
Security Issue Warning Again - More details

(@talullah)
Posts: 65
Trusted Member
Topic starter
 

Hello all,

I posted a few days ago regarding a spontaneous offer for help solving a security issue we didn't even know we had that seemed to be a scam. It turns out that the person who wrote does know one of my fellow archivists and has written again with more details which I paste below. Quite frankly, I'm the most tech savvy in my archive and this means nothing to me. I can even figure out how to test what this person's saying, but it looks really detailed and the person only offers to review the code which can easily be obtained online. Here's the email text:

The Automated LoM has a series of major security issues.

I'm not sure your level of technical ability, so please forgive me if this sounds condescending.

There is a huge amount of direct SQL injection going on.

Whenever input is taken directly from a user and passed into a statement (like, $query = 'select this, that from here where username = ' . $_POST['username']; ), a user can manipulate the database.  To do pretty much anything that they want.

Here's another example.

If I used the username whatever and the password

' or '1'=1;

how would the query look?

select username, password from usertable where username = 'whatever' and password = '' or '1'=1;

Since 1 does equal 1, then it would simply return the entire database.

Now, that won't actually work on LoM, because it doesn't output the query. It just uses it.

But it would be fairly simplistic to design a query to, say, change the password of the administrator. Or, delete all usernames. Change all stories to the text 'fuckyou'.

Anything I wanted. The database - and the system - would be mine to control.

We have only installed the efiction files as in the instructions and we are running version 3.3.1. The archive is located at http://www.libraryofmoria.com/a/.

Any opinions if it is indeed as easy as this person says to hack into the archive?

Cheers,
Talullah


 
Posted : 29/05/2008 9:20 pm
 Elle
(@jenny)
Posts: 594
Honorable Member
 

Where does it have that?

I was under the impression all inputted data was escapestring()'d. 😐

That aside, however, it is very possible to manipulate user data ... using unvalidated user input isn't the best of ideas. (that is, putting $_POST/$_GET etc straight into a query) So yes, it is easy...but again, I believe all user data was escaped in eFic.

Ask them where they found examples of that code?


archive: dramione.org
site: accio.nu

Available for skin/mod commission! 🙂

 
Posted : 30/05/2008 5:44 am
(@carissa)
Posts: 791
Member Moderator
 

Well, I tried that and, while there is a problem, there does not appear to be a security issue. I was able to register with the password given, but it would not let me log in using that same password, probably because, like Jenny said, the passwords use escapestring, though I don't know enough about it to be sure.


 
Posted : 30/05/2008 11:52 am
(@tammy)
Posts: 2577
Member Moderator
 

Passwords are md5 encrypted so even if you chose a password like:

' or '1'=1;

the script will md5 encrypt it before it gets sent to the database both on registration and when logging in.  So what gets sent to the database is the encrypted string something like:

23sd89a2sdf8972w3sdf2

The usernames and all input are checked using various methods to ensure SQL injection doesn't occur.  For instance, numbers are checked with the isNumber( ) function.  There could certainly be places where something has gotten missed, but this isn't one of them.  Frankly, sounds like this guy has read something on the internet and thinks he knows more than he does.

I would suggest you update to 3.4.3, but the 3.3.1 to 3.4 update was not security related.  It was for the optimization of the co-authors function and fixing of a few bugs so there are no known security threats on 3.4.

Ask him for specific points where he believes the script is vulnerable with instructions.  If he wants money, tell him you want one specific example with instructions/documentation for free as a good faith gesture. 

There's been one Secunia advisory about eFiction 3.x. It was in February 2007.

http://secunia.com/product/13548/?task=advisories

So I would hazard a guess that we're pretty secure.


 
Posted : 30/05/2008 6:37 pm
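The concatenation pattern from the e-mail in the first post and Tammy's point about hashing the password before the query is built, side by side with a prepared statement, as an added example that is not eFiction's code. It uses an in-memory SQLite database through PDO instead of MySQL; the table, the sample account, the lookup query and the function names are constructed for the illustration.

```php
<?php
// Added example, not eFiction's code. The table, the sample account and the
// function names are constructed; an in-memory SQLite database via PDO stands
// in for MySQL so the script runs wherever PHP has PDO and SQLite.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE usertable (username TEXT, password TEXT)");
$db->exec("INSERT INTO usertable VALUES ('admin', '" . md5('constructed-secret') . "')"); // stored as md5

// Pattern from the e-mail: both fields are pasted straight into the SQL text.
function loginConcat(PDO $db, $user, $pass) {
    $sql = "SELECT username FROM usertable WHERE username = '$user' AND password = '$pass'";
    return count($db->query($sql)->fetchAll());
}

// Tammy's point: hashing first means the password field can no longer carry SQL.
function loginMd5(PDO $db, $user, $pass) {
    $hash = md5($pass);
    $sql = "SELECT username FROM usertable WHERE username = '$user' AND password = '$hash'";
    return count($db->query($sql)->fetchAll());
}

// ...but every other concatenated string stays injectable, e.g. a lookup
// that takes only a username (constructed query).
function lookupConcat(PDO $db, $user) {
    $sql = "SELECT username FROM usertable WHERE username = '$user'";
    return count($db->query($sql)->fetchAll());
}

// Hardened form: a prepared statement sends input as bound data, never as SQL
// text. With the old mysql_* extension the equivalent is passing every string
// through mysql_real_escape_string() before concatenating it.
function loginPrepared(PDO $db, $user, $pass) {
    $stmt = $db->prepare("SELECT username FROM usertable WHERE username = ? AND password = ?");
    $stmt->execute(array($user, md5($pass)));
    return count($stmt->fetchAll());
}

$tautology = "' OR '1'='1";   // the e-mail's payload with its quotes balanced
// Concatenation: AND binds tighter than OR, so the WHERE clause becomes true
// for every row. Hashing first: the hex digest contains no quote, so no match.
printf("concat login,  payload as password: %d row(s)\n", loginConcat($db, 'whatever', $tautology));
printf("md5 login,     payload as password: %d row(s)\n", loginMd5($db, 'whatever', $tautology));
printf("concat lookup, payload as username: %d row(s)\n", lookupConcat($db, $tautology));
// Prepared: the payload matches nothing, and real credentials still work.
printf("prepared,      payload as password: %d row(s)\n", loginPrepared($db, 'whatever', $tautology));
printf("prepared,      real credentials:    %d row(s)\n", loginPrepared($db, 'admin', 'constructed-secret'));
```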
(@talullah)
Posts: 65
Trusted Member
Topic starter
 

Hi,

The person sent us a screen cap of him logged in as administrator at our site. He didn't give details of how he did it or what he plans to do.

Now I am officially concerned.

I wrote him and asked him to join the forum and discuss the issue directly with the people who know PHP/MySQL.

Let's hope he shows up and tells us something.

Cheers,
Tal

(just as a side note - I upgraded the archive this morning to v 3.4.3 and he was showing that already in the screencap)


 
Posted : 31/05/2008 10:16 pm
(@tammy)
Posts: 2577
Member Moderator
 

Can you send me the screencap?  Feel free to PM it for security.


 
Posted : 31/05/2008 11:10 pm
(@talullah)
Posts: 65
Trusted Member
Topic starter
 

What he sent doesn't have sensitive information so I'm posting it here.

This is an image of our admin panel ipsis verbis. As I said I'm woefully ignorant in what comes to PHP/MySQL issues so I've no idea if someone who's not an administrator could have access to that page... but I'm guessing not.

So far he hasn't replied to my email but I sent it just last night. There was another email from him before that where he didn't mention a specific part of the archive with problems but he made a brief reference to 'comments'. Just as a side note, I wasn't involved in communicating with this person until now, since I ignored his first email and then he started contacting one of my partners in crime.

Also he made the following comment:

There's no standard function escapestring() in PHP. Does she mean mysql_real_escape_string()? That would be effective.  (Whereas relying on magic quotes is not an acceptable solution)

I haven't actually seen the code. I've just run queries that seemed to break the site in ways that are indicative of SQL injection. To be definitive, I'd need to see a copy of the code itself, rather than the output it generates.

At that point my colleague suggested for the first time that he join this forum and talk directly with you gals.

*sigh* I imagine this is also frustrating for you as the people mediating are utterly ignorant.

We would appreciate any light you can shed on this.

Thanks

Tal


 
Posted : 01/06/2008 5:36 am
(@rhapsody)
Posts: 31
Eminent Member
 

Tal, this just smells immensely fishy; as Tammy said, eFiction is just very secure. He doesn't have to ask you for the code if the eFiction code is just available as open source. He can always get it himself instead of asking you to breach your own site security. It's just a thought.


 
Posted : 01/06/2008 11:25 am
(@tammy)
Posts: 2577
Member Moderator
 

We use a custom escapestring function to pass to the correct version of PHP's functions (there are 2 and the correct one to use depends on the version of PHP you're using).  The only 2 places we have something like comments is comments in the news and reviews, but both of those are escaped.

Check your phpinfo information and let us know if you have register_globals set to on. 


 
Posted : 01/06/2008 12:55 pm
(@talullah)
Posts: 65
Trusted Member
Topic starter
 

Tammy, thanks for following this.

We do have register_globals set to on both for local value and global value.

I never changed anything related to our PHP settings - I wouldn't even know where to begin. Did I do wrong?

Again, thanks - I really appreciate you taking the time to look into this.

-----

Rhapsody - yeah that was also our thought so we gave him the link to this site too and we've invited him now three times to join the forum and discuss this directly with the people who know what they are doing... I haven't seen him around...

I feel like I could use a long whining session but I'll spare you. 😉

Thanks for following this.

Cheers
Tal


 
Posted : 01/06/2008 2:55 pm
(@tammy)
Posts: 2577
Member Moderator
 

Register_globals on is much less secure than register_globals off.  He's talking about using sql injection, but as I said, everything he's talking about is escaped to prevent just that. 


 
Posted : 01/06/2008 6:37 pm
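Why Tammy's register_globals question matters, as an added example that is not eFiction's code and makes no claim about where, or whether, eFiction has such a pattern: the session-check function, the admin-only action and the request parameter names are placeholders.

```php
<?php
// Added example, not eFiction's code; userHasValidSession() and the admin-only
// action are placeholders. It shows why register_globals = On is weaker than Off.
function userHasValidSession() { return false; }   // placeholder: nobody is logged in

// --- Fragile under register_globals = On ---
// With the setting on, PHP turns every request parameter into a global variable
// before the script body runs, so a request carrying a parameter named
// "authorized" arrives with $authorized already set. This code assigns
// $authorized only on the success path, so on the failure path the
// request-supplied value survives and the check below passes.
if (userHasValidSession()) {
    $authorized = true;
}
if (!empty($authorized)) {
    echo "admin-only action would run here\n";   // placeholder
}

// --- Hardened ---
// 1. Initialise every flag before use, so request data can never pre-seed it.
$authorized = false;
if (userHasValidSession()) {
    $authorized = true;
}
// 2. Read request data only from the explicit superglobals and validate it on
//    the way in, never from a bare variable of the same name.
$storyId = isset($_GET['sid']) ? (int) $_GET['sid'] : 0;
if ($authorized && $storyId > 0) {
    echo "admin-only action for story $storyId\n";   // placeholder
}

// 3. Turn the setting off at the server level. register_globals is PHP_INI_PERDIR,
//    so ini_set() cannot change it at runtime. Put this in php.ini:
//        register_globals = Off
//    or, with mod_php, in .htaccess:
//        php_flag register_globals off
//    then confirm in phpinfo() that both the local and master values show Off.
```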