Date: Sun, 26 Mar 2006 20:36:51 +0200
From: "Stefan Keller" <skeller@pobox.com.>
To: [email protected]Subject: AkoComment SQL injection vulnerability
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline
X-Virus-Scanned: antivirus-gw at tyumen.ru
AkoComment is a well known and widely used add-on for the Mambo and
Joomla Content Management Systems. It allows users to post comments to
articles.
AkoComment 2.0 suffers from an SQL injection vulnerability
(components/com_akocomment/akocomment.php):
# Clear any HTML and SQL injections
$title =3D strip_tags($title);
$comment =3D strip_tags($comment);
$title =3D mysql_escape_string($title);
$comment =3D mysql_escape_string($comment);
# Perform database query
$date =3D date( "Y-m-d H:i:s" );
$ip =3D getenv('REMOTE_ADDR');
$query2 =3D "INSERT INTO #__akocomment SET contentid=3D'$contentid',
ip=3D'$ip', name=3D'$acname', title=3D'$title', comment=3D'$comment',
date=3D'$date', published=3D'$ac_autopublish';";
$database->setQuery( $query2 );
$database->query();
While the user provided comment and comment title is properly
sanitized, the client provided $acname and $contentid are not. These
correspond to hidden, value-prefilled FORM variables in the akocomment
created html form.
It is widely known that just because the values are hidden and not
changeable in a standard web browser doesn't mean they are not client
provided and thus aren't trivially modified.
Since the variables are not sanitized in any way the SQL injection
itself is straight-forward, provided magic_quotes_gpc =3D off.
Solution:
To fix this vulnerability put the following lines before the "#
Perform database query" line:
$contentid =3D intval(strip_tags($contentid));
$acname =3D mysql_escape_string(strip_tags($acname));
--
Stefan Keller <skeller@pobox.com.>
