[pLog-svn] Fwd: LifeType <= 1.0.4 'articleId' SQL injection

Oscar Renalias oscar at renalias.net
Sat Jun 3 22:48:50 GMT 2006


I am currently working on it, and yes, there are plenty more like
this (even though some of them are more convoluted, but perfectly
possible given some time). For whatever reason, there is no validation
whatsoever in any of our xxxAction classes. And to add insult to
injury, our current IntegerValidator class doesn't work in this kind
of situation, so I had to fix that one too.

The password doesn't only appear in the logs, but also in the HTML
code. When I tried in my 1.0.5 instance, I could see the password
hovering over the permalink (as if it was part of the link).

Besides, being able to get SELECT queries through probably means that  
UPDATE and INSERT queries are also possible.

I will check in my changes shortly. If everything looks good, let's
release 1.0.5 tomorrow, as I believe this needs a release ASAP
before it gets to all the security sites and channels.

On 4 Jun 2006, at 01:41, Jon Daley wrote:

> Ah, I turned on logging (turns out the slow logging isn't too bad  
> for my site, so I don't mind turning it on now)
>
>  152800 Query       SELECT a.id, a.date, a.user_id,a.blog_id,a.status,a.properties,
> a.num_reads, a.slug FROM articles a WHERE a.id = 9999/**/UNION/**/SELECT/**/password,1,1,1,1,1,1,1/**/FROM/**/users/**/WHERE/**/id=1/*
> AND a.blog_id = 1 AND a.status = 1
>
>
> I will probably fix this shortly.
>
>
> On Sat, 3 Jun 2006, Jon Daley wrote:
>
>> 	It doesn't work on my 1.0.4 install either, only partially.  It  
>> does get the (presumably, I didn't check) admin password (hashed)  
>> into the sql_error.log, which isn't a security risk in itself, but  
>> obviously, being able to change the SQL queries is bad.  I don't  
>> see what the /**/ stuff is doing.  Surely the articleId is  
>> validated to be an integer, so where is all that sql getting  
>> assigned to?
>>
>> On Sun, 4 Jun 2006, Oscar Renalias wrote:
>>
>>> I couldn't get the linked script to work, but this is the  
>>> interesting part of it:
>>> http://www.yourhost.com/lifetype-1.0.4/index.php?op=ViewArticle&blogId=1&articleId=9999/**/UNION/**/SELECT/**/password,1,1,1,1,1,1,1/**/FROM/**/lt_users/**/WHERE/**/id=1/*
>>> Clever.
>>> On 4 Jun 2006, at 00:43, Oscar Renalias wrote:
>>>> Whoops. Our first serious SQL injection issue!
>>>> Begin forwarded message:
>>>>> From: "rgod" <zerokool_556 at hotmail.com>
>>>>> Date: 4 June 2006 00:30:31 GMT+03:00
>>>>> To: <contact at lifetype.net>
>>>>> Subject: LifeType <= 1.0.4 'articleId' SQL injection
>>>>> http://retrogod.altervista.org/lifetype_104_sql.html
>>>>> rgod
>>>> _______________________________________________
>>>> pLog-svn mailing list
>>>> pLog-svn at devel.lifetype.net
>>>> http://devel.lifetype.net/mailman/listinfo/plog-svn
>>
>> **************************************
>> Jon Daley
>> http://jon.limedaley.com/
>>
>> With memory prices this low, who needs to deallocate memory?
>>
>
> **************************************
> Jon Daley
> http://jon.limedaley.com/
>
> Music has the uncanny ability to burrow
> its way into our spiritual bones.
> -- John Witvliet
>
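The fix discussed in this thread (strict integer validation of request parameters in the action classes, so that a value such as the logged articleId payload is rejected before any SQL is built) in illustrative PHP. This is an added example, not LifeType's own code or its IntegerValidator: it assumes PDO with MySQL, reuses the table and column names from the logged query, and the names `validateIntegerParam` and `fetchArticle` are hypothetical.

```php
<?php
// Added example, not LifeType code. Demonstrates strict integer validation of
// a request parameter plus a parameterised query (assumes PDO/MySQL).

/**
 * Returns the value as an int if it is a plain decimal integer within
 * [$min, $max], or null otherwise. Anything that merely *starts* with digits
 * (e.g. "9999/**/UNION...") is rejected, unlike a plain (int) cast.
 */
function validateIntegerParam($value, $min = 1, $max = PHP_INT_MAX)
{
    if (!is_string($value) && !is_int($value)) {
        return null;
    }
    $result = filter_var($value, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => $min, 'max_range' => $max]]);
    return $result === false ? null : $result;
}

/**
 * Looks up one article by blog and id. Validation fails closed, and the
 * values are bound as parameters so they are sent separately from the SQL
 * text and cannot change the statement's structure.
 */
function fetchArticle(PDO $db, $blogId, $articleId)
{
    $blogId = validateIntegerParam($blogId);
    $articleId = validateIntegerParam($articleId);
    if ($blogId === null || $articleId === null) {
        return null; // reject the request rather than building SQL from raw input
    }
    $stmt = $db->prepare(
        'SELECT a.id, a.date, a.user_id, a.blog_id, a.status, a.properties,
                a.num_reads, a.slug
           FROM articles a
          WHERE a.id = :id AND a.blog_id = :blog AND a.status = 1');
    $stmt->bindValue(':id', $articleId, PDO::PARAM_INT);
    $stmt->bindValue(':blog', $blogId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}

// Constructed inputs: the payload quoted in this thread and a legitimate id.
$payload = '9999/**/UNION/**/SELECT/**/password,1,1,1,1,1,1,1/**/FROM/**/users/**/WHERE/**/id=1/*';
assert(validateIntegerParam('9999') === 9999);
assert(validateIntegerParam($payload) === null);
assert(validateIntegerParam('0') === null);      // below min_range of 1
assert(validateIntegerParam('12abc') === null);  // leading digits are not enough

// Why a loose check is not enough: (int) truncates at the first non-digit, and
// on PHP 7 an int == string comparison casts the string the same way, so a
// validator written as "(int) $value == $value" accepts the payload as 9999.
assert((int) $payload === 9999);
```

The point of the two layers is that they fail independently: `validateIntegerParam` stops the request at the edge, and the bound parameters mean that even a validator bug (of the kind the thread reports) would no longer let a value be spliced into the statement text that ends up in the query log.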


