lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Sun, 26 Mar 2006 20:36:51 +0200
From: "Stefan Keller" <skeller@...ox.com>
To: bugtraq@...urityfocus.com
Subject: AkoComment SQL injection vulnerability


AkoComment is a well known and widely used add-on for the Mambo and
Joomla Content Management Systems. It allows users to post comments to
articles.

AkoComment 2.0 suffers from an SQL injection vulnerability
(components/com_akocomment/akocomment.php):

    # Clear any HTML and SQL injections
    $title   = strip_tags($title);
    $comment = strip_tags($comment);
    $title   = mysql_escape_string($title);
    $comment = mysql_escape_string($comment);

    # Perform database query
    $date      = date( "Y-m-d H:i:s" );
    $ip        = getenv('REMOTE_ADDR');
    $query2 = "INSERT INTO #__akocomment SET contentid='$contentid',
ip='$ip', name='$acname', title='$title', comment='$comment',
date='$date', published='$ac_autopublish';";
    $database->setQuery( $query2 );
    $database->query();

While the user provided comment and comment title is properly
sanitized, the client provided $acname and $contentid are not. These
correspond to hidden, value-prefilled FORM variables in the akocomment
created html form.

It is widely known that just because the values are hidden and not
changeable in a standard web browser doesn't mean they are not client
provided and thus aren't trivially modified.

Since the variables are not sanitized in any way the SQL injection
itself is straight-forward, provided magic_quotes_gpc = off.

Solution:

To fix this vulnerability put the following lines before the "#
Perform database query" line:
    $contentid = intval(strip_tags($contentid));
    $acname = mysql_escape_string(strip_tags($acname));

--
Stefan Keller <skeller@...ox.com>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ