[pLog-svn] Fwd: LifeType <= 1.0.4 'articleId' SQL injection

Jon Daley plogworld at jon.limedaley.com
Sun Jun 4 00:39:25 GMT 2006


 	Hrm -- old email sitting in my "postponed" folder, I forget if I 
already said this stuff.

 	Yes, I agree on all of your points, though I hadn't seen that the 
IntegerValidator wasn't working, but I was just looking at the "validate" 
functions that always return true...
 	And, yes, it would be nice to have a release before everyone 
starts talking about it.

On Sun, 4 Jun 2006, Oscar Renalias wrote:
> I am currently working on it, and yes, there are plenty more like this (even 
> though some of them are more convoluted, but perfectly possible given some 
> time). For whatever reason, there is no validation whatsoever in any of our 
> xxxAction classes. And to add insult to injury, our current IntegerValidator 
> class doesn't work in this kind of situation so I had to fix that one too.
>
> The password doesn't only appear in the logs, but also in the HTML code. When 
> I tried in my 1.0.5 instance, I could see the password hovering over the 
> permalink (as if it was part of the link)
>
> Besides, being able to get SELECT queries through probably means that UPDATE 
> and INSERT queries are also possible.
>
> I will check in my changes shortly. If everything looks good, let's release 
> 1.0.5 during tomorrow as I believe that this needs a release asap before this 
> gets to all security sites and channels.
>
> On 4 Jun 2006, at 01:41, Jon Daley wrote:
>
>> Ah, I turned on logging (turns out the slow logging isn't too bad for my 
>> site, so I don't mind turning it on now)
>> 
>> 152800 Query       SELECT a.id, a.date, a.user_id, a.blog_id, a.status,
>>                    a.properties, a.num_reads, a.slug
>>                    FROM articles a
>>                    WHERE a.id = 9999/**/UNION/**/SELECT/**/password,1,1,1,1,1,1,1/**/FROM/**/users/**/WHERE/**/id=1/* AND a.blog_id = 1 AND a.status = 1
>> 
>> 
>> I will probably fix this shortly.
>> 
>> 
>> On Sat, 3 Jun 2006, Jon Daley wrote:
>>
>>> 	It doesn't work on my 1.0.4 install either, only partially.  It does 
>>> get the (presumably, I didn't check) admin password (hashed) into the 
>>> sql_error.log, which isn't a security risk in itself, but obviously, being 
>>> able to change the SQL queries is bad.  I don't see what the /**/ stuff is 
>>> doing.  Surely the articleId is validated to be an integer, so where is 
>>> all that sql getting assigned to?
>>> 
>>> On Sun, 4 Jun 2006, Oscar Renalias wrote:
>>> 
>>>> I couldn't get the linked script to work, but this is the interesting 
>>>> part of it:
>>>> http://www.yourhost.com/lifetype-1.0.4/index.php?op=ViewArticle&blogId=1&articleId=9999/**/UNION/**/SELECT/**/password,1,1,1,1,1,1,1/**/FROM/**/lt_users/**/WHERE/**/id=1/*
>>>> Clever.
>>>> On 4 Jun 2006, at 00:43, Oscar Renalias wrote:
>>>>> Whoops. Our first serious SQL injection issue!
>>>>> Begin forwarded message:
>>>>>> From: "rgod" <zerokool_556 at hotmail.com>
>>>>>> Date: 4 June 2006 00:30:31 GMT+03:00
>>>>>> To: <contact at lifetype.net>
>>>>>> Subject: LifeType <= 1.0.4 'articleId' SQL injection
>>>>>> http://retrogod.altervista.org/lifetype_104_sql.html
>>>>>> rgod
>>>>> _______________________________________________
>>>>> pLog-svn mailing list
>>>>> pLog-svn at devel.lifetype.net
>>>>> http://devel.lifetype.net/mailman/listinfo/plog-svn
>>> 
>>> **************************************
>>> Jon Daley
>>> http://jon.limedaley.com/
>>> 
>>> With memory prices this low, who needs to deallocate memory?
>>> 
>> 
>> **************************************
>> Jon Daley
>> http://jon.limedaley.com/
>> 
>> Music has the uncanny ability to burrow
>> its way into our spiritual bones.
>> -- John Witvliet
>> 
>

**************************************
Jon Daley
http://jon.limedaley.com/

It is not an optical illusion, it just looks like one.
-- Phil White
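The thread above shows the injected query as MySQL logged it, but not why an articleId that "surely is validated to be an integer" gets through, nor what a working check looks like. The following is an added example, not LifeType code and not code from anyone in this thread: it rebuilds the logged query against an in-memory SQLite database with the same column list and the same `articles`/`users` table names that appear in the log (the row contents and the hash value are constructed for the demo), runs rgod's payload through the string-concatenation pattern the log implies, and then through a strict digits-only check plus a parameterised query. The function names and the `lt_`-less table names are assumptions for illustration. It assumes only the standard library.

```python
import sqlite3

# Constructed sample data: the column names mirror the logged query, the
# password hash is a made-up value standing in for the admin's stored hash.
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
CREATE TABLE articles (
    id INTEGER PRIMARY KEY, date TEXT, user_id INTEGER, blog_id INTEGER,
    status INTEGER, properties TEXT, num_reads INTEGER, slug TEXT);
INSERT INTO users VALUES (1, 'admin', '5f4dcc3b5aa765d61d8327deb882cf99');
INSERT INTO articles VALUES (1, '2006-06-04', 1, 1, 1, '', 0, 'hello');
"""

# rgod's articleId value, verbatim from the thread. /**/ is a C-style comment
# that the SQL tokenizer treats as whitespace, so it survives URL handling that
# would mangle a literal space; the trailing /* comments out the rest of the
# WHERE clause that the application appends.
PAYLOAD = ("9999/**/UNION/**/SELECT/**/password,1,1,1,1,1,1,1"
           "/**/FROM/**/users/**/WHERE/**/id=1/*")

COLUMNS = ("a.id, a.date, a.user_id, a.blog_id, a.status, a.properties, "
           "a.num_reads, a.slug")


def connect():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def view_article_vulnerable(conn, article_id, blog_id="1"):
    """The pre-fix pattern: request parameters pasted straight into the SQL.

    Whatever arrives as articleId ends up in the statement, so the eight-column
    UNION in PAYLOAD lines up with the eight selected columns and the hash lands
    in the a.id position of the returned row.
    """
    sql = ("SELECT " + COLUMNS + " FROM articles a WHERE a.id = " + article_id +
           " AND a.blog_id = " + blog_id + " AND a.status = 1")
    return conn.execute(sql).fetchall()


def is_plain_integer(value):
    """Strict integer validator: ASCII digits only.

    Casting with int() is not a validator: int(" 1 ") and int("+1") succeed,
    and a validator that always returns True (the thread's complaint about the
    validate functions) obviously lets PAYLOAD straight through. Checking the
    raw string rejects comments, signs, whitespace and anything else a
    tokenizer might reinterpret.
    """
    return isinstance(value, str) and value.isascii() and value.isdigit()


def view_article_safe(conn, article_id, blog_id="1"):
    """Validate first, then bind. Either measure alone would stop PAYLOAD;
    together they also stop the next payload that is not a UNION."""
    if not (is_plain_integer(article_id) and is_plain_integer(blog_id)):
        raise ValueError("articleId and blogId must be plain integers")
    sql = ("SELECT " + COLUMNS + " FROM articles a "
           "WHERE a.id = ? AND a.blog_id = ? AND a.status = 1")
    return conn.execute(sql, (int(article_id), int(blog_id))).fetchall()


def demo():
    """Returns (what the vulnerable path leaks, whether the safe path rejected it)."""
    conn = connect()
    leaked = view_article_vulnerable(conn, PAYLOAD)
    try:
        view_article_safe(conn, PAYLOAD)
        rejected = False
    except ValueError:
        rejected = True
    return leaked, rejected


if __name__ == "__main__":
    leaked, rejected = demo()
    print("vulnerable path returned:", leaked)
    print("safe path rejected payload:", rejected)
    print("safe path, legitimate id:", view_article_safe(connect(), "1"))
```

The vulnerable call returns a single row whose first column is the users.password value rather than an article id, which is exactly what Oscar saw rendered into the permalink in the HTML. The hash only appears because the UNION column count matches; the comment in the thread that UPDATE and INSERT are probably reachable too follows from the same fact that the parameter is spliced into the statement text rather than bound.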

