Introduction
A month ago, while working with DLE and the uLogin module, I noticed that the module contained a suspiciously simple check of incoming data and decided to test it.
My suspicions were confirmed.
Details
The main mistake is that almost all incoming data is not filtered at all; there is only a function that escapes quotes. For the DLE CMS that is not enough.
[Screenshot: a name value containing the characters ')]
The login is built from the user's first and last name, but nothing prevents us from entering special characters, for example single quotes, in the social network profile or when filling in the additional data.
The screenshot showed an SQL error when trying to change the rating of a news item.

SQL injection cannot be performed only because the name field in the dle_users table is limited to 40 characters.
But the error message already reveals the table prefix to us.
You can also mount an XSS attack, because the first and last name are stored in the fullname field, which has a limit of 100 characters.

Because of this bug, you can embed a trivial alert or include a JS file.
On the same day I discovered this bug, I sent a notification to uLogin technical support, but so far nothing has changed...
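To make the point concrete, here is an added example (not uLogin's or DLE's code) of how a profile name coming from a social network should be handled on the DLE side so that neither SQL injection nor stored XSS is possible, contrasted with the "escape the quotes and concatenate" approach the post criticises. The column lengths (40 for name, 100 for fullname) come from the post; the column names, the dle_users schema used here and the SQLite in-memory database are assumptions for illustration only.

```php
<?php
// Added example: safe handling of social-login profile strings for a DLE-style users table.
// Not code from uLogin or DLE. Table/column names are assumptions; the limits follow the post.

const NAME_MAX     = 40;   // dle_users.name limit (per the post)
const FULLNAME_MAX = 100;  // dle_users.fullname limit (per the post)

// --- Weak approach (roughly what the post describes): escape quotes, then concatenate.
// The data still becomes part of the SQL text, so correctness depends on the escaping being
// perfect for every context, and the value is later echoed into HTML unencoded.
function weak_insert_sql(string $name, string $fullname): string {
    $n = str_replace("'", "\\'", $name);
    $f = str_replace("'", "\\'", $fullname);
    return "INSERT INTO dle_users (name, fullname) VALUES ('$n', '$f')";
}

/**
 * Normalise and bound a profile string from a social network.
 * Trims, strips ASCII control characters, enforces the column limit in characters
 * (not bytes, so multibyte names are not cut mid-sequence) and returns null if unusable.
 * Apostrophes are deliberately allowed: "O'Brien" is a real name; the prepared
 * statement below makes them harmless.
 */
function normalise_profile_string(string $value, int $maxChars): ?string {
    $value = trim($value);
    $value = preg_replace('/[\x00-\x1F\x7F]/u', '', $value); // null on invalid UTF-8
    if ($value === null || $value === '') {
        return null;
    }
    if (mb_strlen($value, 'UTF-8') > $maxChars) {
        return null; // reject up front instead of relying on MySQL truncation
    }
    return $value;
}

/** Store the profile with a prepared statement: data never becomes SQL syntax. */
function store_social_user(PDO $db, string $name, string $fullname): bool {
    $n = normalise_profile_string($name, NAME_MAX);
    $f = normalise_profile_string($fullname, FULLNAME_MAX);
    if ($n === null || $f === null) {
        return false;
    }
    $stmt = $db->prepare('INSERT INTO dle_users (name, fullname) VALUES (:name, :fullname)');
    return $stmt->execute([':name' => $n, ':fullname' => $f]);
}

/** Encode on output so a stored tag is displayed as text, not executed by the browser. */
function render_fullname(string $fullname): string {
    return htmlspecialchars($fullname, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Demonstration on constructed inputs (no real users, in-memory SQLite instead of DLE's MySQL).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE dle_users (name VARCHAR(40), fullname VARCHAR(100))');

var_dump(store_social_user($db, "O'Brien", "Conor O'Brien"));          // true: apostrophe is fine
var_dump(store_social_user($db, "x')", "<b>x</b>')"));                  // true: stored literally, no SQL error
var_dump(store_social_user($db, str_repeat('a', 41), 'too long'));      // false: exceeds 40 characters

foreach ($db->query('SELECT fullname FROM dle_users') as $row) {
    echo render_fullname($row['fullname']), "\n";                       // <b> is shown as &lt;b&gt;
}
```

On a real DLE install the connection would be pdo_mysql rather than SQLite; there, set PDO::ATTR_EMULATE_PREPARES to false so the server, not the client library, does the parameter binding. Note that the length check belongs in the application: if the only thing stopping an injection is a 40-character column, the defence is accidental, and the 100-character fullname column shows how little margin that gives.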