[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20050312210147.11112.qmail@www.securityfocus.com>
Date: 12 Mar 2005 21:01:47 -0000
From: saudi linux <ksa2ksa@...oo.com>
To: bugtraq@...urityfocus.com
Subject: Not SQL injection and XSS in paFileDB?
In-Reply-To: <20050312182442.22116.qmail@....securityfocus.com>
>Received: (qmail 27749 invoked from network); 12 Mar 2005 19:45:27 -0000
>Received: from outgoing.securityfocus.com (HELO outgoing2.securityfocus.com) (205.206.231.26)
> by mail.securityfocus.com with SMTP; 12 Mar 2005 19:45:27 -0000
>Received: from lists2.securityfocus.com (lists2.securityfocus.com [205.206.231.20])
> by outgoing2.securityfocus.com (Postfix) with QMQP
> id 6C68014544F; Sat, 12 Mar 2005 12:52:18 -0700 (MST)
>Mailing-List: contact bugtraq-help@...urityfocus.com; run by ezmlm
>Precedence: bulk
>List-Id: <bugtraq.list-id.securityfocus.com>
>List-Post: <mailto:bugtraq@...urityfocus.com>
>List-Help: <mailto:bugtraq-help@...urityfocus.com>
>List-Unsubscribe: <mailto:bugtraq-unsubscribe@...urityfocus.com>
>List-Subscribe: <mailto:bugtraq-subscribe@...urityfocus.com>
>Delivered-To: mailing list bugtraq@...urityfocus.com
>Delivered-To: moderator for bugtraq@...urityfocus.com
>Received: (qmail 32145 invoked from network); 12 Mar 2005 04:00:48 -0000
>Date: 12 Mar 2005 18:24:42 -0000
>Message-ID: <20050312182442.22116.qmail@....securityfocus.com>
>Content-Type: text/plain
>Content-Disposition: inline
>Content-Transfer-Encoding: binary
>MIME-Version: 1.0
>X-Mailer: MIME-tools 5.411 (Entity 5.404)
>From: SecurityReason <sp3x@...urityreason.com>
>To: bugtraq@...urityfocus.com
>Subject: [SECURITYREASON.COM] SQL injection and XSS in paFileDB
>
>
>
>-=[ SecurityReason-2005-SRA#03 ]=-
>
>-=[ SQL injection and XSS in paFileDB ]=-
>
>Author: sp3x
>Date: 12 March 2005
>
>Affected software :
>===================
>paFileDB version : =>3.1
>
>Description :
>=============
>
>paFileDB is designed to allow webmasters have a database of files for download on their site.
>To add a download, all you do is upload the file using FTP or whatever method you use, log
>into paFileDB's admin center, and fill out a form to add a file. paFileDB lets you edit and
>delete the files too.
>No more messing with a bunch of HTML pages for a file database on your site!
>Using speedy MySQL for storing data, and powerful PHP for processing everything, paFileDB is
>one of the best and easiest ways to manage files!
>
>SQL injection:
>=======================
>
>/includes/viewall.php
>/includes/category.php
>
>Code:
>-------------------------------------------------------------------------------------------------
>if ($sortby == "name") {
> $result = $pafiledb_sql->query($db, "SELECT * FROM $db[prefix]_files WHERE file_pin = '0' ORDER BY file_name
>
>ASC LIMIT $start,20", 0);
>}
>if ($sortby == "date") {
> $result = $pafiledb_sql->query($db, "SELECT * FROM $db[prefix]_files WHERE file_pin = '0' ORDER BY file_time
>
>DESC LIMIT $start,20", 0);
>}
>if ($sortby == "downloads") {
> $result = $pafiledb_sql->query($db, "SELECT * FROM $db[prefix]_files WHERE file_pin = '0' ORDER BY file_dls
>
>DESC LIMIT $start,20", 0);
>}
>if ($sortby == "rating") {
> $result = $pafiledb_sql->query($db, "SELECT * FROM $db[prefix]_files WHERE file_pin = '0' ORDER BY
>
>(file_rating/file_totalvotes - 1) DESC LIMIT $start,20", 0);
>}
>--------------------------------------------------------------------------------------------------
>
>As we can see the $start variable is vuln for sql injection attack.
>But this sql injection for now is not critical , why ? because if we want to inject malicious code to sql sentence
>
>after "ORDER BY" or after "LIMIT", then in current MySql versions, all we can do, is to fail the sql request. No
>
>UNION-s etc. When we try to inject sql sentence we get : "Wrong usage of UNION and ORDER BY Error number: 1221" so we
>
>must wait When Mysql version 4.1 will be widely used then we can have something like this - "ORDER BY desc ASC LIMIT
>
>(SELECT our_table FROM pafiledb_admin)...".
>
>Examples:
>=========
>
>Sql injection:
>--------------
>http://[target]/[pafiledb_dir]/pafiledb.php?action=viewall&start='&sortby=rating
>http://[target]/[pafiledb_dir]/pafiledb.php?action=category&start='&sortby=rating
>
>error message :
>---------------
>paFileDB was unable to successfully run a MySQL query.
>MySQL Returned this error: You have an error in your SQL syntax near '\',20' at line 1 Error number: 1064
>The query that caused this error was: SELECT * FROM pafiledb_files WHERE file_pin = '0' ORDER BY
>
>(file_rating/file_totalvotes - 1) DESC LIMIT \',20
>
>Also in this error message we can see the [prefix] pafiledb tables that should be hidden :)
>And we can insert XSS code in error message for example :
>
>Cros Site Scripting (XSS):
>--------------------------
>
>http://[target]/[pafiledb_dir]/pafiledb.php?action=viewall&start="><iframe%20src=http://www.securityreason.com></iframe
>
>>&sortby=rating
>http://[target]/[pafiledb_dir]/pafiledb.php?action=category&start="><iframe%20src=http://www.securityreason.com></ifram
>
>e>&sortby=date
>
>error message :
>---------------
>paFileDB was unable to successfully run a MySQL query.
>MySQL Returned this error: You have an error in your SQL syntax near '[Our XSS]',20' at line 1 Error number: 1064
>The query that caused this error was: SELECT * FROM pafiledb_files WHERE file_pin = '0' ORDER BY
>
>(file_rating/file_totalvotes - 1) DESC LIMIT [Our XSS]',20
>
>How to fix :
>============
>
>Download the new version of the script or update.
>
>Vendor :
>========
>
>No respond
>
>
>Greetz :
>========
>
>Special greetz : cXIb8O3 , pkw :]
>
>Contact :
>=========
>
>sp3x[at]securityreason[dot].com
>www.securityreason.com
>
Dear sp3x
are you sure this is SQL injection or XSS ?
i do not think it's SQL injection becuse u use XSS Vuln in your Bug
i hope you read more info about SQL injection
Powered by blists - more mailing lists