[pLog-svn] Fwd: LifeType <= 1.0.4 'articleId' SQL injection

Mark Wu markplace at gmail.com
Mon Jun 5 05:25:32 GMT 2006


Hi Oscar:

Just see this.

So, the new validation rules work, so we don't need to revert to the old one,
right?

I am a little bit confused.

Mark 

> -----Original Message-----
> From: plog-svn-bounces at devel.lifetype.net 
> [mailto:plog-svn-bounces at devel.lifetype.net] On Behalf Of 
> Oscar Renalias
> Sent: Sunday, June 04, 2006 5:30 PM
> To: plog-svn at devel.lifetype.net
> Subject: Re: [pLog-svn] Fwd: LifeType <= 1.0.4 'articleId' 
> SQL injection
> 
> Yes, my mistake. The old integer validation class was working fine.  
> What happened is that I got confused with all the action 
> classes returning true in validate() as you just said. I will 
> revert to the old class and try again. If everything is ok, I 
> will release this today most likely.
> 
> On 4 Jun 2006, at 03:39, Jon Daley wrote:
> 
> > 	Hrm -- old email sitting in my "postponed" folder, I forget if I
> > already said this stuff.
> >
> > 	Yes, I agree on all of your points, though I hadn't seen that the
> > IntegerValidator wasn't working, but I was just looking at the
> > "validate" functions that always return true...
> > 	And, yes, it would be nice to have a release before everyone starts
> > talking about it.
> >
> > On Sun, 4 Jun 2006, Oscar Renalias wrote:
> >> I am currently working on it, and yes, there are plenty more like
> >> this (even though some of them are more convoluted, but perfectly
> >> possible given some time). For whatever reason, there is no validation
> >> whatsoever in any of our xxxAction classes. And to add insult to
> >> injury, our current IntegerValidator class doesn't work in this kind
> >> of situation, so I had to fix that one too.
> >>
> >> The password doesn't only appear in the logs, but also in the HTML 
> >> code. When I tried in my 1.0.5 instance, I could see the password 
> >> hovering over the permalink (as if it was part of the link)
> >>
> >> Besides, being able to get SELECT queries through probably means that
> >> UPDATE and INSERT queries are also possible.
> >>
> >> I will check in my changes shortly. If everything looks good, let's
> >> release 1.0.5 during tomorrow as I believe that this needs a release
> >> asap before this gets to all security sites and channels.
> >>
> >> On 4 Jun 2006, at 01:41, Jon Daley wrote:
> >>
> >>> Ah, I turned on logging (turns out the slow logging isn't too bad 
> >>> for my site, so I don't mind turning it on now)
> >>> 152800 Query       SELECT a.id, a.date, a.user_id,a.blog_id,a.status,a.properties,
> >>> a.num_reads, a.slug FROM articles a WHERE a.id = 9999/**/UNION/**/SELECT/**/password,1,1,1,1,1,1,1/**/FROM/**/users/**/WHERE/**/id=1/*
> >>> AND a.blog_id = 1 AND a.status = 1
> >>> I will probably fix this shortly.
> >>> On Sat, 3 Jun 2006, Jon Daley wrote:
> >>>
> >>>> 	It doesn't work on my 1.0.4 install either, only partially.  It
> >>>> does get the (presumably, I didn't check) admin password
> >>>> (hashed) into the sql_error.log, which isn't a security risk in
> >>>> itself, but obviously, being able to change the SQL queries is bad.
> >>>> I don't see what the /**/ stuff is doing.  Surely the articleId is
> >>>> validated to be an integer, so where is all that sql getting
> >>>> assigned to?
> >>>> On Sun, 4 Jun 2006, Oscar Renalias wrote:
> >>>>> I couldn't get the linked script to work, but this is the 
> >>>>> interesting part of it:
> >>>>> http://www.yourhost.com/lifetype-1.0.4/index.php?op=ViewArticle&blogId=1&articleId=9999/**/UNION/**/SELECT/**/password,1,1,1,1,1,1,1/**/FROM/**/lt_users/**/WHERE/**/id=1/*
> >>>>> Clever.
> >>>>> On 4 Jun 2006, at 00:43, Oscar Renalias wrote:
> >>>>>> Whoops. Our first serious SQL injection issue!
> >>>>>> Begin forwarded message:
> >>>>>>> From: "rgod" <zerokool_556 at hotmail.com>
> >>>>>>> Date: 4 June 2006 00:30:31 GMT+03:00
> >>>>>>> To: <contact at lifetype.net>
> >>>>>>> Subject: LifeType <= 1.0.4 'articleId' SQL injection 
> >>>>>>> http://retrogod.altervista.org/lifetype_104_sql.html
> >>>>>>> rgod
> >>>>>> _______________________________________________
> >>>>>> pLog-svn mailing list
> >>>>>> pLog-svn at devel.lifetype.net
> >>>>>> http://devel.lifetype.net/mailman/listinfo/plog-svn
> >
> >
> 
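The two failure modes the thread describes (a validate() that returns true unconditionally, and an integer check that lets "9999/**/UNION..." through because only the leading digits are examined) next to a strict check and a bound-parameter query, as an added PHP example that is not LifeType's own code; every function name below is hypothetical, and the inputs are constructed.

```php
<?php
// Added example, not LifeType's code. Function names are hypothetical.

// The pattern the thread complains about: every input is "valid".
function validateAlwaysTrue(string $value): bool
{
    return true;
}

// A lax integer check: (int)"9999/**/UNION/**/SELECT..." is 9999 in PHP,
// so a cast-and-compare check passes the payload as if it were an id.
function validateLaxInteger(string $value): bool
{
    return (int)$value > 0;
}

// Strict check: the whole string must be a decimal integer, nothing else.
function validateStrictInteger(string $value): bool
{
    return filter_var($value, FILTER_VALIDATE_INT) !== false;
}

// Even a validated id only reaches SQL through a bound parameter, so the
// query text itself never contains request data (constructed table/columns).
function fetchArticle(PDO $db, string $articleId, int $blogId): ?array
{
    if (!validateStrictInteger($articleId)) {
        return null;                     // reject instead of querying
    }
    $stmt = $db->prepare(
        'SELECT id, date, user_id, blog_id, status FROM articles '
        . 'WHERE id = :id AND blog_id = :blog AND status = 1'
    );
    $stmt->bindValue(':id', (int)$articleId, PDO::PARAM_INT);
    $stmt->bindValue(':blog', $blogId, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed inputs: a normal id and the comment-separated shape quoted
// in the thread. Only the strict validator rejects the second one.
$inputs = ['42', '9999/**/UNION/**/SELECT/**/1'];
foreach ($inputs as $in) {
    printf("%-28s alwaysTrue=%d lax=%d strict=%d\n", $in,
        validateAlwaysTrue($in), validateLaxInteger($in), validateStrictInteger($in));
}
```

Against an in-memory SQLite PDO connection with an `articles` table, `fetchArticle($db, '9999/**/UNION/**/SELECT/**/1', 1)` returns null without ever preparing a statement.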


