[pLog-svn] Fwd: LifeType <= 1.0.4 'articleId' SQL injection
Jon Daley
plogworld at jon.limedaley.com
Sun Jun 4 00:39:25 GMT 2006
Hrm -- old email sitting in my "postponed" folder, I forget if I
already said this stuff.
Yes, I agree on all of your points, though I hadn't seen that the
IntegerValidator wasn't working, but I was just looking at the "validate"
functions that always return true...
And, yes, it would be nice to have a release before everyone
starts talking about it.
On Sun, 4 Jun 2006, Oscar Renalias wrote:
> I am currently working on it, and yes, there are plenty more like this (even
> though some of them are more convoluted, but perfectly possible given some
> time). For whatever reason, there is no validation whatsoever in any of our
> xxxAction classes. And to add insult to injury, our current IntegerValidator
> class doesn't work in this kind of situation so I had to fix that one too.
>
> The password doesn't only appear in the logs, but also in the HTML code. When
> I tried in my 1.0.5 instance, I could see the password hovering over the
> permalink (as if it was part of the link)
>
> Besides, being able to get SELECT queries through probably means that UPDATE
> and INSERT queries are also possible.
>
> I will check in my changes shortly. If everything looks good, let's release
> 1.0.5 during tomorrow as I believe that this needs a release asap before this
> gets to all security sites and channels.
>
> On 4 Jun 2006, at 01:41, Jon Daley wrote:
>
>> Ah, I turned on logging (turns out the slow logging isn't too bad for my
>> site, so I don't mind turning it on now)
>>
>> 152800 Query SELECT a.id, a.date, a.user_id, a.blog_id, a.status, a.properties,
>> a.num_reads, a.slug
>> FROM articles a WHERE a.id = 9999/**/UNION/**/SELECT/**/password,1,1,1,1,1,1,1/**/FROM/**/users/**/WHERE/**/id=1/* AND
>> a.blog_id = 1 AND a.status = 1
>>
>>
>> I will probably fix this shortly.
>>
>>
>> On Sat, 3 Jun 2006, Jon Daley wrote:
>>
>>> It doesn't work on my 1.0.4 install either, only partially. It does
>>> get the (presumably, I didn't check) admin password (hashed) into the
>>> sql_error.log, which isn't a security risk in itself, but obviously, being
>>> able to change the SQL queries is bad. I don't see what the /**/ stuff is
>>> doing. Surely the articleId is validated to be an integer, so where is
>>> all that sql getting assigned to?
>>>
>>> On Sun, 4 Jun 2006, Oscar Renalias wrote:
>>>
>>>> I couldn't get the linked script to work, but this is the interesting
>>>> part of it:
>>>> http://www.yourhost.com/lifetype-1.0.4/index.php?op=ViewArticle&blogId=1&articleId=9999/**/UNION/**/SELECT/**/password,1,1,1,1,1,1,1/**/FROM/**/lt_users/**/WHERE/**/id=1/*
>>>> Clever.
>>>> On 4 Jun 2006, at 00:43, Oscar Renalias wrote:
>>>>> Whoops. Our first serious SQL injection issue!
>>>>> Begin forwarded message:
>>>>>> From: "rgod" <zerokool_556 at hotmail.com>
>>>>>> Date: 4 June 2006 00:30:31 GMT+03:00
>>>>>> To: <contact at lifetype.net>
>>>>>> Subject: LifeType <= 1.0.4 'articleId' SQL injection
>>>>>> http://retrogod.altervista.org/lifetype_104_sql.html
>>>>>> rgod
>>>>> _______________________________________________
>>>>> pLog-svn mailing list
>>>>> pLog-svn at devel.lifetype.net
>>>>> http://devel.lifetype.net/mailman/listinfo/plog-svn
>>>
>>> **************************************
>>> Jon Daley
>>> http://jon.limedaley.com/
>>>
>>> With memory prices this low, who needs to deallocate memory?
>>>
>>
>> **************************************
>> Jon Daley
>> http://jon.limedaley.com/
>>
>> Music has the uncanny ability to burrow
>> its way into our spiritual bones.
>> -- John Witvliet
>>
>
**************************************
Jon Daley
http://jon.limedaley.com/
It is not an optical illusion, it just looks like one.
-- Phil White
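Added example, not code from LifeType or from anyone in this thread: a strict integer check of the kind the thread says the xxxAction classes and IntegerValidator were missing, with the article lookup done as a parameterised PDO query so the id is bound rather than concatenated. The function names, the PDO usage and the table name are assumptions; the columns mirror the query in the log above.

```php
<?php
// Added example (not LifeType code). isStrictInteger() is the check the thread
// says IntegerValidator should have performed; loadArticle() binds the id as a
// parameter instead of splicing it into the SQL string. Names are assumed.

function isStrictInteger($value): bool
{
    // Only an optional minus sign followed by digits passes. is_numeric() and
    // (int) casts are not enough: (int)"9999/**/UNION..." silently yields 9999,
    // and a validate() that merely returns true lets the raw string through.
    return is_string($value) && preg_match('/^-?\d+\z/', $value) === 1;
}

function loadArticle(PDO $db, $rawArticleId, int $blogId): ?array
{
    if (!isStrictInteger($rawArticleId)) {
        // Detection hook: a rejected articleId is worth a log line of its own.
        error_log('ViewArticle: rejected non-integer articleId');
        return null;
    }
    // Same columns as the logged query; id and blogId are bound, so the
    // database never parses them as SQL.
    $stmt = $db->prepare(
        'SELECT a.id, a.date, a.user_id, a.blog_id, a.status, a.properties,
                a.num_reads, a.slug
           FROM articles a
          WHERE a.id = :id AND a.blog_id = :blog AND a.status = 1'
    );
    $stmt->bindValue(':id', (int) $rawArticleId, PDO::PARAM_INT);
    $stmt->bindValue(':blog', $blogId, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed inputs: the value seen in the query log above, plus plain ids
// and a few malformed strings a lenient validator would also let through.
$injected = '9999/**/UNION/**/SELECT/**/password,1,1,1,1,1,1,1/**/FROM/**/users/**/WHERE/**/id=1/*';
foreach (['42', '-7', $injected, '12abc', '', "9\n"] as $candidate) {
    printf("%-12s -> %s\n", substr($candidate, 0, 12),
           isStrictInteger($candidate) ? 'accepted' : 'rejected');
}
```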