possible SQL injection in Subdreamer
//*==========================================*//
\\ GHC -> Subdreamer <- ADVISORY
// Product: Subdreamer
\\ Version: Subdreamer Light
// URL: www.subdreamer.com
\\ VULNERABILITY CLASS: SQL injection
//*==========================================*//
[Product Description]
"Powered by PHP and MySQL, Subdreamer provides the ability to create dynamic
websites while giving full control over every section of the site.
A powerful content management system with an amazing skin engine which provides
users with unique and cool looking skins!" (from homepage).
Subdreamer is non-free CMS.
Freeware version - Subdreamer Light - avaliable for download.
[Summary]
Unsufficient filtration of user input data can lead to SQL injection
vulnerability .
[Details]
In case if magic_quotes_gpc=0, some global arrays drive through
addslashes() function.
--[script includes/core.php]--
if(!get_magic_quotes_gpc()) // add slashes if gpc is off
{
$_POST = AddSlashesArray($_POST);
$_GET = AddSlashesArray($_GET);
$_COOKIE = AddSlashesArray($_COOKIE);
--[/script includes/core.php]--
But in script's functions variables are defined as "global", not from global
POST or GET arrays.
This can lead to avoid filtration with addslashes() if register_global=1.
--[script includes/core.php]--
if(function_exists('ini_get'))
{
$globalsoption = ini_get('register_globals');
}
else
{
$globalsoption = get_cfg_var('register_globals');
}
if($globalsoption != 1)
{
@extract($HTTP_SERVER_VARS, EXTR_SKIP);
@extract($HTTP_COOKIE_VARS, EXTR_SKIP);
@extract($HTTP_POST_FILES, EXTR_SKIP);
@extract($HTTP_POST_VARS, EXTR_SKIP);
@extract($HTTP_GET_VARS, EXTR_SKIP);
@extract($HTTP_ENV_VARS, EXTR_SKIP);
@extract($HTTP_SESSION_VARS, EXTR_SKIP);
}
--[/script includes/core.php]--
In this case an attacker can make SQL injection assault through some variables
which are defined as global in functions.
EXAMPLE
+--------------+
|SQL injection |
+--------------+
Vulnerable script: plugins/p17_image_gallery/imagegallery.php
--[code]--
function p17_DisplayImages($sectionid, $start)
{
global $DB;
global $categoryid;
global $p17_imageid;
[...]
if(isset($p17_imageid))
{
$image = $DB->query_first("SELECT * FROM p17_images WHERE imageid =
'$p17_imageid'");
[...]
<td style="padding-top: 20px;" align="center"><img
src="plugins/p17_image_gallery/images/'.$image['filename'].'" /></td>
--[/code]--
[Exploit]
http://subdreamer/index.php?categoryid=3&p17_sectionid=1&p17_imageid=[SQL code]
/* ================================================== */
/* www.ghc.ru -- security games & challenges */
/* ================================================== */
/* greets to: 1dt.w0lf & RST.void.ru */
/* and e-defense group. */
/* ================================================== */