[pLog-svn] [Lifetype] Multiple SQL Injections in Admin Posts List interfaces & a XSS vuln

Oscar Renalias oscar at renalias.net
Tue Jul 17 02:20:06 EDT 2007


I'm actually glad that somebody is doing this for us as it improves
the stability and security of Lifetype for everyone. Sometimes we get
ourselves too busy with UI and other stuff and forget about these
things... We'll try to provide fixes for these in 1.2.5.

Thanks.

Oscar

On 7/17/07, Matt Wood <matt at woodzy.com> wrote:
> Firstly,
>
> I would like to thank Oscar and the other devs for putting lots of hard work
> into the development of this project. By posting this information I am not
> trying to deride or attack Lifetype/pLog at all, I use this software plenty,
> and have been around for a while. So guys don't take this the wrong way...
> I'm just trying to use my expertise to contribute and point out what I see;
> hopefully making this a better software platform.
>
> And part II commences...
>
> Any (admin especially) action that relies solely on the ArrayValidator does
> not actually have any validation occur. Assuming that the data passed in is
> safe if it parses into an array is not sufficient; it is just as easy to
> attack with an array of values.
>
> With this you can arbitrarily insert SQL into something when deleting post
> IDs [for example]. This can lead to the destruction of tables since at least
> MySQL allows multiple delete commands. If the user has delete permission on
> anything in the database, he/she can effectively delete anything at all.
>
> Again this only matters if you have untrusted users.
>
> -Matt
>
> On 7/16/07, Matt Wood <matt at woodzy.com > wrote:
> > I was playing with the new ajax "build" earlier today and the new pretty
> > YUI components and found a couple problems with stuff unrelated & related to
> > the ajax stuff [which I noticed that most inputs were verified by oscar :),
> > from those plog-svn change-sets].
> >
> > I've verified these attacks work but truthfully the only important cases
> > exist when you allow public registration for a blog through the lifetype
> > core (or have an untrusted user base), since in order to exploit these
> > vulnerabilities you must have a valid session.
> >
> > There are many parameters passed into AdminPostsListView from
> > AdminEditPostsAction.class.php which are not validated and lead to SQL
> > injection attacks (recovering the admin's md5 password hash for example).
> >
> > in the performAjax() and perform() methods
> > ---
> > lifetype-1.3-ajax/class/action/admin/admineditpostsaction.class.php:
> >                   "showMonth" => $this->_request->getValue( "showMonth" ),
> > ---
> > which is passed into the following, again unverified...
> > ---
> > lifetype-1.3-ajax/class/view/admin/adminpostslistview.class.php:
> >            $this->_showMonth = $this->_getParameter( $params, "showMonth", $this->_locale->formatDate( new Timestamp(), "%Y%m" ));
> > ---
> > This leads to SQL injection on almost all of the variables here... You can
> > easily verify this by checking the MySQL logs and by looking at the query
> > string before it's sent to the database. Since this injection is in the WHERE
> > clause, many bad things can occur, the most pervasive of which are
> > blind SQL attacks on the password hashes.
> >
> >
> > These parameters are also echo'ed onto the web page unfiltered...
> > ---
> > lifetype-1.3-ajax/class/view/admin/adminpostslistview.class.php:
> >         $pager = new Pager( "?op=editPosts&amp;showMonth={$this->_showMonth}&amp;showStatus={$this->_showStatus}&amp;showCategory={$this->_showCategory}&amp;showUser={$this->_showUser}&amp;searchTerms={$this->_searchTerms}&amp;showLocation={$this->_locationId}&amp;page="
> > ---
> > leading to XSS with some clever parameters that require the pager to
> > actually display links.
> >
> >
> > On the severity...
> > The XSS vuln is not really that important... but even with a semi-trusted
> > userbase the SQL injections could lead to the admin having his password
> > discovered.
> >
> >
> > -Matt
> >
>
>
> _______________________________________________
> pLog-svn mailing list
> pLog-svn at devel.lifetype.net
> http://limedaley.com/mailman/listinfo/plog-svn
>
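The thread above describes three weaknesses in the posts-list code path: request values such as showMonth reaching the WHERE clause unvalidated, an array validator that accepts any array without checking its elements, and the same values being interpolated into the Pager URL without output encoding. The following PHP is an added illustration of the defensive pattern, not Lifetype's own code: the function names, the `posts` table and columns, and the use of PDO with an in-memory SQLite database are all assumptions made for the example. It whitelists each parameter before use, binds values with placeholders instead of string interpolation, checks every element of the post-ID array individually, and encodes the pager URL for the HTML context.

```php
<?php
// Added example (not Lifetype code): hardened handling of the admin posts-list
// parameters discussed in the thread. Table, column and function names are assumed.

// showMonth is expected to be YYYYMM; anything else falls back to the default.
function validateShowMonth($value, $default)
{
    return (is_string($value) && preg_match('/^\d{6}$/', $value)) ? $value : $default;
}

// showStatus / showCategory / showUser / showLocation are numeric ids.
function validateIntOrDefault($value, $default)
{
    return preg_match('/^\d+$/', (string)$value) ? (int)$value : $default;
}

// A validator that only checks is_array() lets every element through unchanged;
// check each element and keep only non-negative integers.
function validatePostIds($value)
{
    if (!is_array($value)) {
        return [];
    }
    $ids = [];
    foreach ($value as $id) {
        if (preg_match('/^\d+$/', (string)$id)) {
            $ids[] = (int)$id;
        }
    }
    return $ids;
}

// Bound parameters replace "... WHERE month = '{$showMonth}' ..." interpolation.
function findPosts(PDO $db, $showMonth, $showStatus, $searchTerms)
{
    $sql = "SELECT id, topic FROM posts WHERE strftime('%Y%m', date) = :month AND status = :status";
    $params = [':month' => $showMonth, ':status' => $showStatus];
    if ($searchTerms !== '') {
        $sql .= ' AND topic LIKE :terms';
        $params[':terms'] = '%' . $searchTerms . '%';
    }
    $stmt = $db->prepare($sql);
    $stmt->execute($params);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// One placeholder per id; the id list is never concatenated into the statement.
function deletePosts(PDO $db, array $ids)
{
    if ($ids === []) {
        return 0;
    }
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $db->prepare("DELETE FROM posts WHERE id IN ($placeholders)");
    $stmt->execute($ids);
    return $stmt->rowCount();
}

// URL-encode every value; the caller HTML-escapes the result when it is rendered.
function pagerUrl(array $params)
{
    return '?op=editPosts&' . http_build_query($params) . '&page=';
}

// Demo on an in-memory SQLite database with constructed sample rows.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, topic TEXT, date TEXT, status INTEGER)');
$db->exec("INSERT INTO posts VALUES (1, 'Hello', '2007-07-16', 1), (2, 'Draft', '2007-07-17', 2)");

// Constructed request values: two are malformed and must be rejected, not passed on.
$request = [
    'showMonth'   => '200707 extra',
    'showStatus'  => '1',
    'searchTerms' => '<b>Hel</b>',
    'postIds'     => ['2', '1abc', 'x'],
];

$showMonth  = validateShowMonth($request['showMonth'], '200707');   // malformed -> default
$showStatus = validateIntOrDefault($request['showStatus'], 1);
$ids        = validatePostIds($request['postIds']);                  // only [2] survives

$rows = findPosts($db, $showMonth, $showStatus, $request['searchTerms']); // bound LIKE, no match
$deleted = deletePosts($db, $ids);                                        // removes post 2 only

$url = pagerUrl(['showMonth' => $showMonth, 'showStatus' => $showStatus,
                 'searchTerms' => $request['searchTerms']]);
echo 'rows=' . count($rows) . ' deleted=' . $deleted . "\n";
echo htmlspecialchars($url, ENT_QUOTES, 'UTF-8'), "\n";
```

The two controls are independent and both are needed: the whitelist and bound parameters stop the query from being altered, while URL-encoding in `pagerUrl()` plus `htmlspecialchars()` at render time stop the same values from becoming markup when the pager links are written to the page. Checking the array elements one by one closes the ArrayValidator gap from the second message, since an array of ids is only as safe as its least-validated element.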