TBDev Forum
Programming board

Preliminary XSS & SQL Injection Exploits.

2006-04-29 18:10:00
Group: Member
Posts: 2312
Topics participated: 1240
Topics started: 124
First post: 2006-02-25 21:12:00
Last post: 2009-01-03 14:56:00
Some of you may know that I visited your sites and have let you know if your sites are vulnerable. However, I only tested a couple and only with a limited subset of exploits.

So just because you never got a reply DOESN'T mean your site is safe! Indeed, further examination reveals not just a couple of exploits, but more like 20 or more. These apply to the standard source and are inherent (not induced) from the very first original torrentbits snapshots.

Also, many of the modifications are vulnerable, especially if "new" coders have copy & pasted parts of the original code & functions.

The essential thing to realise (which comes from a complete audit of ALL your source code) is that you must never, never echo back user data, unless you're absolutely sure you need to, and then it MUST be untainted.

Furthermore, never ever use supplied data in an SQL query unless you absolutely MUST, and then it MUST be sanitised... if you're expecting an integer, make sure it's an integer; likewise, if you're expecting a "user selected" parameter to change the flow of a script, make sure you never echo it back, or at least make sure it is something you're expecting!

Look at the parameters you expect in your scripts and only accept them and nothing else! There are several ways to achieve this:

Simple integers:

$id = 0 + $_GET['id'];
$id = (int)$_GET['id'];

For string & integer parameters there's several ways:

Check the longest parameter length and use substr($string, 0, 5) to check the length or match it within a set of "known" parameters with in_array() like:

array("cmd" => "command", "cat" => "category" ...)

or use something like:

// Fetch $index from a request array, cap it at $maxlength characters and escape it for MySQL.
// Returns NULL when the parameter was not supplied at all.
// mysql_real_escape_string() needs an open MySQL connection, so call this after connecting.
function cleanit($array, $index, $maxlength)
{
    if (isset($array[$index]))
    {
        $input = substr($array[$index], 0, $maxlength);
        $input = mysql_real_escape_string($input);
        return ($input);
    }
    return NULL;
}

For instance, it's unlikely you're gonna have over 100 categories so make sure the integer is only length == 2 with:

$catid = cleanit($_GET, "catid", 2);

likewise, a string parameter of length 7:

$string = cleanit($_POST, "string", 7);

Anyway, I might be blinding you with all that, but the biggest culprits are:

GET's & POST's that are unchecked and used to display user supplied data, and/or are used directly in SQL queries.

The other main culprit is:

stderr("error", "That userid $id isn't valid");
stderr("Error", "the postid $postid doesn't exist");

removing the variable or using htmlentities() on it goes half way to removing the exploit.
...more to follow.
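The rules above (cast integers, cap the length, never echo raw input back) applied to a details.php-style lookup, as an added example that is not code from the original post or from the TBDev source. The helper names clean_int and safe_stderr are assumed, as is PHP 7.1+ syntax.

```php
<?php
// Added example: validate an integer parameter and report errors without reflecting input.

// Accept only a plain decimal integer of at most $maxlength digits; anything else -> null.
function clean_int(array $src, string $key, int $maxlength): ?int
{
    if (!isset($src[$key]) || !is_string($src[$key])) {
        return null;                        // missing, or ?id[]=... (arrives as an array)
    }
    $raw = $src[$key];
    // ctype_digit rejects "", "-1", "1e3", " 12" and "1 OR 1=1";
    // a bare (int) cast would silently turn those into a number instead.
    if ($raw === '' || strlen($raw) > $maxlength || !ctype_digit($raw)) {
        return null;
    }
    return (int)$raw;
}

// Error page that HTML-escapes both arguments, so nothing user-controlled is echoed raw.
function safe_stderr(string $heading, string $text): void
{
    $h = htmlspecialchars($heading, ENT_QUOTES, 'UTF-8');
    $t = htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
    echo "<h2>$h</h2>\n<p>$t</p>\n";
    exit;
}

// Constructed request standing in for $_GET; try '12abc', '-1' or '1 OR 1=1' to see it rejected.
$get = ['id' => '42'];

$id = clean_int($get, 'id', 8);
if ($id === null) {
    // Before: stderr("Error", "No torrent with ID $id.");  reflected the raw value.
    // After: a fixed message; the bad value never reaches the page.
    safe_stderr('Error', 'Invalid torrent ID.');
}

// $id is a real integer now, so %d can only ever place digits into the query.
$sql = sprintf('SELECT id, name FROM torrents WHERE id = %d', $id);
echo $sql, "\n";
```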
 
2006-04-29 20:21:00
Group: Member
Posts: 2312
Topics participated: 1240
Topics started: 124
First post: 2006-02-25 21:12:00
Last post: 2009-01-03 14:56:00
These are just some of the files/areas you need to look at. Not all are exploitable, but then it all depends where your source came from. The bottom line is, make sure everything is untainted.

Thanks go to DRRRR for also working at this.
------------------------------------------------------------------------------------------------
bitbucket-upload.php(33): stderr("Error", "Invalid file name extension: $ext");

browse.php(61): stderr("Error", "Invalid category ID $category");

delacct.php(22): stderr("Success", "The account $username was deleted.");

details.php(193): stderr("Error", "No torrent with ID $id.");

forums.php(145): $arr = mysql_fetch_assoc($res) or stderr("Forum error", "Topic not found.");
forums.php(178): stderr("Error", "No post with ID $postid.");

forums.php(817): stderr("Error", "Invalid topic ID $topicid.");

forums.php(933): stderr("Error", "No post with ID $postid.");
forums.php(941): stderr("Error", "No topic associated with post ID $postid.");

forums.php(1457): stderr("Forum Error", "Unknown action '$action'.");
friends.php(16): stderr("Error", "Invalid ID $userid.");

friends.php(32): stderr("Error", "Invalid ID $$targetid.");
friends.php(45): stderr("Error", "Unknown type $type");
friends.php(49): stderr("Error", "User ID $targetid is already in your $table_is list.");
friends.php(65): stderr("Error", "Invalid ID $userid.");
friends.php(68): stderr("Delete $type","Do you really want to delete a $type? Click\n" .
friends.php(75): stderr("Error", "No friend found with ID $targetid");
friends.php(81): stderr("Error", "No block found with ID $targetid");
friends.php(84): stderr("Error", "Unknown type $type");

makepoll.php(15): stderr("Error","Invalid ID $pollid.");
makepoll.php(19): stderr("Error","No poll found with ID $pollid.");

modtask.php(11): stderr("w00t", $text);

news.php(73): stderr("Error", "No news item with ID $newsid.");

recover.php(13): $arr = mysql_fetch_assoc($res) or stderr("Error", "The email address $email was not found in the database.\n");

recover.php(46): stderr("Success", "A confirmation email has been mailed to $email.\n" .

recover.php(105): stderr("Success", "The new account details have been mailed to $email.\n" .
sendmessage.php(34): stderr("Error", "Permission denied");

takelogin.php(16): stderr("Login failed!", $text);

takemessage.php(83): stderr("Error", "No user with ID $receiver.");

testip.php(18): stderr("Result", "The IP address $ip is not banned.");
testip.php(31): stderr("Result", "
The IP address $ip is banned:

$banstable

");

userhistory.php(261): stderr("History Error", "Unknown action '$action'.");
------------------------------------------------------------------------------------------------

There's more to come, as you can see these are all for stderr() ... If you're unsure, it's better to remove the variable, unless you're absolutely sure. Best way is to follow the variables through the script.
 
2006-05-01 17:58:00
Group: Member
Posts: 1378
Topics participated: 601
Topics started: 11
First post: 2006-02-25 01:34:00
Last post: 2008-12-22 14:17:00
hey not bad at all
 
2006-05-01 20:50:00
Group: Member
Posts: 1378
Topics participated: 601
Topics started: 11
First post: 2006-02-25 01:34:00
Last post: 2008-12-22 14:17:00
best hint - don't use user-inputted data for display
bitbucket-upload.php(33): stderr("Error", "Invalid file name extension: $ext");

to
bitbucket-upload.php(33): stderr("Error", "Invalid file name extension");

will work just as well, since the user should know what file he uploaded

and if you can't escape it
use the htmlspecialchars() function or build a special function
that will filter out possible exploits
recover.php(46): stderr("Success", "A confirmation email has been mailed to $email.\n"

to
recover.php(46): stderr("Success", "A confirmation email has been mailed to ". htmlspecialchars($email) .".\n"
 
2006-05-02 01:35:00
Group: Member
Posts: 328
Topics participated: 151
Topics started: 9
First post: 2006-02-25 02:06:00
Last post: 2008-11-14 07:15:00
right on man. thanks.
 
2006-05-02 02:45:00
Group: Member
Posts: 1378
Topics participated: 601
Topics started: 11
First post: 2006-02-25 01:34:00
Last post: 2008-12-22 14:17:00
blame CF for making me think of a method
 
2006-05-02 03:08:00
Group: Member
Posts: 328
Topics participated: 179
Topics started: 48
First post: 2006-02-25 15:11:00
Last post: 2008-09-10 12:19:00
Nice one CoLdFuSiOn thanks for letting us know about these.
If there is anything I can do let me know.........
Sorry that I haven't been here much the past few days except to check out the occasional email that I received from here... will try to do better though.
 
2006-05-02 10:20:00
Group: Member
Posts: 2312
Topics participated: 1240
Topics started: 124
First post: 2006-02-25 21:12:00
Last post: 2009-01-03 14:56:00
No problem...;)

I am a little surprised no one else has commented though, as I know for a fact they have sources that are on the "bendy" side. I would have thought it was a good opportunity to nip all this in the bud, before it gets released publicly... then you'll have every little script-kiddie pumping your tracker with nonsense! LoL

Anyway, here's some more items on the agenda... again, not all are exploitable, but I'm not gonna tell you which are, as imo everything should be untainted, even if you think you trust it. Furthermore, even if you're protecting an area with get_user_class < UC_WHATEVER, what if someone has managed to grab a passhash and masquerades as > UC_WHATEVER? Then you're lulled into a false sense of security... he/she can then go on to further escalate their privileges!

-------------------------------------------------------------------------------------
comment.php(6): $action = $_GET["action"];
comment.php(192): stderr("Error", "Unknown action $action");
forums.php(10): $action = $_GET["action"];
forums.php(1460): if ($action != "")
forums.php(1461): stderr("Forum Error", "Unknown action '$action'.");
friends.php(8): $action = $_GET['action'];
makepoll.php(9): $action = $_GET["action"];
makepoll.php(12): if ($action == "edit")
modtask.php(17): $action = $_POST["action"];
news.php(11): $action = $_GET["action"];
polls.php(6): $action = $_GET["action"];
userhistory.php(16): $action = $_GET["action"];
userhistory.php(252): if ($action != "")
userhistory.php(253): stderr("History Error", "Unknown action '$action'.");
 
2006-05-02 10:35:00
Group: Member
Posts: 1378
Topics participated: 601
Topics started: 11
First post: 2006-02-25 01:34:00
Last post: 2008-12-22 14:17:00
all the if($action)
should be fine.
since it's used in comparative code only....
just have to make sure there is a default if the compares fail
 
2006-05-02 11:38:00
Group: Member
Posts: 2312
Topics participated: 1240
Topics started: 124
First post: 2006-02-25 21:12:00
Last post: 2009-01-03 14:56:00
Look at the top of forums.php ( $action = $_GET["action"];), then scroll down to the unhandled action (stderr("Forum Error", "Unknown action '$action'.");)

Ping! Only of low/moderate value, but still.
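The $_GET["action"] pattern traced through forums.php above, rewritten with a whitelist and a default so the "Unknown action '$action'" echo disappears, as an added example that is not code from forums.php or from the original posts. The helper name dispatch_action and the action names are assumed; PHP 7.1+ syntax.

```php
<?php
// Added example: whitelist the flow-control parameter, default when it is missing,
// and never put the rejected value into the error page.

const ALLOWED_ACTIONS = ['viewforum', 'viewtopic', 'newtopic', 'reply'];

// Returns [action, error]: exactly one of the two is non-null.
function dispatch_action(array $get, array $allowed, string $default): array
{
    // Missing or empty parameter: use the default rather than letting "" fall through.
    if (!isset($get['action']) || $get['action'] === '') {
        return [$default, null];
    }
    $action = $get['action'];
    // ?action[]=x arrives as an array; reject it before any string handling.
    if (!is_string($action) || !in_array($action, $allowed, true)) {
        // Before: stderr("Forum Error", "Unknown action '$action'.");  echoed the value.
        // After: fixed message to the browser; the rejected value goes to the server log,
        // hex-encoded so it cannot forge log lines either.
        $shown = is_string($action) ? bin2hex(substr($action, 0, 64)) : gettype($action);
        error_log('forums.php: rejected action ' . $shown);
        return [null, 'Unknown action.'];
    }
    return [$action, null];
}

// Constructed requests standing in for $_GET.
foreach ([[], ['action' => 'viewtopic'], ['action' => '<script>x</script>']] as $get) {
    [$action, $error] = dispatch_action($get, ALLOWED_ACTIONS, 'viewforum');
    if ($error !== null) {
        echo "error: $error\n";           // never contains the submitted string
        continue;
    }
    echo "dispatch to $action\n";        // only a whitelisted value reaches this point
}
```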
 
