<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=us-ascii">
<META content="MSHTML 6.00.2900.3132" name=GENERATOR></HEAD>
<BODY>
<DIV dir=ltr align=left><SPAN class=053305004-17072007><FONT face=新細明體
color=#0000ff size=2>mmmm ... For this issue.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=053305004-17072007><FONT face=新細明體
color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=053305004-17072007><FONT face=新細明體
color=#0000ff size=2>Then, I think we should add a validator to each
parameter ... :(</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=053305004-17072007><FONT face=新細明體
color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=053305004-17072007><FONT face=新細明體
color=#0000ff size=2>Mark</FONT></SPAN></DIV><BR>
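<DIV dir=ltr align=left>As an added example (not code from this thread and not Lifetype's own code), here is what a validator layer for the AdminPostsListView parameters named in the report below could look like, following the suggestion above to validate each parameter. It is written in PHP because that is what the affected action and view classes are written in, and it assumes PHP 7.1 or later. The helper names validateListParams, buildWhereClause and buildPagerUrl, the column names used in the WHERE clause, and the three sample requests are all assumptions constructed for the example.</DIV>

```php
<?php
// Added example, not Lifetype's code. Helper names, column names and the
// sample requests below are assumptions made for illustration only.

/**
 * Check every list parameter against the shape it is supposed to have.
 * Returns clean values, or throws InvalidArgumentException on anything else.
 */
function validateListParams(array $request): array
{
    $clean = [];

    // showMonth is produced with "%Y%m", so accept exactly six digits
    // and a real month number; a quote or "OR 1=1" never gets past this.
    $showMonth = (string) ($request['showMonth'] ?? date('Ym'));
    if (!preg_match('/^\d{6}$/', $showMonth)) {
        throw new InvalidArgumentException('showMonth must be YYYYMM');
    }
    $month = (int) substr($showMonth, 4, 2);
    if ($month < 1 || $month > 12) {
        throw new InvalidArgumentException('showMonth has an invalid month');
    }
    $clean['showMonth'] = $showMonth;

    // Ids and status are non-negative integers; 0 is taken to mean "all".
    foreach (['showStatus', 'showCategory', 'showUser', 'showLocation'] as $name) {
        $value = (string) ($request[$name] ?? '0');
        if (!preg_match('/^\d{1,10}$/', $value)) {
            throw new InvalidArgumentException("$name must be a non-negative integer");
        }
        $clean[$name] = (int) $value;
    }

    // searchTerms is free text: strip control characters and bound the length.
    // It is escaped at each point of use (SQL placeholder, URL, HTML) instead.
    $terms = preg_replace('/[\x00-\x1F\x7F]/', '', (string) ($request['searchTerms'] ?? ''));
    if (strlen($terms) > 200) {
        throw new InvalidArgumentException('searchTerms is too long');
    }
    $clean['searchTerms'] = $terms;

    return $clean;
}

/**
 * Build the WHERE clause with placeholders and a separate value list, so the
 * database driver binds the values instead of the code concatenating them.
 * Column names (post_date, status, ...) are illustrative, not Lifetype's schema.
 */
function buildWhereClause(array $clean): array
{
    $conditions = ["DATE_FORMAT(post_date, '%Y%m') = ?"];
    $values = [$clean['showMonth']];
    $columns = ['showStatus' => 'status', 'showCategory' => 'category_id',
                'showUser' => 'user_id', 'showLocation' => 'location_id'];
    foreach ($columns as $param => $column) {
        if ($clean[$param] !== 0) {
            $conditions[] = "$column = ?";
            $values[] = $clean[$param];
        }
    }
    if ($clean['searchTerms'] !== '') {
        // Escape LIKE wildcards so user text cannot widen the match.
        $like = '%' . strtr($clean['searchTerms'], ['\\' => '\\\\', '%' => '\\%', '_' => '\\_']) . '%';
        $conditions[] = '(topic LIKE ? OR text LIKE ?)';
        $values[] = $like;
        $values[] = $like;
    }
    return ['WHERE ' . implode(' AND ', $conditions), $values];
}

/**
 * Build the pager URL: percent-encode every value, then HTML-escape the whole
 * string because the pager drops it into href attributes.
 */
function buildPagerUrl(array $clean): string
{
    $query = http_build_query([
        'op' => 'editPosts', 'showMonth' => $clean['showMonth'],
        'showStatus' => $clean['showStatus'], 'showCategory' => $clean['showCategory'],
        'showUser' => $clean['showUser'], 'searchTerms' => $clean['searchTerms'],
        'showLocation' => $clean['showLocation'],
    ]);
    return htmlspecialchars('?' . $query . '&page=', ENT_QUOTES, 'UTF-8');
}

// Constructed sample requests: one benign, one SQL injection attempt in
// showMonth, one script tag in searchTerms aimed at the pager links.
$requests = [
    'benign' => ['showMonth' => '200707', 'showUser' => '3', 'searchTerms' => 'yui'],
    'sqli'   => ['showMonth' => "200707' OR 1=1 -- "],
    'xss'    => ['showMonth' => '200707', 'searchTerms' => '"><script>alert(1)</script>'],
];
foreach ($requests as $label => $request) {
    try {
        $clean = validateListParams($request);
        [$where, $values] = buildWhereClause($clean);
        echo "$label: accepted\n  $where\n  " . json_encode($values) . "\n  " . buildPagerUrl($clean) . "\n";
    } catch (InvalidArgumentException $e) {
        echo "$label: rejected (" . $e->getMessage() . ")\n";
    }
}
```

<DIV dir=ltr align=left>Run it with the php command-line interpreter: the benign request is accepted and prints a placeholder-only WHERE clause with its values listed separately; the request carrying a quote and OR 1=1 in showMonth is rejected by the six-digit check before any query is built; the searchTerms payload is accepted as text but comes out percent-encoded and HTML-escaped in the pager URL, so it can no longer break out of the href. Checking the shape of each value up front is what allows the query to be built without string concatenation; escaping only at the SQL layer would still leave the pager URL to be handled separately.</DIV>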
<DIV class=OutlookMessageHeader lang=zh-tw dir=ltr align=left>
<HR tabIndex=-1>
<FONT face=Tahoma size=2><B>From:</B> plog-svn-bounces@devel.lifetype.net
[mailto:plog-svn-bounces@devel.lifetype.net] <B>On Behalf Of </B>Matt
Wood<BR><B>Sent:</B> Tuesday, July 17, 2007 10:31 AM<BR><B>To:</B>
plog-svn@devel.lifetype.net<BR><B>Subject:</B> [pLog-svn] [Lifetype] Multiple
SQL Injections in Admin Posts List interfaces & an XSS
vuln<BR></FONT><BR></DIV>
<DIV></DIV>I was playing with the new ajax "build" earlier today and the new
pretty YUI components and found a couple of problems, some unrelated and some
related to the ajax stuff [for which I noticed that most inputs were verified by
oscar :), from those plog-svn change-sets]. <BR><BR>I've verified that these attacks
work, but truthfully the only important cases exist when you allow public
registration for a blog through the lifetype core (or have an untrusted user
base), since in order to exploit these vulnerabilities you must have a valid
session. <BR><BR>There are many parameters passed into AdminPostsListView from
AdminEditPostsAction.class.php which are not validated and lead to SQL injection
attacks (recovering the admin's md5 password hash, for example).<BR><BR>In the
performAjax() and perform()
methods<BR>---<BR>lifetype-1.3-ajax/class/action/admin/admineditpostsaction.class.php:
<BR>
"showMonth" => $this->_request->getValue( "showMonth" ),
<BR>---<BR>which is passed into the following, again
unverified...<BR>---<BR>lifetype-1.3-ajax/class/view/admin/adminpostslistview.class.php:
<BR>$this->_showMonth = $this->_getParameter( $params, "showMonth",
$this->_locale->formatDate( new Timestamp(), "%Y%m" ));<BR>---<BR>This leads to
SQL injection on almost all of the variables here... You can easily verify this
by checking the MySQL logs and by looking at the query string before it's sent to
the database. Since this injection is in the WHERE clause, many bad things can
occur, the most pervasive of which are blind SQL attacks on the password
hashes. <BR><BR><BR>These parameters are also echoed onto the web page
unfiltered...
<BR>---<BR>lifetype-1.3-ajax/class/view/admin/adminpostslistview.class.php:
<BR> $pager = new Pager(
"?op=editPosts&amp;showMonth={$this->_showMonth}&amp;showStatus={$this->_showStatus}&amp;showCategory={$this->_showCategory}&amp;showUser={$this->_showUser}&amp;searchTerms={$this->_searchTerms}&amp;showLocation={$this->_locationId}&amp;page="
<BR>---<BR>leading to XSS with some clever parameters that require the pager to
actually display links.<BR><BR><BR>On the severity...<BR>The XSS vuln is not really
that important... but even with a semi-trusted user base the SQL injections could
lead to the admin having his password discovered.
<BR><BR><BR>-Matt<BR></BODY></HTML>