possible SQL injection in Subdreamer

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: possible SQL injection in Subdreamer
From: GHC team <foster@xxxxxx>
Date: 18 Mar 2005 20:15:41 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm


//*==========================================*//
\\ GHC -> Subdreamer <- ADVISORY
// Product: Subdreamer
\\ Version: Subdreamer Light
// URL: www.subdreamer.com
\\ VULNERABILITY CLASS:  SQL injection
//*==========================================*//

[Product Description]
"Powered by PHP and MySQL, Subdreamer provides the ability to create dynamic 
websites while giving full control over every section of the site. 
A powerful content management system with an amazing skin engine which provides 
users with unique and cool looking skins!" (from homepage).    
Subdreamer is non-free CMS. 
Freeware version - Subdreamer Light - avaliable for download.

[Summary]
 Unsufficient filtration of user input data can lead to SQL injection  
vulnerability .

[Details]
In case if magic_quotes_gpc=0, some global arrays drive through 
addslashes() function.

--[script includes/core.php]--
if(!get_magic_quotes_gpc())  // add slashes if gpc is off
{
  $_POST   = AddSlashesArray($_POST);
  $_GET    = AddSlashesArray($_GET);
  $_COOKIE = AddSlashesArray($_COOKIE);
--[/script includes/core.php]--

But in script's functions variables are defined as "global", not from global 
POST or GET arrays. 
This can lead to avoid filtration with addslashes() if register_global=1. 

--[script includes/core.php]--
if(function_exists('ini_get'))
{
  $globalsoption = ini_get('register_globals');
}
else
{
  $globalsoption = get_cfg_var('register_globals');
}
if($globalsoption != 1)
{
  @extract($HTTP_SERVER_VARS,  EXTR_SKIP);
  @extract($HTTP_COOKIE_VARS,  EXTR_SKIP);
  @extract($HTTP_POST_FILES,   EXTR_SKIP);
  @extract($HTTP_POST_VARS,    EXTR_SKIP);
  @extract($HTTP_GET_VARS,     EXTR_SKIP);
  @extract($HTTP_ENV_VARS,     EXTR_SKIP);
  @extract($HTTP_SESSION_VARS, EXTR_SKIP);
}
--[/script includes/core.php]--

In this case an attacker can make SQL injection assault through some variables 
which are defined as global in functions.

EXAMPLE
+--------------+
|SQL injection |
+--------------+
Vulnerable script: plugins/p17_image_gallery/imagegallery.php   

--[code]-- 
function p17_DisplayImages($sectionid, $start)
{
  global $DB;
  global $categoryid;
  global $p17_imageid;
 [...]
 if(isset($p17_imageid))
 {
 $image = $DB->query_first("SELECT * FROM p17_images WHERE imageid = 
'$p17_imageid'");
 [...]
 <td style="padding-top: 20px;" align="center"><img 
src="plugins/p17_image_gallery/images/'.$image['filename'].'" /></td>
--[/code]--

[Exploit]
http://subdreamer/index.php?categoryid=3&p17_sectionid=1&p17_imageid=[SQL code]
  

/* ================================================== */
/* www.ghc.ru -- security games & challenges          */
/* ================================================== */
/* greets to: 1dt.w0lf & RST.void.ru                  */
/* and e-defense group.                               */
/* ================================================== */

Prev by Date: myPHP Forum v1, 2 & 3
Next by Date: Re: Linux ISO9660 handling flaws
Previous by thread: myPHP Forum v1, 2 & 3
Next by thread: Re: possible SQL injection in Subdreamer
Index(es):
- Date
- Thread