[pLog-svn] Fwd: LifeType <= 1.0.4 'articleId' SQL injection

Oscar Renalias oscar at renalias.net
Sun Jun 4 09:29:51 GMT 2006


Yes, my mistake. The old integer validation class was working fine.  
What happened is that I got confused with all the action classes  
returning true in validate() as you just said. I will revert to the  
old class and try again. If everything is ok, I will release this  
today most likely.

On 4 Jun 2006, at 03:39, Jon Daley wrote:

> 	Hrm -- old email sitting in my "postponed" folder, I forget if I  
> already said this stuff.
>
> 	Yes, I agree on all of your points, though I hadn't seen that the  
> IntegerValidator wasn't working, but I was just looking at the  
> "validate" functions that always return true...
> 	And, yes, it would be nice to have a release before everyone  
> starts talking about it.
>
> On Sun, 4 Jun 2006, Oscar Renalias wrote:
>> I am currently working on it, and yes, there are plenty more like  
>> this (even though some of them are more convoluted, but perfectly  
>> possible given some time). For whatever reason, there is no  
>> validation whatsoever in any of our xxxAction classes. And to add  
>> insult to injury, our current IntegerValidator class doesn't work  
>> in this kind of situation, so I had to fix that one too.
>>
>> The password doesn't only appear in the logs, but also in the HTML  
>> code. When I tried in my 1.0.5 instance, I could see the password  
>> hovering over the permalink (as if it was part of the link).
>>
>> Besides, being able to get SELECT queries through probably means  
>> that UPDATE and INSERT queries are also possible.
>>
>> I will check in my changes shortly. If everything looks good,  
>> let's release 1.0.5 tomorrow, as I believe that this needs a  
>> release asap before this gets to all security sites and channels.
>>
>> On 4 Jun 2006, at 01:41, Jon Daley wrote:
>>
>>> Ah, I turned on logging (turns out the slow logging isn't too bad  
>>> for my site, so I don't mind turning it on now).
>>> 152800 Query       SELECT a.id, a.date, a.user_id,a.blog_id,a.status,a.properties, a.num_reads, a.slug FROM articles a WHERE a.id = 9999/**/UNION/**/SELECT/**/password,1,1,1,1,1,1,1/**/FROM/**/users/**/WHERE/**/id=1/* AND a.blog_id = 1 AND a.status = 1
>>> I will probably fix this shortly.
>>> On Sat, 3 Jun 2006, Jon Daley wrote:
>>>
>>>> 	It doesn't work on my 1.0.4 install either, only partially.  It  
>>>> does get the (presumably, I didn't check) admin password  
>>>> (hashed) into the sql_error.log, which isn't a security risk in  
>>>> itself, but obviously, being able to change the SQL queries is  
>>>> bad.  I don't see what the /**/ stuff is doing.  Surely the  
>>>> articleId is validated to be an integer, so where is all that  
>>>> sql getting assigned to?
>>>> On Sun, 4 Jun 2006, Oscar Renalias wrote:
>>>>> I couldn't get the linked script to work, but this is the  
>>>>> interesting part of it:
>>>>> http://www.yourhost.com/lifetype-1.0.4/index.php?op=ViewArticle&blogId=1&articleId=9999/**/UNION/**/SELECT/**/password,1,1,1,1,1,1,1/**/FROM/**/lt_users/**/WHERE/**/id=1/*
>>>>> Clever.
>>>>> On 4 Jun 2006, at 00:43, Oscar Renalias wrote:
>>>>>> Whoops. Our first serious SQL injection issue!
>>>>>> Begin forwarded message:
>>>>>>> From: "rgod" <zerokool_556 at hotmail.com>
>>>>>>> Date: 4 June 2006 00:30:31 GMT+03:00
>>>>>>> To: <contact at lifetype.net>
>>>>>>> Subject: LifeType <= 1.0.4 'articleId' SQL injection
>>>>>>> http://retrogod.altervista.org/lifetype_104_sql.html
>>>>>>> rgod
>>>>>> _______________________________________________
>>>>>> pLog-svn mailing list
>>>>>> pLog-svn at devel.lifetype.net
>>>>>> http://devel.lifetype.net/mailman/listinfo/plog-svn
>>>> **************************************
>>>> Jon Daley
>>>> http://jon.limedaley.com/
>>>> With memory prices this low, who needs to deallocate memory?
>>> **************************************
>>> Jon Daley
>>> http://jon.limedaley.com/
>>> Music has the uncanny ability to burrow
>>> its way into our spiritual bones.
>>> -- John Witvliet
>>
>
> **************************************
> Jon Daley
> http://jon.limedaley.com/
>
> It is not an optical illusion, it just looks like one.
> -- Phil White
>
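Added example, not LifeType's code or anything posted in the thread: a strict integer check for a request parameter like articleId beside the kind of loose cast-based check that lets the quoted payload through, and a parameterised lookup so the id never becomes part of the SQL text. It assumes PHP with PDO and the pdo_sqlite extension; the table, function names and sample row are constructed for the example.

```php
<?php
declare(strict_types=1);

// Constructed sample input in the shape of the articleId payload quoted above.
const PAYLOAD = '9999/**/UNION/**/SELECT/**/password,1,1,1,1,1,1,1/**/FROM/**/users/**/WHERE/**/id=1/*';

// Weak check (hypothetical): an (int) cast keeps the leading digits, so the
// payload casts to 9999 and passes while the raw string is still the value
// that later gets concatenated into the query.
function looseArticleIdOk(string $raw): bool
{
    return (int) $raw > 0;
}

// Strict check: the whole string must be digits, and the caller receives an
// int (or null), never the raw request string.
function strictArticleId(string $raw): ?int
{
    // \A and \z rather than ^ and $, so a trailing newline cannot slip past.
    if (!preg_match('/\A[0-9]{1,10}\z/', $raw)) {
        return null;
    }
    return (int) $raw;
}

// Parameterised lookup: both ids are bound as integers, not interpolated.
function fetchArticleSlug(PDO $db, int $articleId, int $blogId): ?string
{
    $stmt = $db->prepare(
        'SELECT slug FROM articles WHERE id = :id AND blog_id = :blog AND status = 1'
    );
    $stmt->bindValue(':id', $articleId, PDO::PARAM_INT);
    $stmt->bindValue(':blog', $blogId, PDO::PARAM_INT);
    $stmt->execute();
    $slug = $stmt->fetchColumn();
    return $slug === false ? null : $slug;
}

// In-memory SQLite stands in for MySQL; one constructed article row.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE articles (id INTEGER, blog_id INTEGER, status INTEGER, slug TEXT)');
$db->exec("INSERT INTO articles VALUES (42, 1, 1, 'hello-world')");

var_dump(looseArticleIdOk(PAYLOAD));     // weak check applied to the payload
var_dump(strictArticleId(PAYLOAD));      // strict check applied to the payload
var_dump(strictArticleId('42'));         // strict check applied to a real id
var_dump(fetchArticleSlug($db, 42, 1));  // bound-parameter lookup of that id
```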


