I was playing with the new ajax "build" earlier today and the new pretty YUI components and found a couple problems with stuff unrelated & related to the ajax stuff [which I noticed that most inputs were verified by oscar :), from those plog-svn change-sets].
<br><br>I've verified these attacks work but truthfully the only important cases exist when you allow public registration for a blog through the lifetype core (or have an untrusted user base), since in order to exploit these vulnerabilities you must have a valid session.
<br><br>There are many parameters passed into AdminPostsListView from AdminEditPostsAction.class.php which are not validated and lead to SQL injection attacks (recovering the admin's md5 password hash for example).<br>
<br>in the performAjax() and perform() methods<br>---<br>lifetype-1.3-ajax/class/action/admin/admineditpostsaction.class.php: <br> "showMonth" => $this->_request->getValue( "showMonth" ),
<br>---<br>which is passed into the following, again unverified...<br>---<br>lifetype-1.3-ajax/class/view/admin/adminpostslistview.class.php: $thi<br>s->_showMonth = $this->_getParameter( $params, "showMonth", $this->_locale->form
<br>atDate( new Timestamp(), "%Y%m" ));<br>---<br>This leads to sql injection on almost all of the variables here... You can easily verify this by checking the mysql logs and by looking at the query string before its sent to the database. Since this injection is in the WHERE clause where many bad things can occur. The most pervasive of which are blindsql attacks on the password hashes.
<br><br><br>These parameters are also echo'ed onto the web page unfiltered... <br>---<br>lifetype-1.3-ajax/class/view/admin/adminpostslistview.class.php: <br> $pager = new Pager( "?op=editPosts&amp;showMonth={$this->_showMonth}&amp
<br>;showStatus={$this->_showStatus}&amp;showCategory={$this->_showCategory}&amp;sho<br>wUser={$this->_showUser}&amp;searchTerms={$this->_searchTerms}&amp;showLocation=<br>{$this->_locationId}&amp;page="
<br>---<br>leading to XSS with some clever parameters that require the pager to actually display links.<br><br><br>On the severity...<br>The xss vuln not really that important... but even with a semi-trusted userbase the sql injections could lead to the admin having his password discovered.
<br><br><br>-Matt<br>