=1&rs%5Bpagsort%5D=date&rs%5Bpagsort2%5D=ASC&rs%5Bfrmsub%5D%5B%5D=all&rs%5Bfrmtitle%5D=1&rs%5Bfrmtext%5D=1&rs%5Bfrmsort%5D=updated'INJECTED_PARAM'INJECTED_PARAM&rs%5Bfrmsort2%5D=ASC HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:6.0.2) Gecko/20100101 Firefox/6.0.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Proxy-Connection: keep-alive
Referer: http://localhost/cotonti/index.php?e=search&sq=%27%27%27%27%27&rs[setlimit]=0&rs[day]=18&rs[month]=9&rs[year]=2010%271%27&rs[day]=18&rs[month]=9&rs[year]=2011&rs[setuser]=&rs[pagsub][]=all&rs[pagtitle]=1&rs[pagdesc]=1&rs[pagtext]=1&rs[pagsort]=date&rs[pagsort2]=ASC&rs[frmsub][]=all&rs[frmtitle]=1&rs[frmtext]=1&rs[frmsort]=updated&rs[frmsort2]=ASC
Cookie: PHPSESSID=bnq658i0omp7t3u654i85llj51
Content-length: 0
 
 
Result:

2011-09-18 19:03

Fatal error: SQL error 42S22: Column not found: 1054 Unknown column 'ft_updatedINJECTED_PARAMINJECTED_PARAM' in 'order clause'

#0  cot_diefatal(SQL error 42S22: Column not found: 1054 Unknown column 'ft_updatedINJECTED_PARAMINJECTED_PARAM' in 'order clause') called at [D:\xampp2\htdocs\cotonti\system\database.php:436]
#1  CotDB->query(SELECT SQL_CALC_FOUND_ROWS p.*, t.*
			 	FROM cot_forum_posts AS p, cot_forum_topics AS t
				WHERE t.ft_cat IN ('pub','general','offtopic') AND (t.ft_title LIKE '%\\\\\\\'\\\\\\\'\\\\\\\'\\\\\\\'\\\\\\\'%' OR p.fp_text LIKE '%\\\\\\\'\\\\\\\'\\\\\\\'\\\\\\\'\\\\\\\'%') AND p.fp_topicid = t.ft_id
				GROUP BY t.ft_id ORDER BY ft_updatedINJECTED_PARAMINJECTED_PARAM ASC
				LIMIT 0, 50) called at [D:\xampp2\htdocs\cotonti\plugins\search\search.php:367]
#2  include(D:\xampp2\htdocs\cotonti\plugins\search\search.php) called at [D:\xampp2\htdocs\cotonti\system\plugin.php:94]
#3  require_once(D:\xampp2\htdocs\cotonti\system\plugin.php) called at [D:\xampp2\htdocs\cotonti\index.php:92]

On version 9.4
]]> вс, 18 сен 2011 19:14:03 -0000