[pLog-svn] [Lifetype] Multiple SQL Injections in Admin PostsList interfaces & a XSS vuln

Mark Wu markplace at gmail.com
Tue Jul 17 02:04:44 EDT 2007


Hi Matt:
 
I did not test it yet. But through the new method addElementRule() in
ArrayValidator, I think we can make the ArrayValidator validate each
array element following our rules.
 
It may solve the ArrayValidator issues you mentioned.
 
Take the $postIds for example, we can validate it using the following code:
 
$postIdsArrayValidator = new ArrayValidator();
$postIdsArrayValidator->addElementRule( new IntRule() );
 
$validateOk = $postIdsArrayValidator->validate( $postIds );
 
if( $validateOk ) {
    // render normal view
} else {
    // render error view
}
 
Mark
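As an added illustration (not code from this thread or from LifeType itself), a self-contained sketch of the per-element check Mark describes. The class and method names mirror the ones used above, but their bodies here are assumptions, not the project's implementation:

```php
<?php
// Added example: a stand-in ArrayValidator showing why "is it an array?" is
// not validation, and how a per-element IntRule closes the gap. Class and
// method bodies are assumed for this example; they are not LifeType's code.

interface Rule { public function validate( $value ); }

class IntRule implements Rule {
    // Accept only integers or strings of digits (optional leading minus).
    public function validate( $value ) {
        return is_int( $value )
            || ( is_string( $value ) && preg_match( '/^-?\d+$/', $value ) === 1 );
    }
}

class ArrayValidator implements Rule {
    private $elementRules = array();

    public function addElementRule( Rule $rule ) { $this->elementRules[] = $rule; }

    // With no element rules this is the weak "parses into an array" check;
    // with rules, every element must satisfy every rule.
    public function validate( $value ) {
        if ( !is_array( $value ) ) return false;
        foreach ( $value as $element ) {
            foreach ( $this->elementRules as $rule ) {
                if ( !$rule->validate( $element ) ) return false;
            }
        }
        return true;
    }
}

// Constructed sample request values, as a mass-delete of post ids would send them.
$safeIds    = array( '12', '13', '14' );
$taintedIds = array( '12', '13 OR 1=1' );   // constructed non-integer element

$arrayOnly  = new ArrayValidator();          // old check: array shape only
$perElement = new ArrayValidator();
$perElement->addElementRule( new IntRule() );

var_dump( $arrayOnly->validate( $taintedIds ) );   // the shape-only check lets it through
var_dump( $perElement->validate( $taintedIds ) );  // per-element rule stops it: render error view
var_dump( $perElement->validate( $safeIds ) );     // well-formed ids pass

// Belt and braces: even after validation, cast before building the IN (...) list.
$ids = array_map( 'intval', $safeIds );
echo 'DELETE ... WHERE post_id IN (' . implode( ',', $ids ) . ")\n";
```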

  _____  

From: plog-svn-bounces at devel.lifetype.net
[mailto:plog-svn-bounces at devel.lifetype.net] On Behalf Of Matt Wood
Sent: Tuesday, July 17, 2007 11:14 AM
To: plog-svn at devel.lifetype.net
Subject: Re: [pLog-svn] [Lifetype] Multiple SQL Injections in Admin
PostsList interfaces & a XSS vuln


Firstly,

I would like to thank Oscar and the other devs for putting lots of hard work
into the development of this project. By posting this information I am not
trying to deride or attack Lifetype/pLog at all, I use this software plenty,
and have been around for a while. So guys don't take this the wrong way...
I'm just trying to use my expertise to contribute and point out what I see;
hopefully making this a better software platform. 

And part II commences...

Any (admin especially) action that relies solely on the ArrayValidator does
not actually have any validation occur. Assuming the data is safe because it
parses into an array is not sufficient; it is just as easy to attack with
an array of values. 

With this you can arbitrarily insert SQL into something when deleting post
IDs [for example]. This can lead to the destruction of tables since at least
MySQL allows multiple delete commands. If the user has delete permission on
anything in the database, he/she can effectively delete anything at all. 

Again this only matters if you have untrusted users.

-Matt


On 7/16/07, Matt Wood <matt at woodzy.com> wrote: 

I was playing with the new ajax "build" earlier today and the new pretty YUI
components and found a couple of problems with stuff unrelated & related to the
ajax stuff [which I noticed that most inputs were verified by Oscar :), from
those plog-svn change-sets]. 

I've verified these attacks work but truthfully the only important cases
exist when you allow public registration for a blog through the lifetype
core (or have an untrusted user base), since in order to exploit these
vulnerabilities you must have a valid session. 

There are many parameters passed into AdminPostsListView from
AdminEditPostsAction.class.php which are not validated and lead to SQL
injection attacks (recovering the admin's md5 password hash for example).

in the performAjax() and perform() methods
---
lifetype-1.3-ajax/class/action/admin/admineditpostsaction.class.php:

                  "showMonth" => $this->_request->getValue( "showMonth" ), 
---
which is passed into the following, again unverified...
---
lifetype-1.3-ajax/class/view/admin/adminpostslistview.class.php:
$this->_showMonth = $this->_getParameter( $params, "showMonth", $this->_locale->formatDate( new Timestamp(), "%Y%m" ));
---
This leads to SQL injection on almost all of the variables here... You can
easily verify this by checking the MySQL logs and by looking at the query
string before it's sent to the database. Since this injection is in the WHERE
clause, many bad things can occur. The most pervasive of which are
blind SQL attacks on the password hashes. 


These parameters are also echoed onto the web page unfiltered... 
---
lifetype-1.3-ajax/class/view/admin/adminpostslistview.class.php:

        $pager = new Pager(
            "?op=editPosts&amp;showMonth={$this->_showMonth}"
            . "&amp;showStatus={$this->_showStatus}"
            . "&amp;showCategory={$this->_showCategory}"
            . "&amp;showUser={$this->_showUser}"
            . "&amp;searchTerms={$this->_searchTerms}"
            . "&amp;showLocation={$this->_locationId}&amp;page=" 
---
leading to XSS with some clever parameters that require the pager to
actually display links.


On the severity...
The XSS vuln is not really that important... but even with a semi-trusted
userbase the SQL injections could lead to the admin having his password
discovered. 


-Matt



-------------- next part --------------
A non-text attachment was scrubbed...
Name: arrayvalidator.class.php
Type: application/octet-stream
Size: 1685 bytes
Desc: not available
Url : http://limedaley.com/pipermail/plog-svn/attachments/20070717/4dd72dfd/attachment-0001.obj 
