From: SecuriTeam <support@securiteam.com.>
To: [email protected]
Date: 13 Mar 2005 19:40:00 +0200
Subject: [UNIX] paFileDB SQL Injection
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <20050313175530.2945457C6@mail.tyumen.ru.>
X-Virus-Scanned: antivirus-gw at tyumen.ru
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
paFileDB SQL Injection
------------------------------------------------------------------------
SUMMARY
" <http://www.phparena.net/pafiledb.php>; paFileDB is designed to allow web
masters have a database of files for download on their site. To add a
download, all you do is upload the file using FTP or whatever method you
use, log into paFileDB's administration center, and fill out a form to add
a file. paFileDB lets you edit and delete the files too."
The paFileDB product has been found to contain an SQL Injection
vulnerability.
DETAILS
Vulnerable Systems:
* paFileDB version 3.1 and prior
SQL injection:
The $start variable found in the viewall.php and category.php file is
vulnerable for SQL injection attack as it uses the following code:
if ($sortby == "name") {
$result = $pafiledb_sql->query($db, "SELECT * FROM
$db[prefix]_files WHERE file_pin = '0' ORDER BY file_name
ASC LIMIT $start,20", 0);
}
if ($sortby == "date") {
$result = $pafiledb_sql->query($db, "SELECT * FROM
$db[prefix]_files WHERE file_pin = '0' ORDER BY file_time
DESC LIMIT $start,20", 0);
}
if ($sortby == "downloads") {
$result = $pafiledb_sql->query($db, "SELECT * FROM
$db[prefix]_files WHERE file_pin = '0' ORDER BY file_dls
DESC LIMIT $start,20", 0);
}
if ($sortby == "rating") {
$result = $pafiledb_sql->query($db, "SELECT * FROM
$db[prefix]_files WHERE file_pin = '0' ORDER BY
(file_rating/file_totalvotes - 1) DESC LIMIT $start,20", 0);
}
Examples of SQL injections:
http://example.com/[pafiledb_dir]/pafiledb.php?action=viewall&start='
&sortby=rating
http://example.com/[pafiledb_dir]/pafiledb.php?action=category&start='
&sortby=rating
Sample error message:
paFileDB was unable to successfully run a MySQL query.
MySQL Returned this error: You have an error in your SQL syntax near
'\',20' at line 1 Error number: 1064
The query that caused this error was: SELECT * FROM pafiledb_files WHERE
file_pin = '0' ORDER BY
ADDITIONAL INFORMATION
The information has been provided by <mailto:sp3x@securityreason.com.>
sp3x.
The original article can be found at: <http://www.securityreason.com>;
http://www.securityreason.com
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: [email protected]
In order to subscribe to the mailing list, simply forward this email to: [email protected]
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
