[VIM] RE: Alternate theory on OvBB "SQL" vulnerability (fwd)

Steven M. Christey coley at linus.mitre.org
Wed Nov 30 19:39:50 EST 2005


Vindication!  woo-hoo! :)

---------- Forwarded message ----------
Date: Wed, 30 Nov 2005 18:37:38 -0600
From: J. Freeman <jon at ovbb.org>
To: Steven M. Christey <coley at mitre.org>
Subject: RE: Alternate theory on OvBB "SQL" vulnerability

Hi Steve,

Okay, I've looked this over, and I think I understand what's happened.

Like you suggested, the invalid SQL caused an error to be generated. (This
even happens when error reporting is kept at its default.)
Said error triggered my database error handler, the output of which r0t
received.

If that's all there was to it, he would have only received a message saying
there's something wrong with the database--not enough to presume an exploit
had been made.

HOWEVER... before publishing this latest version, I forgot to turn *off*
verbose output in said handler (which essentially shows all previous SQL
queries). r0t probably saw all those previous queries and assumed he had
successfully exploited a vulnerability.

Anyway, I'll fix this by typecasting the user's input to an integer, as well
as turning OFF my handler's verbose output.

Thanks for helping me figure this out. How did you hear about this?


Regards,

J. Freeman


-----Original Message-----
From: Steven M. Christey [mailto:coley at mitre.org]
Sent: Wednesday, November 30, 2005 12:16 AM
To: jon at ovbb.org
Cc: coley at mitre.org
Subject: Alternate theory on OvBB "SQL" vulnerability



Hello,

I'm a vulnerability researcher for CVE, a standard naming scheme for
vulnerabilities.

I looked at the source code for 0.08a and see how you used
mysql_real_escape_string to sanitize the parameters in question.

However, you don't check that they are numeric.

If someone has PHP verbose errors on, and you provide the parameters
with a non-numeric argument, then would it generate a SQL error that
complains about the bad data type?

This could be what r0t saw that made him think it's SQL injection.
This is a common diagnostic error made by many beginning researchers.

- Steve



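The two pieces of the explanation above, escaping that never checks the value is numeric and an error handler whose verbose mode echoes the query history, reconstructed as an added Python/sqlite3 example (not OvBB code; the table, row, `query_history` list and helper names are constructed stand-ins for the PHP originals):

```python
import sqlite3

# Constructed stand-in for the board's database: one table, one row.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE threads (id INTEGER PRIMARY KEY, title TEXT)")
    conn.execute("INSERT INTO threads VALUES (1, 'Welcome')")
    return conn

# Every statement is remembered, as the board's handler did for its verbose mode.
query_history = []

def run(conn, sql):
    query_history.append(sql)
    return conn.execute(sql).fetchall()

def escape_quotes(value):
    # Stands in for mysql_real_escape_string: neutralises quote characters
    # but says nothing about whether the value is a number.
    return value.replace("\\", "\\\\").replace("'", "''")

def to_int(value):
    # Stands in for PHP's (int) cast (simplified): non-numeric input becomes 0.
    return int(value) if value.strip().lstrip("-").isdigit() else 0

def fetch_thread(conn, thread_id, cast_to_int):
    if cast_to_int:
        param = str(to_int(thread_id))      # the fix: integer, always valid SQL
    else:
        param = escape_quotes(thread_id)    # escaping alone, as in 0.08a
    return run(conn, "SELECT title FROM threads WHERE id = " + param)

def db_error_page(exc, verbose):
    # A visitor should only ever see the generic line; the verbose variant
    # (left enabled by mistake) dumps every previous query into the response,
    # which is what made the error page look like a successful exploit.
    if not verbose:
        return "There is a problem with the database."
    return "Database error: %s\nPrevious queries:\n%s" % (exc, "\n".join(query_history))

def view_thread(conn, thread_id, cast_to_int=False, verbose=False):
    try:
        rows = fetch_thread(conn, thread_id, cast_to_int)
    except sqlite3.Error as exc:   # e.g. "no such column: abc" for a bare word
        return db_error_page(exc, verbose)
    return rows[0][0] if rows else "No such thread."

if __name__ == "__main__":
    db = make_db()
    print(view_thread(db, "abc", verbose=True))      # leaks the query history
    print(view_thread(db, "abc", cast_to_int=True))  # "No such thread."
```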