[pLog-svn] [Lifetype] Multiple SQL Injections in AdminPostsList interfaces & a XSS vuln

Mark Wu markplace at gmail.com
Tue Jul 17 02:51:43 EDT 2007


 mmmm ....

So, now we can use

$postIdsValidator = new ArrayValidator( new IntegerValidator() );
$postIdsValidator->validate( $postIds );

To validate post ids ...

Mark

-----Original Message-----
From: plog-svn-bounces at devel.lifetype.net
[mailto:plog-svn-bounces at devel.lifetype.net] On Behalf Of Oscar Renalias
Sent: Tuesday, July 17, 2007 2:24 PM
To: LifeType Developer List
Subject: Re: [pLog-svn] [Lifetype] Multiple SQL Injections in AdminPostsList
interfaces & a XSS vuln

Why a Rule class and not a whole Validator class? When we validate integers
we always use IntegerValidator rather than IntRule so why would you only use
IntRule to validate an array of integers?

How about this:

$v = new ArrayValidator( new IntegerValidator());

Additionally, if we manage to specify the validation class for each one of
the items in the constructor itself we can get rid of one line of code
$v->addElementValidator(blahblah) :-)

Oscar

On 7/17/07, Mark Wu <markplace at gmail.com> wrote:
>
>
> Hi Matt:
>
> I did not test it yet. But through the new method addElementRule() in
> ArrayValidator, I think we can make the ArrayValidator validate
> each array element following our rules.
>
> It may solve the ArrayValidator issues you mentioned.
>
> Take the $postIds for example, we can validate it using the following code:
>
>
> $postIdsArrayValidator = new ArrayValidator();
> $postIdsArrayValidator->addElementRule( new IntRule() );
>
> $validateOk = $postIdsArrayValidator->validate( $postIds );
>
> if( $validateOk ) {
>     // render normal view
> } else {
>     // render error view
> }
>
> Mark
>
>  ________________________________
>  From: plog-svn-bounces at devel.lifetype.net
> [mailto:plog-svn-bounces at devel.lifetype.net] On Behalf Of Matt Wood
> Sent: Tuesday, July 17, 2007 11:14 AM
> To: plog-svn at devel.lifetype.net
> Subject: Re: [pLog-svn] [Lifetype] Multiple SQL Injections in Admin 
> PostsList interfaces & a XSS vuln
>
>
> Firstly,
>
> I would like to thank Oscar and the other devs for putting lots of 
> hard work into the development of this project. By posting this 
> information I am not trying to deride or attack Lifetype/pLog at all, 
> I use this software plenty, and have been around for a while. So guys
> don't take this the wrong way...
> I'm just trying to use my expertise to contribute and point out what I 
> see; hopefully making this a better software platform.
>
> And part II commences...
>
> Any (admin especially) action that relies solely on the ArrayValidator
> does not actually have any validation occur. Assuming the data passed in
> is fine just because it parses into an array is not sufficient; it is just
> as easy to attack with an array of values.
>
> With this you can arbitrarily insert sql into something when deleting 
> post IDs [for example]. This can lead to the destruction of tables 
> since at least mysql allows multiple delete commands. If the user has 
> delete permission on anything in the database, he/she can effectively
> delete anything at all.
>
> Again this only matters if you have untrusted users.
>
> -Matt
>
>
> On 7/16/07, Matt Wood <matt at woodzy.com > wrote:
> > I was playing with the new ajax "build" earlier today and the new
> > pretty YUI components and found a couple problems with stuff unrelated &
> > related to the ajax stuff [which I noticed that most inputs were
> > verified by oscar :), from those plog-svn change-sets].
> >
> > I've verified these attacks work but truthfully the only important
> > cases exist when you allow public registration for a blog through the
> > lifetype core (or have an untrusted user base), since in order to
> > exploit these vulnerabilities you must have a valid session.
> >
> > There are many parameters passed into AdminPostsListView from
> > AdminEditPostsAction.class.php which are not validated and lead to SQL
> > injection attacks (recovering the admin's md5 password hash for example).
> >
> > in the performAjax() and perform() methods
> > ---
> > lifetype-1.3-ajax/class/action/admin/admineditpostsaction.class.php:
> >
> >     "showMonth" => $this->_request->getValue( "showMonth" ),
> > ---
> > which is passed into the following, again unverified...
> > ---
> > lifetype-1.3-ajax/class/view/admin/adminpostslistview.class.php:
> >
> >     $this->_showMonth = $this->_getParameter( $params, "showMonth",
> >         $this->_locale->formatDate( new Timestamp(), "%Y%m" ));
> > ---
> > This leads to sql injection on almost all of the variables here...
> > You can easily verify this by checking the mysql logs and by looking at the
> > query string before it's sent to the database. This injection is
> > in the WHERE clause, where many bad things can occur, the most
> > pervasive of which are blind sql attacks on the password hashes.
> >
> >
> > These parameters are also echo'ed onto the web page unfiltered...
> > ---
> > lifetype-1.3-ajax/class/view/admin/adminpostslistview.class.php:
> >
> >     $pager = new Pager(
> >         "?op=editPosts&amp;showMonth={$this->_showMonth}&amp;showStatus={$this->_showStatus}&amp;showCategory={$this->_showCategory}&amp;showUser={$this->_showUser}&amp;searchTerms={$this->_searchTerms}&amp;showLocation={$this->_locationId}&amp;page="
> > ---
> > leading to XSS with some clever parameters that require the pager to
> > actually display links.
> >
> >
> > On the severity...
> > The xss vuln is not really that important... but even with a
> > semi-trusted userbase the sql injections could lead to the admin having his
> > password discovered.
> >
> >
> > -Matt
> >
>
>
> _______________________________________________
> pLog-svn mailing list
> pLog-svn at devel.lifetype.net
> http://limedaley.com/mailman/listinfo/plog-svn
>
>
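As an added example (not the original posts' or LifeType's own code): a minimal ArrayValidator that takes its element validator in the constructor, as Oscar suggests above, run over constructed postIds arrays to show that one non-integer element rejects the whole array before anything reaches the DELETE query. Class and method names mirror those discussed in the thread but are assumptions here.

```php
<?php
// Added illustration, not LifeType's own classes: a minimal element-wise
// ArrayValidator in the shape Oscar and Mark discuss above.
class IntegerValidator
{
    // Only decimal digits (optional leading minus) pass; "7 OR 1=1" does not.
    public function validate($value)
    {
        return is_int($value) || (is_string($value) && preg_match('/^-?\d+\z/', $value) === 1);
    }
}
class ArrayValidator
{
    private $elementValidator;
    // Element validator supplied in the constructor, as Oscar proposed.
    public function __construct($elementValidator)
    {
        $this->elementValidator = $elementValidator;
    }
    // Valid only if the value is an array AND every element passes.
    public function validate($value)
    {
        if (!is_array($value)) {
            return false;
        }
        foreach ($value as $element) {
            if (!$this->elementValidator->validate($element)) {
                return false;
            }
        }
        return true;
    }
}
// Constructed request values, as a postIds[] form field would send them.
$requests = array(
    array('12', '7', '301'),      // clean
    array('12', '7 OR 1=1'),      // SQL fragment smuggled into one element
    '12,7',                       // not an array at all
);
$postIdsValidator = new ArrayValidator(new IntegerValidator());
foreach ($requests as $postIds) {
    if ($postIdsValidator->validate($postIds)) {
        // Ids reach the query only after validation, cast to int as a second layer.
        $idList = implode(',', array_map('intval', $postIds));
        echo "ok: DELETE ... WHERE id IN ($idList)\n";
    } else {
        echo "rejected: render error view\n";
    }
}
```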
-------------- next part --------------
A non-text attachment was scrubbed...
Name: arrayvalidator.class.php
Type: application/octet-stream
Size: 1296 bytes
Desc: not available
Url : http://limedaley.com/pipermail/plog-svn/attachments/20070717/c17bc07c/attachment-0001.obj 