<<< Date Index >>>     <<< Thread Index >>>

[PHP-CHECKER] 99 potential SQL injection vulnerabilities



Hi, we are a group of Stanford researchers and we have recently
developed an automated tool for detecting injection vulnerabilities in
PHP. We ran our tool on the following list of software and found 99
potential security vulnerabilites (inspected bug reports attached
below):

         e107 -- v0.7
         myBloggie -- v2.1.3beta
         utopia NewPro -- v1.1.4
         DCP Portal -- v6.1.1
         PHP Webthings -- v1.4 patched

The tool detects unsanitized user input that subsequently flow into
SQL queries. With slight modifications, it can also find potential XSS
vulnerabilities by inspecting strings echo'ed back as HTML output.

Most of which seem remotely exploitable, and we have notified vendors
of confirmed exploits. We decided not to publish exploits for the
interest of web sites that have deployed such software.

More detailed information, including proof of concept exploits (vendor
notified, and since patched), about the tool can be obtained from the
links below.

We'll appreciate any comments and feedbacks regarding the tool and the
results.

Thanks,
Yichen Xie

For more information:

http://glide.stanford.edu/yichen/research/sec.ps
http://glide.stanford.edu/yichen/research/sec.pdf

==========
PHP-fusion
==========

==============
Utopia NewsPro 
==============

8 potentially exploitable vulnerabilities

ERROR: ./editnews.php:@main: _POST#g["newsid"]
----------------------------------------------
This error occurs at lines 24-25 in editnews.php. User input
_POST["newsid"] may directly flow into the SQL query below, resulting
in a potentially exploitable SQL injection vulnerability.

ERROR: ./faq.php:@main: _GET#g["catid"]
---------------------------------------
This error occurs at lines 61-62 in faq.php. We believe user input
_GET["catid"] is improperly checked in the following line: the regular
expression seem to only check the existence of a number. It is
probably missing "^" and "$" that ensures "catid" _is_ a number.

ERROR: ./faq.php:@main: _GET#g["question"]
------------------------------------------
Lines 107-108 in faq.php. Similar as above.

ERROR: ./postnews.php:@main: _POST#g["poster"]
----------------------------------------------
Line 28: $newsposter is not validated before being passed into the
query string at line 42.

ERROR: ./templates.php:@main: _POST#g["tempid"]
-----------------------------------------------
Line 33: $tempid is not validated before being passed into the query
string at line 40.

ERROR: ./users.php:@main: _GET#g["userid"]
------------------------------------------
Line 256: $userid is not properly validated: the regular expression
at line 262 checks the existence of a number in $userid. Missing "^"
and "$"?

ERROR: ./users.php:@main: _POST#g["groupid"]
--------------------------------------------
Line 31: $groupid is not validated before being passed into the query
string at line 72.

ERROR: ./users.php:@main: _POST#g["userid"]
-------------------------------------------
Line 29: $userid is not validated before being passed into the query
string at line 54.

======
 e107
======

ERROR: ./signup.php:@main: _POST#g["email"]
-------------------------------------------
Line 256: malformed $_POST['email'] may cause SQL injection.

ERROR: ./signup.php:@main: _POST#g["hideemail"]
-----------------------------------------------
Line 336: malformed $_POST['hideemail'] may cause SQL injection.

ERROR: ./signup.php:@main: _POST#g["image"]
-------------------------------------------
Line 336: malformed $_POST['image'] may cause SQL injection.

ERROR: ./signup.php:@main: _POST#g["realname"]
----------------------------------------------
Line 336: Similar as above.

ERROR: ./signup.php:@main: _POST#g["signature"]
-----------------------------------------------
Line 336: Similar as above.

ERROR: ./signup.php:@main: _POST#g["timezone"]
----------------------------------------------
Line 336: Similar as above.

ERROR: ./signup.php:@main: _POST#g["xupexist"]
----------------------------------------------
Line 336: Similar as above.

ERROR: ./subcontent.php:@main: _POST#g["content_comment"]
ERROR: ./subcontent.php:@main: _POST#g["content_rating"]
ERROR: ./subcontent.php:@main: _POST#g["content_summary"]
---------------------------------------------------------
Line 119: Similar as above

ERROR: ./upload.php:@main: _POST#g["download_category"]
ERROR: ./upload.php:@main: _POST#g["file_demo"]
-------------------------------------------------------
Line 59

ERROR: ./usersettings.php:@main: _POST#g["email"]
-------------------------------------------------
Line 201: validity check of _POST["email"] does not prevent SQL
injection into query string at Line 205.

ERROR: ./usersettings.php:@main: _POST#g["hideemail"]
-----------------------------------------------------
Use of non-validated input _POST["hideemail"] at line 276.

ERROR: ./usersettings.php:@main: _POST#g["user_timezone"]
---------------------------------------------------------
Same as above.

ERROR: ./usersettings.php:@main: _POST#g["user_xup"]
----------------------------------------------------
Same as above.

===========
 myBloggie
===========

16 potentially expoloitable vulnerabilities

ERROR: ./login.php:@main: _POST#g["username"]
---------------------------------------------
Def: Line 41; Use: line 65 (fixed by the recent patch)

ERROR: ./add.php:@main: _POST#g["category"]
-------------------------------------------
$cat_id defined at line 203 may cause SQL injection in query string at
line 268.

ERROR: ./addcat.php:@main: _POST#g["cat_desc"]
----------------------------------------------
$cat_desc defined at line 73, and passed into SQL query at line 79.

ERROR: ./adduser.php:@main: _POST#g["level"]
--------------------------------------------
$level defined at line 48, and passed into SQL query at line 74.

ERROR: ./adduser.php:@main: _POST#g["user"]
-------------------------------------------
$user defined at line 46, and used in query string at line 50.

ERROR: ./del.php:@main: _GET#g["post_id"]
-----------------------------------------
Def: line 35; Use: line 44

ERROR: ./delcat.php:@main: _GET#g["cat_id"]
-------------------------------------------
Def: line 44; Use: line 52

ERROR: ./delcomment.php:@main: HTTP_GET_VARS#g["comment_id"]
------------------------------------------------------------
Line 35: inappropriate validation with "intval"

ERROR: ./deluser.php:@main: _GET#g["id"]
----------------------------------------
Def: line 45; Use: line 53

ERROR: ./edit.php:@main: _GET#g["post_id"]
------------------------------------------
Def: line 31; Use: line 43, 45

ERROR: ./edit.php:@main: _POST#g["category"]
--------------------------------------------
Def: line 195; Use: line 228

ERROR: ./editcat.php:@main: _GET#g["cat_id"]
--------------------------------------------
Def: line 64; Use: line 66

ERROR: ./editcat.php:@main: _POST#g["cat_desc"]
-----------------------------------------------
Def: line 83; Use: line 84

ERROR: ./edituser.php:@main: _GET#g["id"]
-----------------------------------------
Def: line 47; Use: line 50

ERROR: ./edituser.php:@main: _POST#g["level"]
---------------------------------------------
Def: line 94; Use: line 97, 103

ERROR: ./edituser.php:@main: _POST#g["user"]
--------------------------------------------
Def: line 71; Use: line 97, 103

===============
 PHP Webthings
===============

20 potentially exploitable SQL injection vulnerabilities

ERROR: ./download.php:@main: _GET#g["ref"]
------------------------------------------
bug in function draw_download_categories (used in download.php),
defined in modules/downloads/functions.php. $ref1 holds user input
$_GET["ref"] (line 33) and used in query on line 41.

ERROR: ./forum.php:@main: _GET#g["direction"]
---------------------------------------------
bug occurs in function draw_fs_small (used in forum.php, line 231)
defined in modules/downloads/functions.php. $direction holds
user input $_GET['direction'] and is subsequently used in construction
of SQL queries.

ERROR: ./forum.php:@main: _POST#g["direction"]
----------------------------------------------
same as above.

ERROR: ./forum.php:@main: _GET#g["forum"]
-----------------------------------------
Line 22 in forum.php.

ERROR: ./forum.php:@main: _GET#g["msg"]
---------------------------------------
forum.php: Line 58.

ERROR: ./forum.php:@main: _GET#g["sforum"]
------------------------------------------
bug occurs in function draw_fs_form (used in forum.php, line 186)
defined in modules/downloads/functions.php. $forumcod is defined using
$_GET["sforum"], and subsequently used in construction of SQL queries.

ERROR: ./forum.php:@main: _POST#g["sforum"]
-------------------------------------------
same as above

ERROR: ./forum.php:@main: _POST#g["reason"]
-------------------------------------------
modules/forum/movetopic.php: defined on line 74 and 80, used on line
90

ERROR: ./forum.php:@main: _REQUEST#g["forum"]
---------------------------------------------
defined: forum.php: line 124. 
used: modules/forum/split.php: line 2

ERROR: ./forum.php:@main: _REQUEST#g["msg"]
-------------------------------------------
defined: forum.php: line 122.
used: modules/forum/split.php: line 2

ERROR: ./forum.php:@main: _REQUEST#g["subname"]
-----------------------------------------------
defined: line 135, used line 139

ERROR: ./forum.php:@main: _REQUEST#g["toforum"]
-----------------------------------------------
defined: forum.php: line 110
used: modules/forum/movetopic.php: line 62

ERROR: ./forum_edit.php:@main: _GET#g["msg"]
--------------------------------------------
line 25

ERROR: ./forum_edit.php:@main: _GET#g["forum"]
----------------------------------------------
line 25

ERROR: ./forum_write.php:@main: _GET#g["forum"]
-----------------------------------------------
invokes forum_edit.php, same as above.

ERROR: ./forum_write.php:@main: _GET#g["msg"]
---------------------------------------------
invokes forum_edit.php, same as above.

ERROR: ./forum_write.php:@main: _POST#g["msg"]
----------------------------------------------
modules/forum/write.php: def: line 85, use line 88

ERROR: ./guestbook.php:@main: _POST#g["tekst"]
----------------------------------------------
modules/guestbook/functions.php: def:line 202, use: line 203

ERROR: ./index.php:@main: _REQUEST#g["menuoption"]
--------------------------------------------------
def: index.php: line 7
use: core/theme.php: line 148

ERROR: ./myaccount.php:@main: _POST#g["sel_avatar"]
---------------------------------------------------
def: line 186
use: line 195

============
 DCP Portal
============
ERROR: ./advertiser.php:@main: _POST#g["password"]
--------------------------------------------------
Line 50

ERROR: ./advertiser.php:@main: _POST#g["username"]
--------------------------------------------------
Line 50

ERROR: ./annoucement.php:@main: _GET#g["aid"]
---------------------------------------------
Line 13

ERROR: ./calendar.php:@main: _COOKIE#g["dcp5_member_id"]
--------------------------------------------------------
Def: line 23. Use: line 65-66

ERROR: ./calendar.php:@main: _POST#g["year"]
--------------------------------------------
Def: line 38. Use: line 65-66

ERROR: ./calendar.php:@main: _REQUEST#g["agid"]
-----------------------------------------------
Line 215-216

ERROR: ./calendar.php:@main: _REQUEST#g["day"]
----------------------------------------------
Def: line 38. Use: line 65-66

ERROR: ./calendar.php:@main: _REQUEST#g["day_s"]
------------------------------------------------
Line 209-210

ERROR: ./calendar.php:@main: _REQUEST#g["hour"]
-----------------------------------------------
Line 209-210

ERROR: ./calendar.php:@main: _REQUEST#g["minute"]
-------------------------------------------------
Line 209-210

ERROR: ./calendar.php:@main: _REQUEST#g["month"]
------------------------------------------------
Def: line 41. Use: line 65-66

ERROR: ./calendar.php:@main: _REQUEST#g["month_s"]
--------------------------------------------------
Line 209-210

ERROR: ./calendar.php:@main: _REQUEST#g["year"]
-----------------------------------------------
Def: line 41. Use: line 65-66

ERROR: ./calendar.php:@main: _REQUEST#g["year_s"]
-------------------------------------------------
Line 209-210

ERROR: ./contents.php:@main: _GET#g["cid"]
------------------------------------------
Line 15

ERROR: ./forums.php:@main: _COOKIE#g["dcp5_member_id"]
------------------------------------------------------
Line 93, UserValid uses _COOKIE#g["dcp5_member_id"] in query.

ERROR: ./forums.php:@main: _GET#g["bid"]
----------------------------------------
Line 87

ERROR: ./forums.php:@main: _GET#g["mid"]
----------------------------------------
Line 161

ERROR: ./forums.php:@main: _POST#g["mid"]
-----------------------------------------
Line 221

ERROR: ./go.php:@main: _GET#g["bid"]
------------------------------------
Line 9

ERROR: ./golink.php:@main: _GET#g["lid"]
----------------------------------------
Line 9

ERROR: ./inbox.php:@main: _COOKIE#g["dcp5_member_id"]
-----------------------------------------------------
Line 9, UserValid uses _COOKIE#g["dcp5_member_id"] in query.

ERROR: ./inbox.php:@main: _GET#g["mid"]
---------------------------------------
Line 239

ERROR: ./index.php:@main: _GET#g["catid"]
-----------------------------------------
Line 234

ERROR: ./index.php:@main: _GET#g["cid"]
---------------------------------------
Line 60

ERROR: ./index.php:@main: _GET#g["dcat"]
----------------------------------------
Line 306

ERROR: ./index.php:@main: _GET#g["dl"]
--------------------------------------
Line 370

ERROR: ./index.php:@main: _GET#g["doc"]
---------------------------------------
Line 328

ERROR: ./index.php:@main: _GET#g["lcat"]
----------------------------------------
Line 252

ERROR: ./index.php:@main: _GET#g["uid"]
---------------------------------------
Line 538

ERROR: ./informer.php:@main: _COOKIE#g["dcp5_member_id"]
--------------------------------------------------------
Line 9, UserValid

ERROR: ./lostpassword.php:@main: _POST#g["email"]
-------------------------------------------------
Line 91

ERROR: ./mycontents.php:@main: _COOKIE#g["dcp5_member_id"]
----------------------------------------------------------
Line 9, UserValid

ERROR: ./news.php:@main: _GET#g["nid"]
--------------------------------------
Line 13

ERROR: ./rate.php:@main: _GET#g["cid"]
--------------------------------------
Line 9

ERROR: ./rate.php:@main: _GET#g["type"]
---------------------------------------
Line 17

ERROR: ./rate.php:@main: _POST#g["rate"]
----------------------------------------
Line 17

ERROR: ./search.php:@main: _POST#g["q"]
---------------------------------------
Line 20, 28, 36...

ERROR: ./update.php:@main: _COOKIE#g["dcp5_member_id"]
------------------------------------------------------
Line 9