[pLog-svn] [Lifetype] Multiple SQL Injections in Admin Posts List interfaces & a XSS vuln

Jon Daley plogworld at jon.limedaley.com
Wed Aug 29 19:57:47 EDT 2007


Oscar - did you already go through and fix all of this stuff?  I
am just now catching up with old mailing list emails.

On Mon, 16 Jul 2007, Matt Wood wrote:

> Firstly,
>
> I would like to thank Oscar and the other devs for putting lots of hard work
> into the development of this project. By posting this information I am not
> trying to deride or attack Lifetype/pLog at all, I use this software plenty,
> and have been around for a while. So guys don't take this the wrong way...
> I'm just trying to use my expertise to contribute and point out what I see;
> hopefully making this a better software platform.
>
> And part II commences...
>
> Any (admin especially) action that relies solely on the ArrayValidator does
> not actually have any validation occur. Assuming the data is valid just because
> it parses into an array is not sufficient; it is just as easy to attack with
> an array of values.
>
> With this you can arbitrarily insert sql into something when deleting post
> IDs [for example]. This can lead to the destruction of tables since at least
> mysql allows multiple delete commands. If the user has delete permission on
> anything in the database, he/she can effectively delete anything at all.
>
> Again this only matters if you have untrusted users.
>
> -Matt
>
> On 7/16/07, Matt Wood <matt at woodzy.com> wrote:
>> 
>> I was playing with the new ajax "build" earlier today and the new pretty
>> YUI components and found a couple problems with stuff unrelated & related to
>> the ajax stuff [which I noticed that most inputs were verified by oscar :),
>> from those plog-svn change-sets].
>> 
>> I've verified these attacks work but truthfully the only important cases
>> exist when you allow public registration for a blog through the lifetype
>> core (or have an untrusted user base), since in order to exploit these
>> vulnerabilities you must have a valid session.
>> 
>> There are many parameters passed into AdminPostsListView from
>> AdminEditPostsAction.class.php which are not validated and lead to SQL
>> injection attacks (recovering the admin's md5 password hash for example).
>> 
>> In the performAjax() and perform() methods
>> ---
>> lifetype-1.3-ajax/class/action/admin/admineditpostsaction.class.php:
>>
>>                   "showMonth" => $this->_request->getValue( "showMonth" ),
>> 
>> ---
>> which is passed into the following, again unverified...
>> ---
>> lifetype-1.3-ajax/class/view/admin/adminpostslistview.class.php:
>>
>>         $this->_showMonth = $this->_getParameter( $params, "showMonth", $this->_locale->formatDate( new Timestamp(), "%Y%m" ));
>> ---
>> This leads to SQL injection on almost all of the variables here... You can
>> easily verify this by checking the mysql logs and by looking at the query
>> string before it's sent to the database. Since this injection is in the WHERE
>> clause, many bad things can occur. The most pervasive of which are
>> blind SQL attacks on the password hashes.
>> 
>> 
>> These parameters are also echoed onto the web page unfiltered...
>> ---
>> lifetype-1.3-ajax/class/view/admin/adminpostslistview.class.php:
>>
>>         $pager = new Pager( "?op=editPosts&amp;showMonth={$this->_showMonth}&amp;showStatus={$this->_showStatus}&amp;showCategory={$this->_showCategory}&amp;showUser={$this->_showUser}&amp;searchTerms={$this->_searchTerms}&amp;showLocation={$this->_locationId}&amp;page="
>> ---
>> leading to XSS with some clever parameters that require the pager to
>> actually display links.
>> 
>> 
>> On the severity...
>> The XSS vuln is not really that important... but even with a semi-trusted
>> userbase the SQL injections could lead to the admin having his password
>> discovered.
>> 
>> 
>> -Matt
>> 
>

-- 
Jon Daley
http://jon.limedaley.com/

There is nothing so annoying as to have two
people talking when you're busy interrupting.
-- Mark Twain
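The three fixes the thread asks for, as an added illustration (not LifeType's own code): an allowlist check on `showMonth`, per-element validation of the post ID array rather than trusting the ArrayValidator, and bound parameters plus output encoding for the pager URL. The `posts` table, its `blog_id` and `id` columns, and the function names are assumptions, and the database handle is a standard PDO connection.

```php
<?php
// Added example, not LifeType code. Table and column names are assumptions.

// 1. showMonth: the query only ever needs a YYYYMM value, so accept exactly
//    that and fall back to the current month for anything else.
function sanitizeShowMonth($raw): string
{
    if (is_string($raw) && preg_match('/^\d{4}(0[1-9]|1[0-2])$/', $raw)) {
        return $raw;
    }
    return date('Ym');
}

// 2. Post IDs to delete: "it is an array" is not validation. Keep only
//    positive integers, dropping anything else the client sent.
function sanitizePostIds($raw): array
{
    if (!is_array($raw)) {
        return [];
    }
    $ids = [];
    foreach ($raw as $v) {
        if (is_scalar($v) && ctype_digit((string) $v) && (int) $v > 0) {
            $ids[] = (int) $v;
        }
    }
    return array_values(array_unique($ids));
}

// Bind the values instead of interpolating them into the WHERE clause, and
// scope the delete to the caller's blog so one user cannot touch another's posts.
function deletePosts(PDO $db, int $blogId, array $ids): int
{
    if ($ids === []) {
        return 0;
    }
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $db->prepare("DELETE FROM posts WHERE blog_id = ? AND id IN ($placeholders)");
    $stmt->execute(array_merge([$blogId], $ids));
    return $stmt->rowCount();
}

// 3. Pager URL: URL-encode each parameter, then HTML-encode the result before
//    it is echoed into the page, so no value can break out of the href.
function pagerBaseUrl(array $params): string
{
    $query = http_build_query($params);
    return '?op=editPosts&amp;' . htmlspecialchars($query, ENT_QUOTES, 'UTF-8') . '&amp;page=';
}
```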

