[pLog-svn] [Lifetype] Multiple SQL Injections in Admin Posts List interfaces & a XSS vuln

Oscar Renalias oscar at renalias.net
Thu Aug 30 02:33:29 EDT 2007


I think that I fixed most of it, but I will check again.

Oscar

On 8/30/07, Jon Daley <plogworld at jon.limedaley.com> wrote:
>         Oscar - did you already go through and fix all of this stuff?  I
> am just now catching up with old mailing list emails.
>
> On Mon, 16 Jul 2007, Matt Wood wrote:
>
> > Firstly,
> >
> > I would like to thank Oscar and the other devs for putting lots of hard work
> > into the development of this project. By posting this information I am not
> > trying to deride or attack Lifetype/pLog at all, I use this software plenty,
> > and have been around for a while. So guys don't take this the wrong way...
> > I'm just trying to use my expertise to contribute and point out what I see;
> > hopefully making this a better software platform.
> >
> > And part II commences...
> >
> > Any (admin especially) action that relies solely on the ArrayValidator does
> > not actually have any validation occur. Assuming that the data passed in is
> > safe because it parses into an array is not sufficient; it is just as easy
> > to attack with an array of values.
> >
> > With this you can arbitrarily insert sql into something when deleting post
> > IDs [for example]. This can lead to the destruction of tables since at least
> > mysql allows multiple delete commands. If the user has delete permission on
> > anything in the database, he/she can effectively delete anything at all.
> >
> > Again this only matters if you have untrusted users.
> >
> > -Matt
> >
> > On 7/16/07, Matt Wood <matt at woodzy.com> wrote:
> >>
> >> I was playing with the new ajax "build" earlier today and the new pretty
> >> YUI components and found a couple problems with stuff unrelated & related
> >> to
> >> the ajax stuff [which I noticed that most inputs were verified by oscar :),
> >> from those plog-svn change-sets].
> >>
> >> I've verified these attacks work but truthfully the only important cases
> >> exist when you allow public registration for a blog through the lifetype
> >> core (or have an untrusted user base), since in order to exploit these
> >> vulnerabilities you must have a valid session.
> >>
> >> There are many parameters passed into AdminPostsListView from
> >> AdminEditPostsAction.class.php which are not validated and lead to SQL
> >> injection attacks (recovering the admin's md5 password hash for example).
> >>
> >> in the performAjax() and perform() methods
> >> ---
> >> lifetype-1.3-ajax/class/action/admin/admineditpostsaction.class.php:
> >>
> >>                   "showMonth" => $this->_request->getValue( "showMonth" ),
> >>
> >> ---
> >> which is passed into the following, again unverified...
> >> ---
> >> lifetype-1.3-ajax/class/view/admin/adminpostslistview.class.php:
> >> $this->_showMonth = $this->_getParameter( $params, "showMonth",
> >>     $this->_locale->formatDate( new Timestamp(), "%Y%m" ));
> >> ---
> >> This leads to sql injection on almost all of the variables here... You can
> >> easily verify this by checking the mysql logs and by looking at the query
> >> string before it's sent to the database. Since this injection is in the
> >> WHERE clause, many bad things can occur. The most pervasive of which are
> >> blind SQL attacks on the password hashes.
> >>
> >>
> >> These parameters are also echoed onto the web page unfiltered...
> >> ---
> >> lifetype-1.3-ajax/class/view/admin/adminpostslistview.class.php:
> >>
> >>         $pager = new Pager(
> >> "?op=editPosts&amp;showMonth={$this->_showMonth}&amp;showStatus={$this->_showStatus}&amp;showCategory={$this->_showCategory}&amp;showUser={$this->_showUser}&amp;searchTerms={$this->_searchTerms}&amp;showLocation={$this->_locationId}&amp;page="
> >> ---
> >> leading to XSS with some clever parameters that require the pager to
> >> actually display links.
> >>
> >>
> >> On the severity...
> >> The XSS vuln is not really that important... but even with a semi-trusted
> >> userbase the sql injections could lead to the admin having his password
> >> discovered.
> >>
> >>
> >> -Matt
> >>
> >
>
> --
> Jon Daley
> http://jon.limedaley.com/
>
> There is nothing so annoying as to have two
> people talking when you're busy interrupting.
> -- Mark Twain
> _______________________________________________
> pLog-svn mailing list
> pLog-svn at devel.lifetype.net
> http://limedaley.com/mailman/listinfo/plog-svn
>
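Added example (not LifeType/pLog code, nor anything from the thread's authors) showing the checks that Matt's two messages describe as missing: per-element validation of the post ID array (being an array is not enough, which is the ArrayValidator point), whitelisting of the showMonth/showStatus-style parameters that flow from AdminEditPostsAction into AdminPostsListView, a DELETE that uses bound parameters instead of splicing values into the SQL text, and URL- plus HTML-encoding of the values before they are echoed into the Pager base URL. All function names, the `posts` table, the request keys and the sample request are hypothetical, constructed for this example; the DELETE demo assumes PDO with the sqlite driver is available.

```php
<?php
// Added example, not LifeType/pLog code. Every name here is hypothetical.

/** Every element must be a positive integer; otherwise the whole list is rejected. */
function validatePostIds($value)
{
    if (!is_array($value) || count($value) === 0) {
        return null;
    }
    $ids = array();
    foreach ($value as $item) {
        if (!is_string($item) && !is_int($item)) {
            return null;                       // nested arrays, objects, null
        }
        $s = (string) $item;                   // ctype_digit expects a string
        if (!ctype_digit($s) || (int) $s < 1) {
            return null;                       // non-digits, "0", "-3", "1.0", ""
        }
        $ids[] = (int) $s;
    }
    return $ids;
}

/** showMonth is a "%Y%m" value: exactly four digits plus a month 01..12. */
function validateShowMonth($value, $default)
{
    if (is_string($value) && preg_match('/^\d{4}(0[1-9]|1[0-2])$/', $value)) {
        return $value;
    }
    return $default;
}

/** showStatus, showCategory, showUser, showLocation are integer IDs or codes. */
function validateIntParam($value, $default)
{
    $n = filter_var($value, FILTER_VALIDATE_INT);
    return $n === false ? $default : $n;
}

/** DELETE with one placeholder per ID so no value ever reaches the SQL text. */
function deletePosts(PDO $db, $blogId, array $ids)
{
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $db->prepare("DELETE FROM posts WHERE blog_id = ? AND id IN ($placeholders)");
    $stmt->execute(array_merge(array($blogId), $ids));
    return $stmt->rowCount();
}

/** Pager base URL: URL-encode each value, then HTML-encode for the href attribute. */
function buildPagerUrl(array $params)
{
    $query = http_build_query(array('op' => 'editPosts') + $params);
    return htmlspecialchars('?' . $query . '&page=', ENT_QUOTES, 'UTF-8');
}

// --- constructed sample request (stands in for $this->_request) -------------
$request = array(
    'postIds'     => array('12', '15', '7 OR 1=1'),
    'showMonth'   => "200707' OR 1=1 -- ",
    'showStatus'  => '1',
    'searchTerms' => '"><script>alert(1)</script>',
);

$ids    = validatePostIds($request['postIds']);                 // third element fails the digit check
$month  = validateShowMonth($request['showMonth'], date('Ym')); // not six digits, so the default is used
$status = validateIntParam($request['showStatus'], 0);

if ($ids === null) {
    echo "postIds rejected, nothing deleted\n";
} else {
    $db = new PDO('sqlite::memory:');
    $db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, blog_id INTEGER)');
    echo deletePosts($db, 1, $ids), " rows deleted\n";
}

// The script tag survives only as percent-encoded text inside an HTML-escaped href.
echo buildPagerUrl(array(
    'showMonth'   => $month,
    'showStatus'  => $status,
    'searchTerms' => $request['searchTerms'],
)), "\n";
```

The design point is that each parameter is reduced to the narrow type the query actually needs before it is used (a list of positive integers, a six-digit month, an integer code), and the two sinks the thread names, the WHERE clause and the pager href, each get the encoding appropriate to that sink rather than sharing one generic "filter".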


More information about the pLog-svn mailing list