Project: Github Paroxyste/Simply-Blog 20190102

Vulnerability: #9224527 (2019-01-02 06:08:03)

Warning

This automated report may contain false positives or findings that are not exploitable in practice. Build a working proof-of-concept (PoC) exploit and confirm the data flow before reporting anything to the vendor.

Details:

Sink: @FUNCTION::mysqli_query
Risk: _GET
/Simply-Blog-master/posts/post.php:23
Reviewer note: in the excerpt below the `$_POST` fields (Name, Email, Comment) are run through mysqli_real_escape_string(), but `$_GET["id"]` — read as `$PostId` and again as `$PostIdFromURL` — is not, and `$PostIdFromURL` is interpolated straight into the quoted `admin_panel_id` value of the INSERT string; a single quote in `id` therefore terminates the literal. The mysqli_query() call the report names at line 23 is not itself visible in this excerpt (the listing stops at the query string), so confirm the sink line against the source. The fix is a prepared statement (mysqli_prepare / bind_param) for the whole INSERT rather than adding another escape call; the escape-only approach also depends on the connection character set being set correctly.
3  require_once("../includes/database.php");
4  require_once("../includes/sessions.php");
5  require_once("../includes/functions.php");
6  
7  if(isset($_POST["submit"])) {
8  	$Name = mysqli_real_escape_string($Connection, $_POST["Name"]);
9  	$Email = mysqli_real_escape_string($Connection, $_POST["Email"]);
10  	$Comment = mysqli_real_escape_string($Connection, $_POST["Comment"]);
11  	$CurrentTime = time();
12  	$DateTime = date('d M Y', $CurrentTime);
13  	$DateTime;
14    $Author = "Laurent Echeverria";
15    $PostId = $_GET["id"];
16  
17  	if(empty($Name) || empty($Email) || empty($Comment)) {
18  		$_SESSION["ErrorMessage"] = "All Fileds Are Required !";
19  
20  	} elseif(strlen($Comment) > 160) {
21  		$_SESSION["ErrorMessage"] = "Only 160 characters are allowed in comment.";
22  	} else {
23 $PostIdFromURL = $_GET["id"];
24 $Query = "INSERT INTO comments (datetime, name, email, comment, status, admin_panel_id) 25 VALUES ('$DateTime', '$Name', '$Email', '$Comment', 'Off', '$PostIdFromURL')";
Threat level 1

Callstack:

@INLINE::/Simply-Blog-master/admin/editPost.php /Simply-Blog-master/admin/editPost.php:31
Reviewer note: this entry points at a different file from the Details sink above and names a second mysqli_query() call (the `$Execute = mysqli_query(...)` line in the excerpt below). In that excerpt `$_GET["edit"]` (`$EditFromURL`) and the client-supplied upload name `$_FILES["Image"]["name"]` (`$Image`) are interpolated into the UPDATE statement without mysqli_real_escape_string(), unlike `$Category` and `$Post`; the origin of `$Admin` and `$Title` is outside the excerpt. Separately, move_uploaded_file() stores the upload under ../assets/img/uploads/ using the client-supplied name with only basename() applied, and no extension, MIME or content check is visible here — if nothing outside the excerpt rejects server-executable extensions, this is an arbitrary file upload into what appears to be a web-served directory, which a practitioner should confirm alongside the SQL injection.
11  	$Category = mysqli_real_escape_string($Connection, $_POST["Category"]);
12    $Post = mysqli_real_escape_string($Connection, $_POST["Post"]);
13  	$CurrentTime = time();
14  	$DateTime = date('d M Y', $CurrentTime);
15  	$DateTime;
16  	$Image = $_FILES["Image"]["name"];
17  	$Target = "../assets/img/uploads/" . basename($_FILES["Image"]["name"]);
18    $SearchQueryParam = $_GET["edit"];
19  
20  	if(empty($Title) || empty($Category) || empty($Image) || empty($Post))  {
21  		$_SESSION["ErrorMessage"] = "All Fileds Are Required !";
22  		Redirect_to("editPost.php?edit={$SearchQueryParam}");
23  	} elseif(strlen($Title) < 5 || strlen($Post) < 50) {
24  		$_SESSION["ErrorMessage"] = "You must write more characters";
25  		Redirect_to("editPost.php?edit={$SearchQueryParam}");
26  	} else {
27      $EditFromURL = $_GET["edit"];
28  		$Query = "UPDATE admin_panel SET datetime='$DateTime', title='$Title', category='$Category',
29                author='$Admin', image='$Image', post='$Post' WHERE id='$EditFromURL'";
30  		
31 $Execute = mysqli_query($Connection, $Query);
32 move_uploaded_file($_FILES["Image"]["tmp_name"], $Target); 33