Open Source and information security mailing list archives
Message-ID: <20050318201541.27159.qmail@www.securityfocus.com>
Date: 18 Mar 2005 20:15:41 -0000
From: GHC team <foster@....ru>
To: bugtraq@...urityfocus.com
Subject: possible SQL injection in Subdreamer

//*==========================================*//
\\ GHC -> Subdreamer <- ADVISORY
// Product: Subdreamer
\\ Version: Subdreamer Light
// URL: www.subdreamer.com
\\ VULNERABILITY CLASS:  SQL injection
//*==========================================*//

[Product Description]
"Powered by PHP and MySQL, Subdreamer provides the ability to create dynamic websites while giving full control over every section of the site. 
A powerful content management system with an amazing skin engine which provides users with unique and cool looking skins!" (from homepage).    
Subdreamer is a commercial (non-free) CMS; a freeware version, Subdreamer Light, is available for download.

[Summary]
Insufficient filtering of user-supplied input leads to an SQL injection vulnerability.

[Details]
When magic_quotes_gpc is off, core.php passes the request arrays through
addslashes() (via its AddSlashesArray() helper):

--[script includes/core.php]--
if(!get_magic_quotes_gpc())  // add slashes if gpc is off
{
  // Only the superglobal arrays are escaped. Variables that PHP has already
  // registered as plain globals (register_globals=1) are not touched.
  $_POST   = AddSlashesArray($_POST);
  $_GET    = AddSlashesArray($_GET);
  $_COOKIE = AddSlashesArray($_COOKIE);
}
--[/script includes/core.php]--

But the script's functions pull their parameters in with "global", i.e. from the global symbol table, not from the $_POST/$_GET arrays.
With register_globals=1, PHP fills those globals from the raw request before core.php even runs, so the addslashes() pass above never reaches them.

--[script includes/core.php]--
if(function_exists('ini_get'))
{
  $globalsoption = ini_get('register_globals');
}
else
{
  $globalsoption = get_cfg_var('register_globals');
}
// register_globals=0: emulate it by extracting the long arrays into globals.
// register_globals=1: nothing happens here; PHP already created one global
// per request parameter, from the raw request, before this script ran.
if($globalsoption != 1)
{
  @extract($HTTP_SERVER_VARS,  EXTR_SKIP);
  @extract($HTTP_COOKIE_VARS,  EXTR_SKIP);
  @extract($HTTP_POST_FILES,   EXTR_SKIP);
  @extract($HTTP_POST_VARS,    EXTR_SKIP);
  @extract($HTTP_GET_VARS,     EXTR_SKIP);
  @extract($HTTP_ENV_VARS,     EXTR_SKIP);
  @extract($HTTP_SESSION_VARS, EXTR_SKIP);
}
--[/script includes/core.php]--

With register_globals=1, therefore, any function that declares a request parameter as "global" works on the unescaped value, and an attacker can inject SQL through it. (The register_globals=0 branch extracts from $HTTP_GET_VARS rather than from the $_GET copy that was escaped above; whether the long arrays still hold the raw values on a given PHP version is not covered by this advisory and should be checked separately.)

EXAMPLE
+--------------+
|SQL injection |
+--------------+
Vulnerable script: plugins/p17_image_gallery/imagegallery.php

--[code]--
function p17_DisplayImages($sectionid, $start)
{
  global $DB;
  global $categoryid;
  global $p17_imageid;   // read from the global scope, not from $_GET
 [...]
 if(isset($p17_imageid))
 {
 // $p17_imageid is interpolated into the query unescaped; a value containing
 // a single quote breaks out of the string literal.
 $image = $DB->query_first("SELECT * FROM p17_images WHERE imageid = '$p17_imageid'");
 [...]
 // later, inside the HTML string the function echoes: the selected row's
 // filename column is reflected into the page
 <td style="padding-top: 20px;" align="center"><img src="plugins/p17_image_gallery/images/'.$image['filename'].'" /></td>
--[/code]--

[Exploit]
http://subdreamer/index.php?categoryid=3&p17_sectionid=1&p17_imageid=[SQL code]
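To make the ordering problem concrete, here is an added PHP script (not Subdreamer's code) that simulates the flow above on a constructed request. The register_globals directive no longer exists in PHP, so a small registerGlobals() stand-in populates globals from the request the way PHP 4 did, before the addslashes() pass; AddSlashesArray() is an assumed reimplementation, since the advisory does not show the helper's body. The value lands inside single quotes in the query, so the payload used here begins with a quote, as any real [SQL code] for this URL would.

```php
<?php
// Added example, not Subdreamer code. The request below is constructed and
// AddSlashesArray() is an assumed reimplementation of the core.php helper.

// Constructed raw request, as PHP would parse it from the exploit URL.
$_GET = [
    'categoryid'    => '3',
    'p17_sectionid' => '1',
    'p17_imageid'   => "1' OR '1'='1",
];

// register_globals=1: PHP creates one global per request key BEFORE any
// application code runs. Simulated here because the directive is gone.
function registerGlobals(array $request): void
{
    foreach ($request as $name => $value) {
        $GLOBALS[$name] = $value;
    }
}
registerGlobals($_GET);

// Assumed shape of the core.php helper: addslashes() applied recursively.
function AddSlashesArray(array $arr): array
{
    foreach ($arr as $k => $v) {
        $arr[$k] = is_array($v) ? AddSlashesArray($v) : addslashes($v);
    }
    return $arr;
}

// core.php escapes the superglobal copy only; $GLOBALS['p17_imageid'] keeps
// exactly what the attacker sent.
$_GET = AddSlashesArray($_GET);

// What imagegallery.php effectively does: build the query from the bare global.
function vulnerableQuery(): string
{
    global $p17_imageid;
    return "SELECT * FROM p17_images WHERE imageid = '$p17_imageid'";
}

// The same query built from the escaped superglobal instead.
function slashedQuery(): string
{
    $id = $_GET['p17_imageid'];
    return "SELECT * FROM p17_images WHERE imageid = '$id'";
}

// Fix that depends on no ini setting: imageid is numeric, so cast it (or
// bind it as a prepared-statement parameter) and never interpolate a quoted
// string.
function hardenedQuery(): string
{
    $id = (int) $_GET['p17_imageid'];
    return "SELECT * FROM p17_images WHERE imageid = $id";
}

// True when the attacker's quote/OR sequence survived into the SQL text.
function quoteLeaks(string $sql): bool
{
    return strpos($sql, "' OR '") !== false;
}

echo vulnerableQuery(), "\n";
echo slashedQuery(), "\n";
echo hardenedQuery(), "\n";
var_dump(quoteLeaks(vulnerableQuery()), quoteLeaks(slashedQuery()), quoteLeaks(hardenedQuery()));
```

Run it with the php CLI: vulnerableQuery() returns the statement with the attacker's quote intact and quoteLeaks() reports true for it, slashedQuery() shows the backslash-escaped form the script would have seen had it read $_GET, and hardenedQuery() yields a bare integer comparison for which quoteLeaks() is false. Casting or parameter binding is the real fix; the addslashes() pass is only a stopgap, and the advisory's point is that this stopgap is silently skipped for "global" variables.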
  

/* ================================================== */
/* www.ghc.ru -- security games & challenges          */
/* ================================================== */
/* greets to: 1dt.w0lf & RST.void.ru                  */
/* and e-defense group.                               */
/* ================================================== */

