Bugtraq mailing list archives
Not SQL injection and XSS in paFileDB?
From: saudi linux <ksa2ksa () yahoo com>
Date: 12 Mar 2005 21:01:47 -0000
In-Reply-To: <20050312182442.22116.qmail () www securityfocus com>
Received: (qmail 27749 invoked from network); 12 Mar 2005 19:45:27 -0000 Received: from outgoing.securityfocus.com (HELO outgoing2.securityfocus.com) (205.206.231.26) by mail.securityfocus.com with SMTP; 12 Mar 2005 19:45:27 -0000 Received: from lists2.securityfocus.com (lists2.securityfocus.com [205.206.231.20]) by outgoing2.securityfocus.com (Postfix) with QMQP id 6C68014544F; Sat, 12 Mar 2005 12:52:18 -0700 (MST) Mailing-List: contact bugtraq-help () securityfocus com; run by ezmlm Precedence: bulk List-Id: <bugtraq.list-id.securityfocus.com> List-Post: <mailto:bugtraq () securityfocus com> List-Help: <mailto:bugtraq-help () securityfocus com> List-Unsubscribe: <mailto:bugtraq-unsubscribe () securityfocus com> List-Subscribe: <mailto:bugtraq-subscribe () securityfocus com> Delivered-To: mailing list bugtraq () securityfocus com Delivered-To: moderator for bugtraq () securityfocus com Received: (qmail 32145 invoked from network); 12 Mar 2005 04:00:48 -0000 Date: 12 Mar 2005 18:24:42 -0000 Message-ID: <20050312182442.22116.qmail () www securityfocus com> Content-Type: text/plain Content-Disposition: inline Content-Transfer-Encoding: binary MIME-Version: 1.0 X-Mailer: MIME-tools 5.411 (Entity 5.404) From: SecurityReason <sp3x () securityreason com> To: bugtraq () securityfocus com Subject: [SECURITYREASON.COM] SQL injection and XSS in paFileDB -=[ SecurityReason-2005-SRA#03 ]=- -=[ SQL injection and XSS in paFileDB ]=- Author: sp3x Date: 12 March 2005 Affected software : =================== paFileDB version : =>3.1 Description : ============= paFileDB is designed to allow webmasters have a database of files for download on their site. To add a download, all you do is upload the file using FTP or whatever method you use, log into paFileDB's admin center, and fill out a form to add a file. paFileDB lets you edit and delete the files too. No more messing with a bunch of HTML pages for a file database on your site! Using speedy MySQL for storing data, and powerful PHP for processing everything, paFileDB is one of the best and easiest ways to manage files! SQL injection: ======================= /includes/viewall.php /includes/category.php Code: ------------------------------------------------------------------------------------------------- if ($sortby == "name") { $result = $pafiledb_sql->query($db, "SELECT * FROM $db[prefix]_files WHERE file_pin = '0' ORDER BY file_name ASC LIMIT $start,20", 0); } if ($sortby == "date") { $result = $pafiledb_sql->query($db, "SELECT * FROM $db[prefix]_files WHERE file_pin = '0' ORDER BY file_time DESC LIMIT $start,20", 0); } if ($sortby == "downloads") { $result = $pafiledb_sql->query($db, "SELECT * FROM $db[prefix]_files WHERE file_pin = '0' ORDER BY file_dls DESC LIMIT $start,20", 0); } if ($sortby == "rating") { $result = $pafiledb_sql->query($db, "SELECT * FROM $db[prefix]_files WHERE file_pin = '0' ORDER BY (file_rating/file_totalvotes - 1) DESC LIMIT $start,20", 0); } -------------------------------------------------------------------------------------------------- As we can see the $start variable is vuln for sql injection attack. But this sql injection for now is not critical , why ? because if we want to inject malicious code to sql sentence after "ORDER BY" or after "LIMIT", then in current MySql versions, all we can do, is to fail the sql request. No UNION-s etc. When we try to inject sql sentence we get : "Wrong usage of UNION and ORDER BY Error number: 1221" so we must wait When Mysql version 4.1 will be widely used then we can have something like this - "ORDER BY desc ASC LIMIT (SELECT our_table FROM pafiledb_admin)...". Examples: ========= Sql injection: -------------- http://[target]/[pafiledb_dir]/pafiledb.php?action=viewall&start='&sortby=rating http://[target]/[pafiledb_dir]/pafiledb.php?action=category&start='&sortby=rating error message : --------------- paFileDB was unable to successfully run a MySQL query. MySQL Returned this error: You have an error in your SQL syntax near '\',20' at line 1 Error number: 1064 The query that caused this error was: SELECT * FROM pafiledb_files WHERE file_pin = '0' ORDER BY (file_rating/file_totalvotes - 1) DESC LIMIT \',20 Also in this error message we can see the [prefix] pafiledb tables that should be hidden :) And we can insert XSS code in error message for example : Cros Site Scripting (XSS): -------------------------- http://[target]/[pafiledb_dir]/pafiledb.php?action=viewall&start="><iframe%20src=http://www.securityreason.com></iframe&sortby=ratinghttp://[target]/[pafiledb_dir]/pafiledb.php?action=category&start="><iframe%20src=http://www.securityreason.com></ifram e>&sortby=date error message : --------------- paFileDB was unable to successfully run a MySQL query. MySQL Returned this error: You have an error in your SQL syntax near '[Our XSS]',20' at line 1 Error number: 1064 The query that caused this error was: SELECT * FROM pafiledb_files WHERE file_pin = '0' ORDER BY (file_rating/file_totalvotes - 1) DESC LIMIT [Our XSS]',20 How to fix : ============ Download the new version of the script or update. Vendor : ======== No respond Greetz : ======== Special greetz : cXIb8O3 , pkw :] Contact : ========= sp3x[at]securityreason[dot].com www.securityreason.com
Dear sp3x are you sure this is SQL injection or XSS ? i do not think it's SQL injection becuse u use XSS Vuln in your Bug i hope you read more info about SQL injection
Current thread:
- Not SQL injection and XSS in paFileDB? saudi linux (Mar 14)