[pLog-svn] Fwd: LifeType <= 1.0.4 'articleId' SQL injection
Jon Daley
plogworld at jon.limedaley.com
Sat Jun 3 22:41:41 GMT 2006
Ah, I turned on logging (turns out the slow logging isn't too bad for my
site, so I don't mind turning it on now)
152800 Query SELECT a.id, a.date,
a.user_id,a.blog_id,a.status,a.properties,
a.num_reads,
a.slug FROM articles a WHERE a.id = 9999/**/UNION/**/SELECT/**/password,1,1,1,1,1,1,1/**/FROM/**/users/**/WHERE/**/id=1/* AND
a.blog_id = 1 AND a.status = 1
a.blog_id = 1 AND a.status = 1
I will probably fix this shortly.
On Sat, 3 Jun 2006, Jon Daley wrote:
> It doesn't work on my 1.0.4 install either, only partially. It does
> get the (presumably, I didn't check) admin password (hashed) into the
> sql_error.log, which isn't a security risk in itself, but obviously, being
> able to change the SQL queries is bad. I don't see what the /**/ stuff is
> doing. Surely the articleId is validated to be an integer, so where is all
> that sql getting assigned to?
>
> On Sun, 4 Jun 2006, Oscar Renalias wrote:
>
>> I couldn't get the linked script to work, but this is the interesting part
>> of it:
>>
>> http://www.yourhost.com/lifetype-1.0.4/index.php?op=ViewArticle&blogId=1&articleId=9999/**/UNION/**/SELECT/**/password,1,1,1,1,1,1,1/**/FROM/**/lt_users/**/WHERE/**/id=1/*
>>
>> Clever.
>>
>> On 4 Jun 2006, at 00:43, Oscar Renalias wrote:
>>
>>> Whoops. Our first serious SQL injection issue!
>>>
>>> Begin forwarded message:
>>>
>>>> From: "rgod" <zerokool_556 at hotmail.com>
>>>> Date: 4 June 2006 00:30:31 GMT+03:00
>>>> To: <contact at lifetype.net>
>>>> Subject: LifeType <= 1.0.4 'articleId' SQL injection
>>>>
>>>> http://retrogod.altervista.org/lifetype_104_sql.html
>>>>
>>>> rgod
>>>>
>>>
>>> _______________________________________________
>>> pLog-svn mailing list
>>> pLog-svn at devel.lifetype.net
>>> http://devel.lifetype.net/mailman/listinfo/plog-svn
>>>
>>
>
> **************************************
> Jon Daley
> http://jon.limedaley.com/
>
> With memory prices this low, who needs to deallocate memory?
>
**************************************
Jon Daley
http://jon.limedaley.com/
Music has the uncanny ability to burrow
its way into our spiritual bones.
-- John Witvliet
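As an added illustration (not code from LifeType or from anyone on the list): a small sqlite3 model of the query the log shows, with the version that splices articleId into the SQL string beside one that requires articleId to be a plain integer and binds it as a parameter. The table names, columns and the password value are constructed for the example; the query shape and column count follow the logged query.

```python
import sqlite3

# The payload from the thread, unchanged; the /**/ comments act as spaces.
PAYLOAD = ("9999/**/UNION/**/SELECT/**/password,1,1,1,1,1,1,1"
           "/**/FROM/**/users/**/WHERE/**/id=1/*")

COLUMNS = "a.id, a.date, a.user_id, a.blog_id, a.status, a.properties, a.num_reads, a.slug"


def make_db():
    """Constructed in-memory schema with the eight columns seen in the log."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users(id INTEGER, password TEXT);
        CREATE TABLE articles(id INTEGER, date TEXT, user_id INTEGER, blog_id INTEGER,
                              status INTEGER, properties TEXT, num_reads INTEGER, slug TEXT);
        INSERT INTO users VALUES (1, 'constructed-admin-hash');
        INSERT INTO articles VALUES (7, '2006-06-03', 1, 1, 1, '', 0, 'hello');
    """)
    return db


def vulnerable_view(db, article_id, blog_id=1):
    """Query built the way the log suggests: articleId lands in the SQL as-is.

    The trailing /* comments out the blog_id and status conditions, so the
    UNION row (a password hash padded to eight columns) comes back.
    """
    sql = (f"SELECT {COLUMNS} FROM articles a WHERE a.id = {article_id} "
           f"AND a.blog_id = {blog_id} AND a.status = 1")
    return db.execute(sql).fetchall()


def hardened_view(db, article_id, blog_id=1):
    """Fix: accept only a string of decimal digits, then bind the integer."""
    if not (isinstance(article_id, str) and article_id.isdigit()):
        raise ValueError("articleId must be an integer")
    sql = (f"SELECT {COLUMNS} FROM articles a WHERE a.id = ? "
           "AND a.blog_id = ? AND a.status = 1")
    return db.execute(sql, (int(article_id), int(blog_id))).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(vulnerable_view(db, PAYLOAD))   # leaks the constructed hash
    print(hardened_view(db, "7"))         # returns the article
    try:
        hardened_view(db, PAYLOAD)
    except ValueError as e:
        print("rejected:", e)
```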