[pLog-svn] [Lifetype] Multiple SQL Injections in Admin Posts List interfaces & a XSS vuln

Matt Wood matt at woodzy.com
Mon Jul 16 23:14:02 EDT 2007


Firstly,

I would like to thank Oscar and the other devs for putting lots of hard work
into the development of this project. By posting this information I am not
trying to deride or attack Lifetype/pLog at all, I use this software plenty,
and have been around for a while. So guys don't take this the wrong way...
I'm just trying to use my expertise to contribute and point out what I see;
hopefully making this a better software platform.

And part II commences...

Any (admin especially) action that relies solely on the ArrayValidator does
not actually have any validation occur. Assuming that data is safe if it
parses into an array is not sufficient; it is just as easy to attack with
an array of values.

With this you can arbitrarily insert SQL into something when deleting post
IDs [for example]. This can lead to the destruction of tables since at least
MySQL allows multiple delete commands. If the user has delete permission on
anything in the database, he/she can effectively delete anything at all.

Again this only matters if you have untrusted users.

-Matt

On 7/16/07, Matt Wood <matt at woodzy.com> wrote:
>
> I was playing with the new ajax "build" earlier today and the new pretty
> YUI components and found a couple problems with stuff unrelated & related to
> the ajax stuff [which I noticed that most inputs were verified by Oscar :),
> from those plog-svn change-sets].
>
> I've verified these attacks work but truthfully the only important cases
> exist when you allow public registration for a blog through the lifetype
> core (or have an untrusted user base), since in order to exploit these
> vulnerabilities you must have a valid session.
>
> There are many parameters passed into AdminPostsListView from
> AdminEditPostsAction.class.php which are not validated and lead to SQL
> injection attacks (recovering the admin's md5 password hash for example).
>
> In the performAjax() and perform() methods
> ---
> lifetype-1.3-ajax/class/action/admin/admineditpostsaction.class.php:
>
>                   "showMonth" => $this->_request->getValue( "showMonth" ),
>
> ---
> which is passed into the following, again unverified...
> ---
> lifetype-1.3-ajax/class/view/admin/adminpostslistview.class.php:
> $this->_showMonth = $this->_getParameter( $params, "showMonth",
>     $this->_locale->formatDate( new Timestamp(), "%Y%m" ));
> ---
> This leads to SQL injection on almost all of the variables here... You can
> easily verify this by checking the MySQL logs and by looking at the query
> string before it's sent to the database. This injection is in the WHERE
> clause, where many bad things can occur. The most pervasive of which are
> blind SQL attacks on the password hashes.
>
>
> These parameters are also echoed onto the web page unfiltered...
> ---
> lifetype-1.3-ajax/class/view/admin/adminpostslistview.class.php:
>
>         $pager = new Pager(
>             "?op=editPosts&amp;showMonth={$this->_showMonth}&amp;showStatus={$this->_showStatus}&amp;showCategory={$this->_showCategory}&amp;showUser={$this->_showUser}&amp;searchTerms={$this->_searchTerms}&amp;showLocation={$this->_locationId}&amp;page="
> ---
> leading to XSS with some clever parameters that require the pager to
> actually display links.
>
>
> On the severity...
> The XSS vuln is not really that important... but even with a semi-trusted
> userbase the SQL injections could lead to the admin having his password
> discovered.
>
>
> -Matt
>
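As an added illustration (not LifeType code, and not from the thread's author), the following shows how the inputs named above could be handled so they never reach the WHERE clause or the pager link unchecked: a strict whitelist for showMonth (which defaults to a `%Y%m` string), per-element checks for a post-id array instead of only "is it an array", a parameterised DELETE, and escaping of the pager href. The function names, the `posts_table` name and the sample inputs are assumptions.

```php
<?php
// Added example, not LifeType code. Names are hypothetical.

// showMonth defaults to formatDate(..., "%Y%m"), so a valid value is exactly
// six digits with a month of 01..12. Anything else is rejected instead of
// being interpolated into the query's WHERE clause.
function validateShowMonth(string $value): ?string {
    if (!preg_match('/^(\d{4})(0[1-9]|1[0-2])$/', $value)) {
        return null;
    }
    return $value;
}

// "Parses into an array" is not validation: every element must itself be a
// positive integer before it may be used in DELETE ... WHERE id IN (...).
function validatePostIds($ids): ?array {
    if (!is_array($ids) || $ids === []) {
        return null;
    }
    $clean = [];
    foreach ($ids as $id) {
        if (!is_int($id) && !is_string($id)) return null;
        if (!preg_match('/^[1-9]\d*$/', (string) $id)) return null;
        $clean[] = (int) $id;
    }
    return $clean;
}

// The ids are bound as parameters; the placeholder list is derived from the
// count, never from the values, so no second statement can be smuggled in.
// "posts_table" is a placeholder for the real table name.
function deletePosts(PDO $db, array $ids): int {
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $db->prepare("DELETE FROM posts_table WHERE id IN ($placeholders)");
    $stmt->execute($ids);
    return $stmt->rowCount();
}

// Build the pager link from an associative array: http_build_query URL-encodes
// each value, and htmlspecialchars makes the result safe inside href="...".
function buildPagerUrl(array $params): string {
    $query = http_build_query($params + ['op' => 'editPosts']);
    return htmlspecialchars('?' . $query, ENT_QUOTES, 'UTF-8');
}

// Constructed sample inputs: the first two are accepted, the next two rejected.
var_dump(validateShowMonth('200707'));
var_dump(validatePostIds(['12', '7']));
var_dump(validateShowMonth('2007-07'));
var_dump(validatePostIds(['12', 'seven']));
echo buildPagerUrl(['showMonth' => '200707', 'searchTerms' => '<b>"x"</b>']), "\n";
```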