I just tested it: I've created a widget with (script( $aiki->membership->NewPassword(GET[ key]); )script)
and used this URL:

http://localhost/aiki/change-password?key=or'%20or%20''='

And Aiki executes these two SQL queries:

SELECT userid, username FROM aiki_users WHERE randkey = 'or' or ''=''
UPDATE aiki_users SET password = 'd4e125523c7e3146a4e4b0b1bb04038e' WHERE randkey = 'or\' or \'\'=\''

It seems that it doesn't work when magic_quotes_gpc is enabled, and it is by default.

** Changed in: aikiframework
       Status: New => Invalid

--
https://bugs.launchpad.net/bugs/871885

Title:
  SQL injection in reset password key

Status in Aiki Framework:
  Invalid

Bug description:
  in membership.php file in function NewPassword there is

  $update = $db->query("update aiki_users set password = '$password' where randkey = '".$_POST['key']."'");

  Is this function in use?
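
The lookup pattern from the report beside a bound-parameter reset, run against an in-memory SQLite database through PDO. This is an added example, not Aiki code and not part of the bug thread. The table and column names come from the report; the rows, key values and function names are constructed, and it assumes PHP with the pdo_sqlite extension.

```php
<?php
// Added example, not Aiki code. Rows, keys and function names are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE aiki_users (userid INTEGER PRIMARY KEY, username TEXT, password TEXT, randkey TEXT)");
$db->exec("INSERT INTO aiki_users (username, password, randkey) VALUES
    ('alice', 'old-hash-a', 'k-alice-constructed'),
    ('bob',   'old-hash-b', 'k-bob-constructed')");

// Pattern from the report: the key is concatenated into the SQL text,
// so quote characters in the key become part of the statement.
function lookupConcatenated(PDO $db, string $key): array {
    $sql = "SELECT userid, username FROM aiki_users WHERE randkey = '" . $key . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened form: the key is bound as data in both the SELECT and the UPDATE,
// so it is only ever compared against randkey as a literal string.
function resetPasswordBound(PDO $db, string $key, string $newHash): int {
    if ($key === '') {
        return 0; // an empty key must never match a row
    }
    $find = $db->prepare("SELECT userid FROM aiki_users WHERE randkey = ?");
    $find->execute([$key]);
    if (count($find->fetchAll(PDO::FETCH_COLUMN)) !== 1) {
        return 0; // unknown key: refuse instead of updating
    }
    $upd = $db->prepare("UPDATE aiki_users SET password = ? WHERE randkey = ?");
    $upd->execute([$newHash, $key]);
    return $upd->rowCount();
}

// Decoded value of the key parameter from the URL in the report.
$reported = "or' or ''='";

printf("concatenated SELECT matched %d row(s)\n",
    count(lookupConcatenated($db, $reported)));
printf("bound reset with the reported key changed %d row(s)\n",
    resetPasswordBound($db, $reported, 'new-hash-constructed'));
printf("bound reset with a real key changed %d row(s)\n",
    resetPasswordBound($db, 'k-alice-constructed', 'new-hash-constructed'));
```

Binding the key in both statements removes the dependence on magic_quotes_gpc that the test in the report turned on.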

