[PHP-CHECKER] 99 potential SQL injection vulnerabilities
Hi, we are a group of Stanford researchers and we have recently
developed an automated tool for detecting injection vulnerabilities in
PHP. We ran our tool on the following list of software and found 99
potential security vulnerabilities (inspected bug reports attached
below):
e107 -- v0.7
myBloggie -- v2.1.3beta
Utopia NewsPro -- v1.1.4
DCP Portal -- v6.1.1
PHP Webthings -- v1.4 patched
The tool detects unsanitized user input that subsequently flows into
SQL queries. With slight modifications, it can also find potential XSS
vulnerabilities by inspecting strings echoed back as HTML output.
Most of these seem remotely exploitable, and we have notified vendors
of confirmed exploits. We decided not to publish exploits in the
interest of web sites that have deployed such software.
More detailed information about the tool, including proof-of-concept
exploits (vendors notified, and since patched), can be obtained from the
links below.
We would appreciate any comments and feedback regarding the tool and the
results.
Thanks,
Yichen Xie
For more information:
http://glide.stanford.edu/yichen/research/sec.ps
http://glide.stanford.edu/yichen/research/sec.pdf
==========
PHP-fusion
==========
==============
Utopia NewsPro
==============
8 potentially exploitable vulnerabilities
ERROR: ./editnews.php:@main: _POST#g["newsid"]
----------------------------------------------
This error occurs at lines 24-25 in editnews.php. User input
_POST["newsid"] may directly flow into the SQL query below, resulting
in a potentially exploitable SQL injection vulnerability.
ERROR: ./faq.php:@main: _GET#g["catid"]
---------------------------------------
This error occurs at lines 61-62 in faq.php. We believe user input
_GET["catid"] is improperly checked in the following line: the regular
expression seems to only check for the existence of a number. It is
probably missing the "^" and "$" anchors that ensure "catid" _is_ a number.
ERROR: ./faq.php:@main: _GET#g["question"]
------------------------------------------
Lines 107-108 in faq.php. Similar to the above.
ERROR: ./postnews.php:@main: _POST#g["poster"]
----------------------------------------------
Line 28: $newsposter is not validated before being passed into the
query string at line 42.
ERROR: ./templates.php:@main: _POST#g["tempid"]
-----------------------------------------------
Line 33: $tempid is not validated before being passed into the query
string at line 40.
ERROR: ./users.php:@main: _GET#g["userid"]
------------------------------------------
Line 256: $userid is not properly validated: the regular expression
at line 262 checks for the existence of a number in $userid. Missing "^"
and "$"?
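To illustrate the dataflow the tool described at the top of this post looks for (request input reaching a SQL query) together with the anchored-versus-unanchored regular expression point raised for faq.php and users.php, here is a small added Python checker; it is not PHP-CHECKER and not from the original post. It runs over a constructed PHP snippet, and treats only intval()/(int) and a preg_match anchored with "^" and "$" as sanitizers, which is an assumption made for the example.

```python
import re
# Taint sources cited in the reports above: PHP request superglobals.
SOURCE = re.compile(r'\$_(GET|POST|REQUEST|COOKIE)\s*\[')
ASSIGN = re.compile(r'^\s*\$(\w+)\s*=\s*(.+);\s*$')
QUERY = re.compile(r'mysql_query\s*\((.*)\)')
VARS = re.compile(r'\$(\w+)')
# Sanitisers this toy accepts (assumption): intval()/(int) or a "/^...$/" regex.
INT_CAST = re.compile(r'^(intval\s*\(|\(int\))')
ANCHORED = re.compile(r'preg_match\s*\(\s*["\']/\^.*\$/["\']\s*,\s*\$(\w+)')

def check_php(src):
    # Returns [(name, def_line, use_line)] for tainted data reaching a query.
    tainted = {}                  # variable -> line where it became tainted
    findings = []
    for lineno, line in enumerate(src.splitlines(), 1):
        m = ANCHORED.search(line)
        if m:                                 # "/^[0-9]+$/" proves a number
            tainted.pop(m.group(1), None)
        m = ASSIGN.match(line)
        if m:
            var, rhs = m.groups()
            refs = [v for v in VARS.findall(rhs) if v in tainted]
            if INT_CAST.match(rhs):           # integer coercion neutralises
                tainted.pop(var, None)
            elif SOURCE.search(rhs) or refs:  # direct or transitive taint
                tainted[var] = lineno
            else:
                tainted.pop(var, None)        # overwritten with clean data
        m = QUERY.search(line)
        if m:
            for v in VARS.findall(m.group(1)):
                if v in tainted:
                    findings.append((v, tainted[v], lineno))
    return findings
# Constructed PHP snippet mirroring the faq.php / postnews.php patterns.
SAMPLE = r'''$catid = $_GET["catid"];
if (!preg_match("/[0-9]+/", $catid)) die("bad id");
$result = mysql_query("SELECT * FROM faq WHERE catid = $catid");
$tempid = $_POST["tempid"];
if (!preg_match("/^[0-9]+$/", $tempid)) die("bad id");
mysql_query("SELECT * FROM templates WHERE id = $tempid");
$userid = intval($_POST["userid"]);
mysql_query("DELETE FROM users WHERE id = $userid");
$poster = $_POST["poster"];
$sql = "INSERT INTO news (poster) VALUES ('$poster')";
mysql_query($sql);'''
if __name__ == "__main__":
    for name, d, u in check_php(SAMPLE):      # Def/Use report like the above
        print(f"ERROR: ${name}: Def: line {d}; Use: line {u}")
```

On the sample, only the unanchored-regex case and the string built from $poster are reported; the anchored check and the intval() copy are accepted as clean.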
ERROR: ./users.php:@main: _POST#g["groupid"]
--------------------------------------------
Line 31: $groupid is not validated before being passed into the query
string at line 72.
ERROR: ./users.php:@main: _POST#g["userid"]
-------------------------------------------
Line 29: $userid is not validated before being passed into the query
string at line 54.
======
e107
======
ERROR: ./signup.php:@main: _POST#g["email"]
-------------------------------------------
Line 256: malformed $_POST['email'] may cause SQL injection.
ERROR: ./signup.php:@main: _POST#g["hideemail"]
-----------------------------------------------
Line 336: malformed $_POST['hideemail'] may cause SQL injection.
ERROR: ./signup.php:@main: _POST#g["image"]
-------------------------------------------
Line 336: malformed $_POST['image'] may cause SQL injection.
ERROR: ./signup.php:@main: _POST#g["realname"]
----------------------------------------------
Line 336: Similar to the above.
ERROR: ./signup.php:@main: _POST#g["signature"]
-----------------------------------------------
Line 336: Similar to the above.
ERROR: ./signup.php:@main: _POST#g["timezone"]
----------------------------------------------
Line 336: Similar to the above.
ERROR: ./signup.php:@main: _POST#g["xupexist"]
----------------------------------------------
Line 336: Similar to the above.
ERROR: ./subcontent.php:@main: _POST#g["content_comment"]
ERROR: ./subcontent.php:@main: _POST#g["content_rating"]
ERROR: ./subcontent.php:@main: _POST#g["content_summary"]
---------------------------------------------------------
Line 119: Similar to the above.
ERROR: ./upload.php:@main: _POST#g["download_category"]
ERROR: ./upload.php:@main: _POST#g["file_demo"]
-------------------------------------------------------
Line 59
ERROR: ./usersettings.php:@main: _POST#g["email"]
-------------------------------------------------
Line 201: validity check of _POST["email"] does not prevent SQL
injection into query string at Line 205.
ERROR: ./usersettings.php:@main: _POST#g["hideemail"]
-----------------------------------------------------
Use of non-validated input _POST["hideemail"] at line 276.
ERROR: ./usersettings.php:@main: _POST#g["user_timezone"]
---------------------------------------------------------
Same as above.
ERROR: ./usersettings.php:@main: _POST#g["user_xup"]
----------------------------------------------------
Same as above.
===========
myBloggie
===========
16 potentially exploitable vulnerabilities
ERROR: ./login.php:@main: _POST#g["username"]
---------------------------------------------
Def: Line 41; Use: line 65 (fixed by the recent patch)
ERROR: ./add.php:@main: _POST#g["category"]
-------------------------------------------
$cat_id defined at line 203 may cause SQL injection in query string at
line 268.
ERROR: ./addcat.php:@main: _POST#g["cat_desc"]
----------------------------------------------
$cat_desc defined at line 73, and passed into SQL query at line 79.
ERROR: ./adduser.php:@main: _POST#g["level"]
--------------------------------------------
$level defined at line 48, and passed into SQL query at line 74.
ERROR: ./adduser.php:@main: _POST#g["user"]
-------------------------------------------
$user defined at line 46, and used in query string at line 50.
ERROR: ./del.php:@main: _GET#g["post_id"]
-----------------------------------------
Def: line 35; Use: line 44
ERROR: ./delcat.php:@main: _GET#g["cat_id"]
-------------------------------------------
Def: line 44; Use: line 52
ERROR: ./delcomment.php:@main: HTTP_GET_VARS#g["comment_id"]
------------------------------------------------------------
Line 35: inappropriate validation with "intval"
ERROR: ./deluser.php:@main: _GET#g["id"]
----------------------------------------
Def: line 45; Use: line 53
ERROR: ./edit.php:@main: _GET#g["post_id"]
------------------------------------------
Def: line 31; Use: line 43, 45
ERROR: ./edit.php:@main: _POST#g["category"]
--------------------------------------------
Def: line 195; Use: line 228
ERROR: ./editcat.php:@main: _GET#g["cat_id"]
--------------------------------------------
Def: line 64; Use: line 66
ERROR: ./editcat.php:@main: _POST#g["cat_desc"]
-----------------------------------------------
Def: line 83; Use: line 84
ERROR: ./edituser.php:@main: _GET#g["id"]
-----------------------------------------
Def: line 47; Use: line 50
ERROR: ./edituser.php:@main: _POST#g["level"]
---------------------------------------------
Def: line 94; Use: line 97, 103
ERROR: ./edituser.php:@main: _POST#g["user"]
--------------------------------------------
Def: line 71; Use: line 97, 103
===============
PHP Webthings
===============
20 potentially exploitable SQL injection vulnerabilities
ERROR: ./download.php:@main: _GET#g["ref"]
------------------------------------------
bug in function draw_download_categories (used in download.php),
defined in modules/downloads/functions.php. $ref1 holds user input
$_GET["ref"] (line 33) and is used in a query on line 41.
ERROR: ./forum.php:@main: _GET#g["direction"]
---------------------------------------------
bug occurs in function draw_fs_small (used in forum.php, line 231),
defined in modules/downloads/functions.php. $direction holds
user input $_GET['direction'] and is subsequently used in the construction
of SQL queries.
ERROR: ./forum.php:@main: _POST#g["direction"]
----------------------------------------------
Same as above.
ERROR: ./forum.php:@main: _GET#g["forum"]
-----------------------------------------
Line 22 in forum.php.
ERROR: ./forum.php:@main: _GET#g["msg"]
---------------------------------------
forum.php: Line 58.
ERROR: ./forum.php:@main: _GET#g["sforum"]
------------------------------------------
bug occurs in function draw_fs_form (used in forum.php, line 186),
defined in modules/downloads/functions.php. $forumcod is defined using
$_GET["sforum"] and is subsequently used in the construction of SQL queries.
ERROR: ./forum.php:@main: _POST#g["sforum"]
-------------------------------------------
Same as above.
ERROR: ./forum.php:@main: _POST#g["reason"]
-------------------------------------------
modules/forum/movetopic.php: defined on lines 74 and 80, used on line 90.
ERROR: ./forum.php:@main: _REQUEST#g["forum"]
---------------------------------------------
defined: forum.php: line 124.
used: modules/forum/split.php: line 2
ERROR: ./forum.php:@main: _REQUEST#g["msg"]
-------------------------------------------
defined: forum.php: line 122.
used: modules/forum/split.php: line 2
ERROR: ./forum.php:@main: _REQUEST#g["subname"]
-----------------------------------------------
defined: line 135, used line 139
ERROR: ./forum.php:@main: _REQUEST#g["toforum"]
-----------------------------------------------
defined: forum.php: line 110
used: modules/forum/movetopic.php: line 62
ERROR: ./forum_edit.php:@main: _GET#g["msg"]
--------------------------------------------
line 25
ERROR: ./forum_edit.php:@main: _GET#g["forum"]
----------------------------------------------
line 25
ERROR: ./forum_write.php:@main: _GET#g["forum"]
-----------------------------------------------
invokes forum_edit.php, same as above.
ERROR: ./forum_write.php:@main: _GET#g["msg"]
---------------------------------------------
invokes forum_edit.php, same as above.
ERROR: ./forum_write.php:@main: _POST#g["msg"]
----------------------------------------------
modules/forum/write.php: def: line 85, use line 88
ERROR: ./guestbook.php:@main: _POST#g["tekst"]
----------------------------------------------
modules/guestbook/functions.php: def:line 202, use: line 203
ERROR: ./index.php:@main: _REQUEST#g["menuoption"]
--------------------------------------------------
def: index.php: line 7
use: core/theme.php: line 148
ERROR: ./myaccount.php:@main: _POST#g["sel_avatar"]
---------------------------------------------------
def: line 186
use: line 195
============
DCP Portal
============
ERROR: ./advertiser.php:@main: _POST#g["password"]
--------------------------------------------------
Line 50
ERROR: ./advertiser.php:@main: _POST#g["username"]
--------------------------------------------------
Line 50
ERROR: ./annoucement.php:@main: _GET#g["aid"]
---------------------------------------------
Line 13
ERROR: ./calendar.php:@main: _COOKIE#g["dcp5_member_id"]
--------------------------------------------------------
Def: line 23. Use: lines 65-66
ERROR: ./calendar.php:@main: _POST#g["year"]
--------------------------------------------
Def: line 38. Use: lines 65-66
ERROR: ./calendar.php:@main: _REQUEST#g["agid"]
-----------------------------------------------
Lines 215-216
ERROR: ./calendar.php:@main: _REQUEST#g["day"]
----------------------------------------------
Def: line 38. Use: lines 65-66
ERROR: ./calendar.php:@main: _REQUEST#g["day_s"]
------------------------------------------------
Lines 209-210
ERROR: ./calendar.php:@main: _REQUEST#g["hour"]
-----------------------------------------------
Lines 209-210
ERROR: ./calendar.php:@main: _REQUEST#g["minute"]
-------------------------------------------------
Lines 209-210
ERROR: ./calendar.php:@main: _REQUEST#g["month"]
------------------------------------------------
Def: line 41. Use: lines 65-66
ERROR: ./calendar.php:@main: _REQUEST#g["month_s"]
--------------------------------------------------
Lines 209-210
ERROR: ./calendar.php:@main: _REQUEST#g["year"]
-----------------------------------------------
Def: line 41. Use: lines 65-66
ERROR: ./calendar.php:@main: _REQUEST#g["year_s"]
-------------------------------------------------
Lines 209-210
ERROR: ./contents.php:@main: _GET#g["cid"]
------------------------------------------
Line 15
ERROR: ./forums.php:@main: _COOKIE#g["dcp5_member_id"]
------------------------------------------------------
Line 93, UserValid uses _COOKIE#g["dcp5_member_id"] in a query.
ERROR: ./forums.php:@main: _GET#g["bid"]
----------------------------------------
Line 87
ERROR: ./forums.php:@main: _GET#g["mid"]
----------------------------------------
Line 161
ERROR: ./forums.php:@main: _POST#g["mid"]
-----------------------------------------
Line 221
ERROR: ./go.php:@main: _GET#g["bid"]
------------------------------------
Line 9
ERROR: ./golink.php:@main: _GET#g["lid"]
----------------------------------------
Line 9
ERROR: ./inbox.php:@main: _COOKIE#g["dcp5_member_id"]
-----------------------------------------------------
Line 9, UserValid uses _COOKIE#g["dcp5_member_id"] in a query.
ERROR: ./inbox.php:@main: _GET#g["mid"]
---------------------------------------
Line 239
ERROR: ./index.php:@main: _GET#g["catid"]
-----------------------------------------
Line 234
ERROR: ./index.php:@main: _GET#g["cid"]
---------------------------------------
Line 60
ERROR: ./index.php:@main: _GET#g["dcat"]
----------------------------------------
Line 306
ERROR: ./index.php:@main: _GET#g["dl"]
--------------------------------------
Line 370
ERROR: ./index.php:@main: _GET#g["doc"]
---------------------------------------
Line 328
ERROR: ./index.php:@main: _GET#g["lcat"]
----------------------------------------
Line 252
ERROR: ./index.php:@main: _GET#g["uid"]
---------------------------------------
Line 538
ERROR: ./informer.php:@main: _COOKIE#g["dcp5_member_id"]
--------------------------------------------------------
Line 9, UserValid
ERROR: ./lostpassword.php:@main: _POST#g["email"]
-------------------------------------------------
Line 91
ERROR: ./mycontents.php:@main: _COOKIE#g["dcp5_member_id"]
----------------------------------------------------------
Line 9, UserValid
ERROR: ./news.php:@main: _GET#g["nid"]
--------------------------------------
Line 13
ERROR: ./rate.php:@main: _GET#g["cid"]
--------------------------------------
Line 9
ERROR: ./rate.php:@main: _GET#g["type"]
---------------------------------------
Line 17
ERROR: ./rate.php:@main: _POST#g["rate"]
----------------------------------------
Line 17
ERROR: ./search.php:@main: _POST#g["q"]
---------------------------------------
Lines 20, 28, 36, ...
ERROR: ./update.php:@main: _COOKIE#g["dcp5_member_id"]
------------------------------------------------------
Line 9