[pLog-svn] Fwd: LifeType <= 1.0.4 'articleId' SQL injection

Oscar Renalias oscar at renalias.net
Mon Jun 5 06:25:01 GMT 2006


No, the old one didn't work at all. I've left the new one that I think
is good enough.

If somebody wants to dig a bit deeper into why the old regexp for
validating integers didn't work, go ahead.

On 6/5/06, Mark Wu <markplace at gmail.com> wrote:
> Hi Oscar:
>
> Just see this.
>
> So, the new validation rules work, we don't need to revert to the old one,
> right?
>
> I am a little bit confused.
>
> Mark
>
> > -----Original Message-----
> > From: plog-svn-bounces at devel.lifetype.net
> > [mailto:plog-svn-bounces at devel.lifetype.net] On Behalf Of
> > Oscar Renalias
> > Sent: Sunday, June 04, 2006 5:30 PM
> > To: plog-svn at devel.lifetype.net
> > Subject: Re: [pLog-svn] Fwd: LifeType <= 1.0.4 'articleId'
> > SQL injection
> >
> > Yes, my mistake. The old integer validation class was working fine.
> > What happened is that I got confused with all the action
> > classes returning true in validate() as you just said. I will
> > revert to the old class and try again. If everything is ok, I
> > will release this today most likely.
> >
> > On 4 Jun 2006, at 03:39, Jon Daley wrote:
> >
> > >     Hrm -- old email sitting in my "postponed" folder, I forget if I
> > > already said this stuff.
> > >
> > >     Yes, I agree on all of your points, though I hadn't seen that the
> > > IntegerValidator wasn't working, but I was just looking at the
> > > "validate" functions that always return true...
> > >     And, yes, it would be nice to have a release before everyone starts
> > > talking about it.
> > >
> > > On Sun, 4 Jun 2006, Oscar Renalias wrote:
> > >> I am currently working on it, and yes, there are plenty more like
> > >> this (even though some of them are more convoluted, but perfectly
> > >> possible given some time). For whatever reason, there is no validation
> > >> whatsoever in any of our xxxAction classes. And to add insult to
> > >> injury, our current IntegerValidator class doesn't work in this kind
> > >> of situation, so I had to fix that one too.
> > >>
> > >> The password doesn't only appear in the logs, but also in the HTML
> > >> code. When I tried in my 1.0.5 instance, I could see the password
> > >> hovering over the permalink (as if it was part of the link)
> > >>
> > >> Besides, being able to get SELECT queries through probably means that
> > >> UPDATE and INSERT queries are also possible.
> > >>
> > >> I will check in my changes shortly. If everything looks good, let's
> > >> release 1.0.5 during tomorrow as I believe that this needs a release
> > >> asap before this gets to all security sites and channels.
> > >>
> > >> On 4 Jun 2006, at 01:41, Jon Daley wrote:
> > >>
> > >>> Ah, I turned on logging (turns out the slow logging isn't too bad
> > >>> for my site, so I don't mind turning it on now)
> > >>>
> > >>> 152800 Query       SELECT a.id, a.date, a.user_id,a.blog_id,a.status,a.properties, a.num_reads, a.slug FROM articles a WHERE a.id = 9999/**/UNION/**/SELECT/**/password,1,1,1,1,1,1,1/**/FROM/**/users/**/WHERE/**/id=1/* AND a.blog_id = 1 AND a.status = 1
> > >>>
> > >>> I will probably fix this shortly.
> > >>> On Sat, 3 Jun 2006, Jon Daley wrote:
> > >>>
> > >>>>  It doesn't work on my 1.0.4 install either, only partially.  It
> > >>>> does get the (presumably, I didn't check) admin password
> > >>>> (hashed) into the sql_error.log, which isn't a security risk in
> > >>>> itself, but obviously, being able to change the SQL queries is bad.
> > >>>> I don't see what the /**/ stuff is doing.  Surely the articleId is
> > >>>> validated to be an integer, so where is all that sql getting
> > >>>> assigned to?
> > >>>> On Sun, 4 Jun 2006, Oscar Renalias wrote:
> > >>>>> I couldn't get the linked script to work, but this is the
> > >>>>> interesting part of it:
> > >>>>> http://www.yourhost.com/lifetype-1.0.4/index.php?
> > >>>>> op=ViewArticle&blogId=1&articleId=9999/**/UNION/**/SELECT/**/
> > >>>>> password,1,1,1,1,1,1,1/**/FROM/**/lt_users/**/WHERE/**/id=1/*
> > >>>>> Clever.
> > >>>>> On 4 Jun 2006, at 00:43, Oscar Renalias wrote:
> > >>>>>> Whoops. Our first serious SQL injection issue!
> > >>>>>> Begin forwarded message:
> > >>>>>>> From: "rgod" <zerokool_556 at hotmail.com>
> > >>>>>>> Date: 4 June 2006 00:30:31 GMT+03:00
> > >>>>>>> To: <contact at lifetype.net>
> > >>>>>>> Subject: LifeType <= 1.0.4 'articleId' SQL injection
> > >>>>>>> http://retrogod.altervista.org/lifetype_104_sql.html
> > >>>>>>> rgod
> > >>>>>> _______________________________________________
> > >>>>>> pLog-svn mailing list
> > >>>>>> pLog-svn at devel.lifetype.net
> > >>>>>> http://devel.lifetype.net/mailman/listinfo/plog-svn
> > >>>> **************************************
> > >>>> Jon Daley
> > >>>> http://jon.limedaley.com/
> > >>>> With memory prices this low, who needs to deallocate memory?
> > >>> **************************************
> > >>> Jon Daley
> > >>> http://jon.limedaley.com/
> > >>> Music has the uncanny ability to burrow its way into our
> > spiritual
> > >>> bones.
> > >>> -- John Witvliet
> > >>
> > >
> > > **************************************
> > > Jon Daley
> > > http://jon.limedaley.com/
> > >
> > > It is not an optical illusion, it just looks like one.
> > > -- Phil White
> > >
> >
>
>
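The thread turns on two defences that both failed here: an integer validator whose regexp did not actually reject non-numeric input, and a query built by string concatenation. The PHP below is an added example, not LifeType's IntegerValidator or its data layer, that puts the two side by side: a loose, unanchored regexp (assumed to resemble the broken behaviour discussed above; the real class is not on this page) that lets the thread's payload through, a strict one that rejects it, and a parameterised version of the query from Jon's log so that even a value that slipped past validation could not change the statement. The `articles` table, its rows and the sample inputs are constructed for the demo on an in-memory SQLite database.

```php
<?php
// Loose check: no anchors, so any string that merely contains a run of
// digits "validates". This is the failure mode, not something to copy.
function looseIsInteger(string $value): bool
{
    return preg_match('/[0-9]+/', $value) === 1;
}

// Strict check: the whole string must be an optionally signed run of digits.
// \A and \z are used instead of ^ and $ because $ still accepts a trailing
// newline in PCRE.
function strictIsInteger(string $value): bool
{
    return preg_match('/\A-?[0-9]+\z/', $value) === 1;
}

// Validate first, then cast. Anything that is not a clean integer becomes
// null and never reaches the query.
function articleIdOrNull(string $raw): ?int
{
    return strictIsInteger($raw) ? (int) $raw : null;
}

// The query from the thread's log, with the two user-controlled values bound
// as integer parameters instead of concatenated into the SQL text.
function fetchArticle(PDO $db, int $blogId, int $articleId): ?array
{
    $stmt = $db->prepare(
        'SELECT a.id, a.date, a.user_id, a.blog_id, a.status, a.properties,'
        . ' a.num_reads, a.slug FROM articles a'
        . ' WHERE a.id = :id AND a.blog_id = :blog AND a.status = 1'
    );
    $stmt->bindValue(':id', $articleId, PDO::PARAM_INT);
    $stmt->bindValue(':blog', $blogId, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed schema and data, only for this demo.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE articles (id INTEGER, date TEXT, user_id INTEGER,'
    . ' blog_id INTEGER, status INTEGER, properties TEXT,'
    . ' num_reads INTEGER, slug TEXT)');
$db->exec("INSERT INTO articles VALUES (9999, '2006-06-04', 1, 1, 1, '', 0, 'hello')");

// Constructed inputs: a normal id, the payload quoted in the thread, and a
// few edge cases a loose check tends to accept.
$samples = [
    '9999',
    '9999/**/UNION/**/SELECT/**/password,1,1,1,1,1,1,1/**/FROM/**/lt_users/**/WHERE/**/id=1/*',
    "9999\n",
    ' 42 ',
    '-7',
    'abc',
];

foreach ($samples as $raw) {
    printf("%-24s loose=%-6s strict=%-6s ",
        json_encode($raw),
        looseIsInteger($raw) ? 'pass' : 'reject',
        strictIsInteger($raw) ? 'pass' : 'reject');
    $id = articleIdOrNull($raw);
    if ($id === null) {
        echo "-> not queried\n";
        continue;
    }
    $row = fetchArticle($db, 1, $id);
    echo '-> id=', $id, ' ', $row === null ? 'no row' : 'slug=' . $row['slug'], "\n";
}
```

Run it with `php validator_demo.php`. The payload line passes the loose check and is rejected by the strict one; `"9999\n"` and `' 42 '` show why anchoring with `\A`/`\z` and refusing surrounding whitespace matters, and `-7` is accepted as a well-formed integer and simply finds no row. Binding with `PDO::PARAM_INT` is the second layer: the literal text of the statement is fixed at `prepare()` time, so the value cannot add a `UNION` however it is spelled.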

