Date: Thu Jun  2 15:26:13 2005
From: research at sec-consult.com (Bernhard Müller)
Subject: SEC-CONSULT SA20050602-2 :: Exhibit Engine Blind SQL Injection

SEC-CONSULT Security Advisory 20050602-2
=============================================================================
                  title: Exhibit Engine Blind SQL Injection
                program: Exhibit Engine
     vulnerable version: 1.22, 1.54 RC4
               homepage: http://photography-on-the.net/ee/
                         http://photography-on-the.net/ee/beta/
                  found: 2005-06-01
                     by: sk0L / SEC-CONSULT / www.sec-consult.com
=============================================================================

vendor description:
---------------
The Exhibit Engine is a PHP/MySQL application for smooth and versatile
online photograph display. It is especially designed to give detailed
technical info on each photo, with text descriptions and gear info, but
all that technical data is not required.


vulnerability overview:
---------------
SQL injection is possible through several POST parameters of the script
list.php. Although there is no way to get output from a UNION statement
directly, there is at least one way to read arbitrary database entries
via blind SQL injection.


proof of concept:
---------------

here's the relevant code section from list.php:

---- code -----

// $search_row, $wildcard1, $keyword and $wildcard2 are taken from the
// request and interpolated into the query; $search_row is not quoted.
$resultcount = mysql_query(
"
SELECT
    ee_photo.ee_photo_id
FROM
    [...]
WHERE
    ee_photo.ee_photo_for_www = 'yes'
    AND $search_row LIKE '$wildcard1$keyword$wildcard2'
    AND ...
"
    );

if (!$resultcount) {
    $queryname = "resultcount";
    include("db_error.php");   // prints the tail of the MySQL error message
}


$total = mysql_num_rows($resultcount);
$how_many = count($count_total);
// $offset comes from the request and is only clamped, never validated
if ($offset > $how_many) {
    $offset = $how_many;
}

// $sort_row, $order, $offset and $perpage are interpolated as well, and
// none of them sit inside quotes, so no quote has to be escaped.
$fetchlist = mysql_query(
"
SELECT
    $q0,$q1,...,$q43
FROM
    ee_photo,
    [...]
    ee_order_to_exhibition
WHERE
    ee_photo.ee_photo_for_www = 'yes'
    [...]
    AND ee_exhibition.ee_exhibition_pass = '$pass'
ORDER
    by $sort_row $order
LIMIT
    $offset,$perpage
"
    );

---- /code ----

we can inject SQL into the variables $search_row, $sort_row, $order and
$perpage without having to escape any quotes. Unfortunately, a UNION can
only be placed in $search_row, and because $search_row is used in both
queries, which select a different number of columns, the second query
will inevitably produce an error. We can use blind SQL injection, though:

* set $offset=1
* put the injection string into $search_row, e.g.:

search_row=ee_photo.ee_photo_exif_iso%3D1+AND+1%3D2+UNION+SELECT+user+FROM+mysql.user+WHERE+user+LIKE+0x254125+/*+
* if the injected condition yields 1 (TRUE), $offset will be set to 1;
  FALSE will set it to 0.
* now we still have to produce an error in the second query by
  specifying some invalid $order or $sort_row. The last part of the
  SQL error message is echoed by Exhibit Engine, so we learn the value
  of $offset and therefore the result of the condition.

it should be relatively easy to code an exploit for this (sorry but I
don't have the time atm).
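As an added example that is not part of this advisory or of Exhibit Engine, here is the same list.php query built so that none of $search_row, $sort_row, $order, $offset or $perpage can carry SQL: column identifiers and the sort direction come from fixed allow-lists, the LIMIT values are cast to integers, and the keyword is passed as a bound parameter. The column names other than those visible in the code above are assumed.

```php
<?php
// Hardened replacement for the list.php query construction shown above.
// Added example, not Exhibit Engine's code; column names are assumed.

// Allow-lists: request values are keys, real column names are values.
const SEARCHABLE_COLUMNS = [
    'title' => 'ee_photo.ee_photo_title',     // assumed column
    'iso'   => 'ee_photo.ee_photo_exif_iso',  // column named in the advisory
];
const SORTABLE_COLUMNS = [
    'id'    => 'ee_photo.ee_photo_id',
    'title' => 'ee_photo.ee_photo_title',     // assumed column
];
const ORDER_DIRECTIONS = ['asc' => 'ASC', 'desc' => 'DESC'];

/**
 * Builds [$sql, $bindings] for the photo list. Throws if search_row,
 * sort_row or order is not on an allow-list, so SQL fragments in those
 * parameters never reach MySQL; offset/perpage are forced to integers.
 */
function build_list_query(array $req): array
{
    $searchCol = SEARCHABLE_COLUMNS[(string)($req['search_row'] ?? '')] ?? null;
    $sortCol   = SORTABLE_COLUMNS[(string)($req['sort_row'] ?? 'id')] ?? null;
    $direction = ORDER_DIRECTIONS[strtolower((string)($req['order'] ?? 'asc'))] ?? null;
    if ($searchCol === null || $sortCol === null || $direction === null) {
        throw new InvalidArgumentException('unknown search/sort column or order');
    }
    // LIMIT values: cast and clamp rather than interpolate what the client sent.
    $offset  = max(0, (int)($req['offset'] ?? 0));
    $perpage = min(100, max(1, (int)($req['perpage'] ?? 20)));
    // Wildcards are added here; the keyword itself is a bound parameter.
    $keyword = str_replace(['\\', '%', '_'], ['\\\\', '\%', '\_'], (string)($req['keyword'] ?? ''));
    $sql = "SELECT ee_photo.ee_photo_id FROM ee_photo"
         . " WHERE ee_photo.ee_photo_for_www = 'yes'"
         . " AND $searchCol LIKE :keyword"
         . " ORDER BY $sortCol $direction"
         . " LIMIT $offset, $perpage";
    return [$sql, [':keyword' => "%$keyword%"]];
}

// Constructed requests: the second carries an SQL fragment and is rejected.
[$sql, $bind] = build_list_query(['search_row' => 'iso', 'keyword' => '100', 'order' => 'desc']);
echo $sql, "\n";   // with a PDO connection: $pdo->prepare($sql)->execute($bind)
try {
    build_list_query(['search_row' => 'iso AND 1=2 /*', 'offset' => '1']);
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```

Because the column and direction tokens never come from the request verbatim, the boolean side channel through $offset and the error message described above has nothing to evaluate.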


vulnerable versions:
---------------

Exhibit Engine v1.22 is definitely vulnerable. 1.54 RC4 seems to be
vulnerable too, although exploitation may differ slightly.
It is very likely that the vulnerability exists in most other versions of
Exhibit Engine.


vendor status:
---------------
vendor notified: 2005-06-01
vendor response: immediately
patch available: 2005-06-02

Pekka Saarinen has published a workaround for all current versions of
Exhibit Engine. It is available at:

http://photography-on-the.net/forum/showthread.php?p=579692

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Bernhard Mueller / www.sec-consult.com /
