List: bugtraq
Subject: [waraxe-2005-SA#039] - Critical Sql Injection in Sgallery module
From: Janek Vind <come2waraxe () yahoo ! com>
Date: 2005-01-12 22:55:07
Message-ID: 20050113030805.16723.qmail () www ! securityfocus ! com
{================================================================================}
{ [waraxe-2005-SA#039] }
{================================================================================}
{ }
{ [ Critical Sql Injection in Sgallery module for PhpNuke ] }
{ }
{================================================================================}
Author: Janek Vind "waraxe"
Date: 12. January 2005
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-39.html
Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Module's Name: SGallery
Module's Version: 1.01
Module's Description: Simple JPG image gallery
License: GNU/GPL
Author's Name: Sergey Kiselev
Author's Email: ser@acmetelecom.ru
Homepage: http://www.ser.acmetelecom.ru
Vulnerabilities:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Let's look at source code from imageview.php:
----------------[ original code ]---------------
// $DOCUMENT_ROOT, $idalbum and $idimage all arrive as globals (register_globals era)
require_once("$DOCUMENT_ROOT/config.php");
require_once("$DOCUMENT_ROOT/includes/sql_layer.php");
$dbi = sql_connect ($dbhost,$dbuname,$dbpass,$dbname);
// the request-supplied id is concatenated into the query unquoted and unvalidated
if ($idalbum) {
    $result = sql_query("select picture from ".$prefix."_SGalbums where idalbum=".$idalbum,$dbi);
} elseif ($idimage) {
    $result = sql_query("select picture from ".$prefix."_SGimages where idimage=".$idimage,$dbi);
}
// if neither branch ran, $result is undefined (or attacker-supplied) at this point
list($echo) = sql_fetch_row($result, $dbi);
sql_free_result($result);
sql_logout ($dbi);
header ("Content-Type: image/jpeg");
echo $echo;
----------------[ /original code ]---------------
Now let's analyze the weak points.
A - Full Path Disclosure
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
If "$idalbum" and "$idimage" are both unset, then because of the open "if/elseif"
construction the variable "$result" will stay unset, or can be poisoned through
GET/POST/COOKIE. The following call to "sql_fetch_row()" will then trigger generic PHP
error messages, leading to full path disclosure. Path disclosure is considered a
low-level security threat, but it is still useful for further malicious actions.
B - Potential arbitrary file inclusion:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
A code construction such as
require_once("$DOCUMENT_ROOT/config.php");
require_once("$DOCUMENT_ROOT/includes/sql_layer.php");
is not very secure. Depending on the webserver software vendor, version number and
configuration settings (in particular, whether the server populates "$DOCUMENT_ROOT"
itself or a request is allowed to supply it), it can lead to arbitrary file inclusion
and possibly remote file inclusion.
C - Critical sql injection bug in "imageview.php":
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Looking at the source code presented above, we can see insecure SQL queries directed
to the database. To be exact, the user-submitted variables "$idalbum" and/or
"$idimage" are used in the WHERE clause of the SQL "SELECT" statement without being
quoted or escaped. This is clearly a SQL injection bug. Further exploitation will
depend on the database software and version. In the case of MySQL 4.x with UNION
functionality enabled, arbitrary data can be retrieved from the database, including
the admin(s)' authentication credentials. Traditionally, here is the proof of concept:
----------------[ real life exploit ]---------------
http://localhost/nuke75/modules/Sgallery/imageview.php?idimage=-99/**/UNION/**/SELECT/**/pwd/**/FROM/**/nuke_authors/**/WHERE/**/radminsuper=1
----------------[/real life exploit ]---------------
The best browser to test this POC is MSIE, which will show the admin password's MD5
hash as plain text. Firefox and other browsers will mostly render a "broken picture"
because of the "Content-Type: image/jpeg" header. Either way, the SQL injection exists,
can be exploited and must be fixed by the vendor as soon as possible.
How to fix:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Developer first contacted: 16. November 2004
No response from the developer after multiple emails sent.
The downloadable version of Sgallery is still unpatched.
How to fix this security hole - http://www.waraxe.us/forums.html
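One way to close all three issues (A, B and C) in imageview.php, written here as an added example and not the vendor's or waraxe's code. It assumes PhpNuke's config.php still defines $dbhost, $dbuname, $dbpass, $dbname and $prefix, that the file lives at modules/Sgallery/imageview.php, and that PDO with the MySQL driver is available; the table and column names are the ones from the advisory.

```php
<?php
// Hardened rewrite of SGallery's imageview.php (added example, not vendor code).
// Assumes PhpNuke's config.php still defines $dbhost, $dbuname, $dbpass, $dbname
// and $prefix, that this file lives in modules/Sgallery/, and that PDO is available.
// B: locate config relative to this file, never via the overridable $DOCUMENT_ROOT.
require_once dirname(__DIR__, 2) . '/config.php';
ini_set('display_errors', '0');   // never leak paths in error output (A)

// Read one id from $_GET only, accepting decimal digits and nothing else.
function readId(string $name): ?int {
    if (!isset($_GET[$name]) || !ctype_digit($_GET[$name])) {
        return null;
    }
    return (int) $_GET[$name];
}

$idalbum = readId('idalbum');
$idimage = readId('idimage');

// A: handle "neither parameter" explicitly instead of calling the fetch
// on an undefined $result.
if ($idalbum === null && $idimage === null) {
    http_response_code(400);
    exit('missing idalbum or idimage');
}

// $prefix comes from trusted config, but allow-list it since it names the table.
if (!preg_match('/^[A-Za-z0-9_]+$/', $prefix)) {
    http_response_code(500);
    exit('bad table prefix');
}
$table  = $prefix . ($idalbum !== null ? '_SGalbums' : '_SGimages');
$column = $idalbum !== null ? 'idalbum' : 'idimage';
$id     = $idalbum ?? $idimage;

// C: the id is bound as an integer parameter, so "-99 UNION SELECT ..." can never
// reach the SQL parser; table/column names come only from the allow-list above.
$pdo = new PDO("mysql:host=$dbhost;dbname=$dbname;charset=utf8mb4", $dbuname, $dbpass,
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]);
$stmt = $pdo->prepare("SELECT picture FROM {$table} WHERE {$column} = ? LIMIT 1");
$stmt->bindValue(1, $id, PDO::PARAM_INT);
$stmt->execute();
$picture = $stmt->fetchColumn();

if ($picture === false) {
    http_response_code(404);
    exit('no such image');
}
header('Content-Type: image/jpeg');
echo $picture;
```

With emulated prepares disabled the id is sent to MySQL as a bound integer, so the "/**/UNION/**/SELECT" payload from the PoC is rejected at readId() and could not be interpreted as SQL even if it got through.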
Additional resources:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Base64 encoder and decoder - http://base64-encoder-online.waraxe.us/
SiteMapper - free PHP script for phpNuke-powered websites - http://sitemapper.waraxe.us/
An easy-to-install solution for making phpNuke more Google friendly!
Greetings:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Greets to icenix, Raido Kerna, g0df4th3r and slimjim100!
Greetings - Heintz!
Contact:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
come2waraxe@yahoo.com
Janek Vind "waraxe"
Homepage: http://www.waraxe.us/
---------------------------------- [ EOF ] ------------------------------------