[pLog-svn] [Lifetype] Multiple SQL Injections in Admin PostsList interfaces & a XSS vuln

Oscar Renalias oscar at renalias.net
Tue Jul 17 02:24:21 EDT 2007


Why a Rule class and not a whole Validator class? When we validate
integers we always use IntegerValidator rather than IntRule so why
would you only use IntRule to validate an array of integers?

How about this:

$v = new ArrayValidator( new IntegerValidator());

Additionally, if we manage to specify the validation class for each
one of the items in the constructor itself we can get rid of one line
of code $v->addElementValidator(blahblah) :-)

Oscar

On 7/17/07, Mark Wu <markplace at gmail.com> wrote:
>
>
> Hi Matt:
>
> I did not test it yet. But through the new method addElementRule() in
> ArrayValidator, I think we can make the ArrayValidator validate each
> array element following our rules.
>
> It may solve the ArrayValidator issues you mentioned.
>
> Take the $postIds for example, we can validate it using the following code:
>
>
> $postIdsArrayValidator = new ArrayValidator();
> $postIdsArrayValidator->addElementRule( new IntRule() );
>
> $validateOk = $postIdsArrayValidator->validate( $postIds );
>
> if( $validateOk ) {
>     // render normal view
> } else {
>     // render error view
> }
>
> Mark
>
>  ________________________________
>  From: plog-svn-bounces at devel.lifetype.net
> [mailto:plog-svn-bounces at devel.lifetype.net] On Behalf Of
> Matt Wood
> Sent: Tuesday, July 17, 2007 11:14 AM
> To: plog-svn at devel.lifetype.net
> Subject: Re: [pLog-svn] [Lifetype] Multiple SQL Injections in Admin
> PostsList interfaces & a XSS vuln
>
>
> Firstly,
>
> I would like to thank Oscar and the other devs for putting lots of hard work
> into the development of this project. By posting this information I am not
> trying to deride or attack Lifetype/pLog at all, I use this software plenty,
> and have been around for a while. So guys don't take this the wrong way...
> I'm just trying to use my expertise to contribute and point out what I see;
> hopefully making this a better software platform.
>
> And part II commences...
>
> Any (admin especially) action that relies solely on the ArrayValidator does
> not actually have any validation occur. Assuming that the data passed in is
> fine if it parses into an array is not sufficient; it is just as easy to
> attack with an array of values.
>
> With this you can arbitrarily insert sql into something when deleting post
> IDs [for example]. This can lead to the destruction of tables since at least
> mysql allows multiple delete commands. If the user has delete permission on
> anything in the database, he/she can effectively delete anything at all.
>
> Again this only matters if you have untrusted users.
>
> -Matt
>
>
> On 7/16/07, Matt Wood <matt at woodzy.com > wrote:
> > I was playing with the new ajax "build" earlier today and the new pretty
> > YUI components and found a couple problems with stuff unrelated & related to
> > the ajax stuff [which I noticed that most inputs were verified by oscar :),
> > from those plog-svn change-sets].
> >
> > I've verified these attacks work but truthfully the only important cases
> > exist when you allow public registration for a blog through the lifetype
> > core (or have an untrusted user base), since in order to exploit these
> > vulnerabilities you must have a valid session.
> >
> > There are many parameters passed into AdminPostsListView from
> > AdminEditPostsAction.class.php which are not validated and lead to SQL
> > injection attacks (recovering the admin's md5 password hash for example).
> >
> > in the performAjax() and perform() methods
> > ---
> > lifetype-1.3-ajax/class/action/admin/admineditpostsaction.class.php:
> >                   "showMonth" => $this->_request->getValue( "showMonth" ),
> > ---
> > which is passed into the following, again unverified...
> > ---
> > lifetype-1.3-ajax/class/view/admin/adminpostslistview.class.php:
> >            $this->_showMonth = $this->_getParameter( $params, "showMonth", $this->_locale->formatDate( new Timestamp(), "%Y%m" ));
> > ---
> > This leads to sql injection on almost all of the variables here... You can
> > easily verify this by checking the mysql logs and by looking at the query
> > string before it's sent to the database. This injection is in the WHERE
> > clause, where many bad things can occur, the most pervasive being
> > blind SQL attacks on the password hashes.
> >
> >
> > These parameters are also echoed onto the web page unfiltered...
> > ---
> > lifetype-1.3-ajax/class/view/admin/adminpostslistview.class.php:
> >         $pager = new Pager( "?op=editPosts&amp;showMonth={$this->_showMonth}&amp;showStatus={$this->_showStatus}&amp;showCategory={$this->_showCategory}&amp;showUser={$this->_showUser}&amp;searchTerms={$this->_searchTerms}&amp;showLocation={$this->_locationId}&amp;page="
> > ---
> > leading to XSS with some clever parameters that require the pager to
> > actually display links.
> >
> >
> > On the severity...
> > The XSS vuln is not really that important... but even with a semi-trusted
> > userbase the sql injections could lead to the admin having his password
> > discovered.
> >
> >
> > -Matt
> >
>
>
>
>
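An added illustration, not code from the thread and not Lifetype's own classes, of the two points discussed above: Oscar's proposal of an ArrayValidator that is handed the validator for its elements in the constructor, and Matt's observation that `showMonth` and the post id list reach the WHERE clause and the pager URL without any check. The `Validator` interface, `IntegerValidator`, `YearMonthValidator` and `ArrayValidator` here are hypothetical stand-ins (Lifetype's real classes have different internals), the request array is constructed sample input, and the table name is a placeholder.

```php
<?php
// Hypothetical validator interface standing in for Lifetype's validator
// classes; the shape is assumed, not taken from the project.
interface Validator {
    public function validate($value);
}

// Accepts an int, or a string that is a plain decimal integer.
class IntegerValidator implements Validator {
    public function validate($value) {
        return is_int($value)
            || (is_string($value) && preg_match('/^\d+$/', $value) === 1);
    }
}

// Accepts the YYYYMM shape that showMonth is meant to have (assumed format,
// matching the "%Y%m" default used in the view).
class YearMonthValidator implements Validator {
    public function validate($value) {
        return is_string($value)
            && preg_match('/^\d{4}(0[1-9]|1[0-2])$/', $value) === 1;
    }
}

// Oscar's proposal: the element validator is given to the constructor, and
// validate() checks that the value is an array AND that every element passes.
class ArrayValidator implements Validator {
    private $elementValidator;

    public function __construct(Validator $elementValidator) {
        $this->elementValidator = $elementValidator;
    }

    public function validate($value) {
        if (!is_array($value)) {
            return false;
        }
        foreach ($value as $element) {
            if (!$this->elementValidator->validate($element)) {
                return false;
            }
        }
        return true;
    }
}

// Constructed request data: the third postIds element is not an integer,
// which is exactly the case an array-only check lets through.
$request = array(
    'postIds'   => array('12', '13', "14) OR 1=1 -- "),
    'showMonth' => '200707',
);

$postIdsValidator = new ArrayValidator(new IntegerValidator());
$monthValidator   = new YearMonthValidator();

if (!$postIdsValidator->validate($request['postIds'])) {
    echo "postIds rejected: not every element is an integer\n";
} else {
    // Only validated ids get anywhere near SQL, and still as bound values
    // rather than interpolated text. 'articles' is a placeholder table name.
    $ids = array_map('intval', $request['postIds']);
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    $sql = "DELETE FROM articles WHERE id IN ($placeholders)";
    echo "would prepare: $sql with " . implode(',', $ids) . "\n";
}

if ($monthValidator->validate($request['showMonth'])) {
    $showMonth = $request['showMonth'];
    // The pager link echoes the value back into HTML, so it is URL-encoded
    // and HTML-escaped before being placed in the href.
    $pagerUrl = '?op=editPosts&amp;showMonth='
        . htmlspecialchars(urlencode($showMonth), ENT_QUOTES, 'UTF-8')
        . '&amp;page=';
    echo "pager base url: $pagerUrl\n";
} else {
    echo "showMonth rejected: expected YYYYMM\n";
}
```

With the constructed input the post id list is rejected because of its third element, while the well-formed `showMonth` passes and is escaped before it is echoed; swapping `'200707'` for a value such as `"200707' OR '1'='1"` makes the month validator reject it before it can reach a query string.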