[VIM] verified SQL injection in IntegraMOD 1.4.0 (source inspection)
Steven M. Christey
coley at mitre.org
Mon Jun 12 17:44:10 EDT 2006
Ref:
BUGTRAQ:20060606 Multiple Sql injection and XSS in integramod portal
URL:http://www.securityfocus.com/archive/1/archive/1/436457/100/0/threaded
Some VDBs didn't list the SQL injection, but they listed the XSS.
Notice in the Bugtraq post that the demo URL is:
http://target/index.php?STYLE_URL=%2527
which decodes to "%27" which, itself, decodes to "'"
So, we have SQL injection by double-decoding.
From includes/functions.php of a 1.4.0 download:

if ( isset($HTTP_POST_VARS[STYLE_URL]) || isset($HTTP_GET_VARS[STYLE_URL]) )
{
    $style = urldecode( (isset($HTTP_POST_VARS[STYLE_URL])) ? $HTTP_POST_VARS[STYLE_URL] : $HTTP_GET_VARS[STYLE_URL] );
    if ( $theme = setup_style($style) )
    {
        ....

if ( isset($HTTP_COOKIE_VARS[$board_config['cookie_name'] . '_style']) )
{
    $style = $HTTP_COOKIE_VARS[$board_config['cookie_name'] . '_style'];
    if ( $theme = setup_style($style) )
    {
        ...

function setup_style($style)
{
    global $db, $board_config, $template, $images, $phpbb_root_path, $var_cache, $portal_config, $current_template_path;
    // BEGIN Style Select MOD
    if ( intval($style) == 0 )
    {
        $sql = "SELECT themes_id
            FROM " . THEMES_TABLE . "
            WHERE style_name = '$style'";
So... setup_style() checks if its $style argument equates to an
integer value of 0, which is the case with most arbitrary non-numeric
strings as I understand it.
But it then just feeds '$style' into a SQL query.
I would venture a guess that the "%2527" string is first decoded to
"%27" by PHP itself (this is mentioned in a comment in the online PHP
manual entry for urlencode), and then the "urldecode" call will
translate the "%27" to a "'".
- Steve
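Added illustration (not code from the post or from IntegraMOD): the decode chain described above modelled in Python, plus a small access-log scanner that flags STYLE_URL values which look harmless after one decode but carry SQL metacharacters after the second, i.e. the ones a single-decode filter would miss. The sample log lines and the approximation of PHP's intval() are constructed assumptions.

```python
import re
from urllib.parse import unquote

SQL_META = ("'", '"', ";", "--", "/*")

def php_intval_is_zero(s):
    # Approximation of PHP's intval() on a string: leading integer or 0,
    # so almost any non-numeric string satisfies intval($style) == 0.
    m = re.match(r"\s*[+-]?\d+", s)
    return m is None or int(m.group()) == 0

def decode_chain(raw):
    # Model of the two decoding steps in the post: PHP decodes the query
    # string once when filling $HTTP_GET_VARS, then the application's own
    # urldecode() call decodes that result a second time.
    once = unquote(raw)
    twice = unquote(once)
    return once, twice

def classify_style_url(raw):
    # Classify a still-encoded STYLE_URL value by what reaches the query.
    once, twice = decode_chain(raw)
    if not php_intval_is_zero(twice):
        return "numeric"  # intval != 0: the string-query branch is skipped
    if any(m in once for m in SQL_META):
        return "plain-injection"  # a single-decode filter would catch this
    if any(m in twice for m in SQL_META):
        return "double-encoded-injection"  # only visible after decode #2
    return "benign"

def scan_access_log(lines):
    # Return (line no, raw value, verdict) for requests whose STYLE_URL
    # carries SQL metacharacters once the application has decoded it.
    hits = []
    for n, line in enumerate(lines, 1):
        m = re.search(r"[?&]STYLE_URL=([^&\s]*)", line)
        if not m:
            continue
        verdict = classify_style_url(m.group(1))
        if verdict.endswith("injection"):
            hits.append((n, m.group(1), verdict))
    return hits

# Constructed sample access-log lines (not from the original post).
SAMPLE_LOG = [
    "GET /index.php?STYLE_URL=subSilver HTTP/1.1",
    "GET /index.php?STYLE_URL=%2527 HTTP/1.1",
    "GET /index.php?STYLE_URL=%27%20OR%201=1 HTTP/1.1",
    "GET /index.php?STYLE_URL=3 HTTP/1.1",
]
```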