[pLog-svn] [Lifetype] Multiple SQL Injections in AdminPostsList interfaces & a XSS vuln
Mark Wu
markplace at gmail.com
Tue Jul 17 02:51:43 EDT 2007
mmmm ....
So, now we can use
$postIdsValidator = new ArrayValidator( new IntegerValidator() );
$postIdsValidator->validate( $postIds );
To validate post ids ...
Mark
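The per-element validation Oscar and Mark settle on above, as an added example that is not LifeType's own code: the Validator interface, IntegerValidator and ArrayValidator below are minimal stand-ins modelled on the names used in the thread, and the postIds arrays are constructed inputs.

```php
<?php
// Minimal stand-ins for the validator classes discussed in the thread
// (assumed names, not LifeType's real implementation).
interface Validator {
    public function validate($value): bool;
}

// Accepts PHP ints and canonical decimal strings only; "15 OR 1=1", "0x1A"
// or "15\n" are all rejected, which is what makes a value safe to use as an id.
class IntegerValidator implements Validator {
    public function validate($value): bool {
        if (is_int($value)) {
            return true;
        }
        return is_string($value) && preg_match('/^(0|[1-9][0-9]*)\z/', $value) === 1;
    }
}

// Rejects non-arrays and, unlike a bare is_array() check, runs the element
// validator handed to the constructor over every single element.
class ArrayValidator implements Validator {
    private Validator $elementValidator;

    public function __construct(Validator $elementValidator) {
        $this->elementValidator = $elementValidator;
    }

    public function validate($value): bool {
        if (!is_array($value)) {
            return false;
        }
        foreach ($value as $element) {
            if (!$this->elementValidator->validate($element)) {
                return false;
            }
        }
        return true;
    }
}

// Constructed inputs standing in for the postIds request parameter of the
// delete-posts action.
$cleanIds   = ['12', '15', '7'];
$taintedIds = ['12', '15 OR 1=1'];   // an array, but one element is not an integer

$postIdsValidator = new ArrayValidator(new IntegerValidator());
foreach ([$cleanIds, $taintedIds, '12,15'] as $postIds) {
    echo $postIdsValidator->validate($postIds) ? "render normal view\n" : "render error view\n";
}
```

Per-element validation keeps hostile strings out of the id list, but the posts-list query should still bind the ids as parameters rather than interpolating them into the WHERE clause.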
-----Original Message-----
From: plog-svn-bounces at devel.lifetype.net
[mailto:plog-svn-bounces at devel.lifetype.net] On Behalf Of Oscar Renalias
Sent: Tuesday, July 17, 2007 2:24 PM
To: LifeType Developer List
Subject: Re: [pLog-svn] [Lifetype] Multiple SQL Injections in AdminPostsList interfaces & a XSS vuln
Why a Rule class and not a whole Validator class? When we validate integers
we always use IntegerValidator rather than IntRule so why would you only use
IntRule to validate an array of integers?
How about this:
$v = new ArrayValidator( new IntegerValidator());
Additionally, if we manage to specify the validation class for each one of
the items in the constructor itself we can get rid of one line of code
$v->addElementValidator(blahblah) :-)
Oscar
On 7/17/07, Mark Wu <markplace at gmail.com> wrote:
>
>
> Hi Matt:
>
> I did not test it yet. But through the new method addElementRule() in
> ArrayValidator, I think we can make the ArrayValidator to validate
> each array element following our rules.
>
> It may solve the ArrayValidator issues you mentioned.
>
> Take the $postIds for example, we can validate it using the following code:
>
>
> $postIdsArrayValidator = new ArrayValidator();
> $postIdsArrayValidator->addElementRule( new IntRule() );
>
> $validateOk = $postIdsArrayValidator->validate( $postIds );
>
> if ( $validateOk ) {
>     // render normal view
> } else {
>     // render error view
> }
>
> Mark
>
> ________________________________
> From: plog-svn-bounces at devel.lifetype.net
> [mailto:plog-svn-bounces at devel.lifetype.net] On Behalf Of Matt Wood
> Sent: Tuesday, July 17, 2007 11:14 AM
> To: plog-svn at devel.lifetype.net
> Subject: Re: [pLog-svn] [Lifetype] Multiple SQL Injections in AdminPostsList interfaces & a XSS vuln
>
>
> Firstly,
>
> I would like to thank Oscar and the other devs for putting lots of
> hard work into the development of this project. By posting this
> information I am not trying to deride or attack Lifetype/pLog at all,
> I use this software plenty, and have been around for a while. So guys
> don't take this the wrong way...
> I'm just trying to use my expertise to contribute and point out what I
> see; hopefully making this a better software platform.
>
> And part II commences...
>
> Any (admin especially) action that relies solely on the ArrayValidator
> does not actually have any validation occur. Assuming that the data
> passed in is safe because it parses into an array is not sufficient; it is
> just as easy to attack with an array of values.
>
> With this you can arbitrarily insert sql into something when deleting
> post IDs [for example]. This can lead to the destruction of tables
> since at least mysql allows multiple delete commands. If the user has
> delete permission on anything in the database, he/she can effectively
> delete anything at all.
>
> Again this only matters if you have untrusted users.
>
> -Matt
>
>
> On 7/16/07, Matt Wood <matt at woodzy.com> wrote:
> > I was playing with the new ajax "build" earlier today and the new pretty
> > YUI components and found a couple problems with stuff unrelated &
> > related to the ajax stuff [which I noticed that most inputs were
> > verified by oscar :), from those plog-svn change-sets].
> >
> > I've verified these attacks work but truthfully the only important cases
> > exist when you allow public registration for a blog through the
> > lifetype core (or have an untrusted user base), since in order to
> > exploit these vulnerabilities you must have a valid session.
> >
> > There are many parameters passed into AdminPostsListView from
> > AdminEditPostsAction.class.php which are not validated and lead to SQL
> > injection attacks (recovering the admin's md5 password hash for example).
> >
> > in the performAjax() and perform() methods
> > ---
> > lifetype-1.3-ajax/class/action/admin/admineditpostsaction.class.php:
> >
> > "showMonth" => $this->_request->getValue( "showMonth" ),
> > ---
> > which is passed into the following, again unverified...
> > ---
> > lifetype-1.3-ajax/class/view/admin/adminpostslistview.class.php:
> >
> > $this->_showMonth = $this->_getParameter( $params, "showMonth", $this->_locale->formatDate( new Timestamp(), "%Y%m" ));
> > ---
> > This leads to sql injection on almost all of the variables here... You can
> > easily verify this by checking the mysql logs and by looking at the
> > query string before it's sent to the database. Since this injection is
> > in the WHERE clause, many bad things can occur, the most pervasive of
> > which are blind SQL attacks on the password hashes.
> >
> >
> > These parameters are also echo'ed onto the web page unfiltered...
> > ---
> > lifetype-1.3-ajax/class/view/admin/adminpostslistview.class.php:
> >
> > $pager = new Pager( "?op=editPosts&showMonth={$this->_showMonth}&showStatus={$this->_showStatus}&showCategory={$this->_showCategory}&showUser={$this->_showUser}&searchTerms={$this->_searchTerms}&showLocation={$this->_locationId}&page="
> > ---
> > leading to XSS with some clever parameters that require the pager to
> > actually display links.
> >
> >
> > On the severity...
> > The XSS vuln is not really that important... but even with a semi-trusted
> > userbase the sql injections could lead to the admin having his
> > password discovered.
> >
> >
> > -Matt
> >
>
>
> _______________________________________________
> pLog-svn mailing list
> pLog-svn at devel.lifetype.net
> http://limedaley.com/mailman/listinfo/plog-svn
>
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: arrayvalidator.class.php
Type: application/octet-stream
Size: 1296 bytes
Desc: not available
Url : http://limedaley.com/pipermail/plog-svn/attachments/20070717/c17bc07c/attachment-0001.obj