[pLog-svn] Fwd: LifeType <= 1.0.4 'articleId' SQL injection
Mark Wu
markplace at gmail.com
Mon Jun 5 05:25:32 GMT 2006
Hi Oscar:
Just see this.
So, the new validation rules work, so we don't need to revert to the old one,
right?
I am a little bit confused.
Mark
> -----Original Message-----
> From: plog-svn-bounces at devel.lifetype.net
> [mailto:plog-svn-bounces at devel.lifetype.net] On Behalf Of
> Oscar Renalias
> Sent: Sunday, June 04, 2006 5:30 PM
> To: plog-svn at devel.lifetype.net
> Subject: Re: [pLog-svn] Fwd: LifeType <= 1.0.4 'articleId'
> SQL injection
>
> Yes, my mistake. The old integer validation class was working fine.
> What happened is that I got confused with all the action
> classes returning true in validate() as you just said. I will
> revert to the old class and try again. If everything is ok, I
> will release this today most likely.
>
> On 4 Jun 2006, at 03:39, Jon Daley wrote:
>
> > Hrm -- old email sitting in my "postponed" folder, I forget if I
> > already said this stuff.
> >
> > Yes, I agree on all of your points, though I hadn't seen that the
> > IntegerValidator wasn't working, but I was just looking at the
> > "validate" functions that always return true...
> > And, yes, it would be nice to have a release before everyone starts
> > talking about it.
> >
> > On Sun, 4 Jun 2006, Oscar Renalias wrote:
> >> I am currently working on it, and yes, there are plenty more like
> >> this (even though some of them are more convoluted, but perfectly
> >> possible given some time). For whatever reason, there is no validation
> >> whatsoever in any of our xxxAction classes. And to add insult to
> >> injury, our current IntegerValidator class doesn't work in this kind
> >> of situation, so I had to fix that one too.
> >>
> >> The password doesn't only appear in the logs, but also in the HTML
> >> code. When I tried in my 1.0.5 instance, I could see the password
> >> hovering over the permalink (as if it was part of the link)
> >>
> >> Besides, being able to get SELECT queries through probably means that
> >> UPDATE and INSERT queries are also possible.
> >>
> >> I will check in my changes shortly. If everything looks good, let's
> >> release 1.0.5 during tomorrow as I believe that this needs a release
> >> asap before this gets to all security sites and channels.
> >>
> >> On 4 Jun 2006, at 01:41, Jon Daley wrote:
> >>
> >>> Ah, I turned on logging (turns out the slow logging isn't too bad
> >>> for my site, so I don't mind turning it on now)
> >>> 152800 Query SELECT a.id, a.date, a.user_id, a.blog_id, a.status, a.properties,
> >>> a.num_reads, a.slug FROM articles a WHERE a.id = 9999/**/UNION/**/SELECT/**/password,1,1,1,1,1,1,1/**/FROM/**/users/**/WHERE/**/id=1/*
> >>> AND a.blog_id = 1 AND a.status = 1
> >>> I will probably fix this shortly.
> >>> On Sat, 3 Jun 2006, Jon Daley wrote:
> >>>
> >>>> It doesn't work on my 1.0.4 install either, only partially. It
> >>>> does get the (presumably, I didn't check) admin password
> >>>> (hashed) into the sql_error.log, which isn't a security risk in
> >>>> itself, but obviously, being able to change the SQL
> queries is bad.
> >>>> I don't see what the /**/ stuff is doing. Surely the
> articleId is
> >>>> validated to be an integer, so where is all that sql getting
> >>>> assigned to?
> >>>> On Sun, 4 Jun 2006, Oscar Renalias wrote:
> >>>>> I couldn't get the linked script to work, but this is the
> >>>>> interesting part of it:
> >>>>> http://www.yourhost.com/lifetype-1.0.4/index.php?op=ViewArticle&blogId=1&articleId=9999/**/UNION/**/SELECT/**/password,1,1,1,1,1,1,1/**/FROM/**/lt_users/**/WHERE/**/id=1/*
> >>>>> Clever.
> >>>>> On 4 Jun 2006, at 00:43, Oscar Renalias wrote:
> >>>>>> Whoops. Our first serious SQL injection issue!
> >>>>>> Begin forwarded message:
> >>>>>>> From: "rgod" <zerokool_556 at hotmail.com>
> >>>>>>> Date: 4 June 2006 00:30:31 GMT+03:00
> >>>>>>> To: <contact at lifetype.net>
> >>>>>>> Subject: LifeType <= 1.0.4 'articleId' SQL injection
> >>>>>>> http://retrogod.altervista.org/lifetype_104_sql.html
> >>>>>>> rgod
> >>>>>> _______________________________________________
> >>>>>> pLog-svn mailing list
> >>>>>> pLog-svn at devel.lifetype.net
> >>>>>> http://devel.lifetype.net/mailman/listinfo/plog-svn
> >>>> **************************************
> >>>> Jon Daley
> >>>> http://jon.limedaley.com/
> >>>> With memory prices this low, who needs to deallocate memory?
> >>> **************************************
> >>> Jon Daley
> >>> http://jon.limedaley.com/
> >>> Music has the uncanny ability to burrow its way into our spiritual
> >>> bones.
> >>> -- John Witvliet
> >>
> >
> > **************************************
> > Jon Daley
> > http://jon.limedaley.com/
> >
> > It is not an optical illusion, it just looks like one.
> > -- Phil White
> >
>
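The following is an added worked example, not code from this thread or from LifeType itself. It reproduces the mechanism the thread discusses: the `articleId` request parameter is spliced straight into the `SELECT ... FROM articles a WHERE a.id = ...` query quoted from the log, so the `/**/UNION/**/SELECT` payload turns the article lookup into a read of `users.password`. It then shows the kind of fix the thread settles on, an integer validator that rejects the whole value plus bound parameters. Assumptions: an in-memory SQLite database stands in for MySQL, the `articles` and `users` tables, their rows and the placeholder password are constructed for the demo and are not LifeType's real schema, and `IntegerValidator`, `vulnerable_view_article`, `safe_view_article` and `run_demo` are illustrative names, not the project's classes.

```python
import re
import sqlite3

# Article id taken from the request URL in the thread: every space is written as
# an empty /**/ comment, and the trailing /* comments out the rest of the query.
INJECTED_ARTICLE_ID = (
    "9999/**/UNION/**/SELECT/**/password,1,1,1,1,1,1,1"
    "/**/FROM/**/users/**/WHERE/**/id=1/*"
)

# Query shape quoted from the MySQL log in the thread; the two ids come from the
# request.  It selects eight columns, which is why the payload pads with seven 1s.
ARTICLE_SQL = (
    "SELECT a.id, a.date, a.user_id, a.blog_id, a.status, a.properties, "
    "a.num_reads, a.slug FROM articles a WHERE a.id = {article_id} "
    "AND a.blog_id = {blog_id} AND a.status = 1"
)


def make_db():
    """In-memory SQLite stand-in for the blog database.  Schema, rows and the
    password value are constructed for this demo, not LifeType's real tables."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        """
        CREATE TABLE articles (id INTEGER, date TEXT, user_id INTEGER, blog_id INTEGER,
                               status INTEGER, properties TEXT, num_reads INTEGER, slug TEXT);
        CREATE TABLE users (id INTEGER, username TEXT, password TEXT);
        INSERT INTO articles VALUES (1, '2006-06-04', 1, 1, 1, '', 0, 'hello-world');
        INSERT INTO users VALUES (1, 'admin', 'hashed-admin-password');
        """
    )
    return db


def vulnerable_view_article(db, article_id, blog_id):
    """Interpolates the raw request parameters into the SQL, as the thread
    describes the 1.0.4 action doing.  Returns the SQL sent and the rows back."""
    sql = ARTICLE_SQL.format(article_id=article_id, blog_id=blog_id)
    return sql, db.execute(sql).fetchall()


class IntegerValidator:
    """Whole-value check: only an unsigned decimal integer passes.  fullmatch is
    used instead of a ^...$ regex because $ would still accept a trailing newline."""

    _DIGITS = re.compile(r"[0-9]+")

    def validate(self, value):
        return isinstance(value, str) and self._DIGITS.fullmatch(value) is not None


def safe_view_article(db, article_id, blog_id):
    """Rejects non-integer ids before any SQL is built, then binds the values as
    parameters so the database never parses request text as SQL."""
    validator = IntegerValidator()
    if not (validator.validate(article_id) and validator.validate(blog_id)):
        raise ValueError("articleId and blogId must be unsigned integers")
    sql = (
        "SELECT a.id, a.date, a.user_id, a.blog_id, a.status, a.properties, "
        "a.num_reads, a.slug FROM articles a WHERE a.id = ? "
        "AND a.blog_id = ? AND a.status = 1"
    )
    return db.execute(sql, (int(article_id), int(blog_id))).fetchall()


def run_demo():
    """Runs the payload through both code paths and reports what each returned."""
    db = make_db()
    vuln_sql, leaked_rows = vulnerable_view_article(db, INJECTED_ARTICLE_ID, "1")
    try:
        safe_view_article(db, INJECTED_ARTICLE_ID, "1")
        payload_rejected = False
    except ValueError:
        payload_rejected = True
    return {
        "vulnerable_sql": vuln_sql,
        "leaked_rows": leaked_rows,  # users.password sits where a.id should be
        "normal_rows": safe_view_article(db, "1", "1"),
        "payload_rejected": payload_rejected,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The `/**/` tokens answer Jon's question: the SQL parser treats a block comment as whitespace, so the parameter carries the whole `UNION SELECT` without containing a single literal space, and the unterminated `/*` at the end swallows the `AND a.blog_id = ... AND a.status = 1` conditions that would otherwise have to be satisfied. Because `password` is the first column of the injected `SELECT`, it lands in the `a.id` position of the result, which is consistent with the thread's observation of the hash showing up inside the permalink. Whether this exact payload executes depends on how the target database handles an unterminated comment; the fix does not depend on that, since a value that is not all digits never reaches the database at all.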