<<< Date Index >>>     <<< Thread Index >>>

Re: [PHP-CHECKER] 99 potential SQL injection vulnerabilities



Excuse my ignorance, or currently tired state, but where is the actual
tool located?  I can find the paper OK.

Thanks.

--A

On 11 Dec 2005 21:17:25 -0000, php-checker@xxxxxxxxxxxxxxxxxx
<php-checker@xxxxxxxxxxxxxxxxxx> wrote:
> Hi, we are a group of Stanford researchers and we have recently
> developed an automated tool for detecting injection vulnerabilities in
> PHP. We ran our tool on the following list of software and found 99
> potential security vulnerabilites (inspected bug reports attached
> below):
>
>          e107 -- v0.7
>          myBloggie -- v2.1.3beta
>          utopia NewPro -- v1.1.4
>          DCP Portal -- v6.1.1
>          PHP Webthings -- v1.4 patched
>
> The tool detects unsanitized user input that subsequently flow into
> SQL queries. With slight modifications, it can also find potential XSS
> vulnerabilities by inspecting strings echo'ed back as HTML output.
>
> Most of which seem remotely exploitable, and we have notified vendors
> of confirmed exploits. We decided not to publish exploits for the
> interest of web sites that have deployed such software.
>
> More detailed information, including proof of concept exploits (vendor
> notified, and since patched), about the tool can be obtained from the
> links below.
>
> We'll appreciate any comments and feedbacks regarding the tool and the
> results.
>
> Thanks,
> Yichen Xie
>
> For more information:
>
> http://glide.stanford.edu/yichen/research/sec.ps
> http://glide.stanford.edu/yichen/research/sec.pdf
>
> ==========
> PHP-fusion
> ==========
>
> ==============
> Utopia NewsPro
> ==============
>
> 8 potentially exploitable vulnerabilities
>
> ERROR: ./editnews.php:@main: _POST#g["newsid"]
> ----------------------------------------------
> This error occurs at lines 24-25 in editnews.php. User input
> _POST["newsid"] may directly flow into the SQL query below, resulting
> in a potentially exploitable SQL injection vulnerability.
>
> ERROR: ./faq.php:@main: _GET#g["catid"]
> ---------------------------------------
> This error occurs at lines 61-62 in faq.php. We believe user input
> _GET["catid"] is improperly checked in the following line: the regular
> expression seem to only check the existence of a number. It is
> probably missing "^" and "$" that ensures "catid" _is_ a number.
>
> ERROR: ./faq.php:@main: _GET#g["question"]
> ------------------------------------------
> Lines 107-108 in faq.php. Similar as above.
>
> ERROR: ./postnews.php:@main: _POST#g["poster"]
> ----------------------------------------------
> Line 28: $newsposter is not validated before being passed into the
> query string at line 42.
>
> ERROR: ./templates.php:@main: _POST#g["tempid"]
> -----------------------------------------------
> Line 33: $tempid is not validated before being passed into the query
> string at line 40.
>
> ERROR: ./users.php:@main: _GET#g["userid"]
> ------------------------------------------
> Line 256: $userid is not properly validated: the regular expression
> at line 262 checks the existence of a number in $userid. Missing "^"
> and "$"?
>
> ERROR: ./users.php:@main: _POST#g["groupid"]
> --------------------------------------------
> Line 31: $groupid is not validated before being passed into the query
> string at line 72.
>
> ERROR: ./users.php:@main: _POST#g["userid"]
> -------------------------------------------
> Line 29: $userid is not validated before being passed into the query
> string at line 54.
>
> ======
>  e107
> ======
>
> ERROR: ./signup.php:@main: _POST#g["email"]
> -------------------------------------------
> Line 256: malformed $_POST['email'] may cause SQL injection.
>
> ERROR: ./signup.php:@main: _POST#g["hideemail"]
> -----------------------------------------------
> Line 336: malformed $_POST['hideemail'] may cause SQL injection.
>
> ERROR: ./signup.php:@main: _POST#g["image"]
> -------------------------------------------
> Line 336: malformed $_POST['image'] may cause SQL injection.
>
> ERROR: ./signup.php:@main: _POST#g["realname"]
> ----------------------------------------------
> Line 336: Similar as above.
>
> ERROR: ./signup.php:@main: _POST#g["signature"]
> -----------------------------------------------
> Line 336: Similar as above.
>
> ERROR: ./signup.php:@main: _POST#g["timezone"]
> ----------------------------------------------
> Line 336: Similar as above.
>
> ERROR: ./signup.php:@main: _POST#g["xupexist"]
> ----------------------------------------------
> Line 336: Similar as above.
>
> ERROR: ./subcontent.php:@main: _POST#g["content_comment"]
> ERROR: ./subcontent.php:@main: _POST#g["content_rating"]
> ERROR: ./subcontent.php:@main: _POST#g["content_summary"]
> ---------------------------------------------------------
> Line 119: Similar as above
>
> ERROR: ./upload.php:@main: _POST#g["download_category"]
> ERROR: ./upload.php:@main: _POST#g["file_demo"]
> -------------------------------------------------------
> Line 59
>
> ERROR: ./usersettings.php:@main: _POST#g["email"]
> -------------------------------------------------
> Line 201: validity check of _POST["email"] does not prevent SQL
> injection into query string at Line 205.
>
> ERROR: ./usersettings.php:@main: _POST#g["hideemail"]
> -----------------------------------------------------
> Use of non-validated input _POST["hideemail"] at line 276.
>
> ERROR: ./usersettings.php:@main: _POST#g["user_timezone"]
> ---------------------------------------------------------
> Same as above.
>
> ERROR: ./usersettings.php:@main: _POST#g["user_xup"]
> ----------------------------------------------------
> Same as above.
>
> ===========
>  myBloggie
> ===========
>
> 16 potentially expoloitable vulnerabilities
>
> ERROR: ./login.php:@main: _POST#g["username"]
> ---------------------------------------------
> Def: Line 41; Use: line 65 (fixed by the recent patch)
>
> ERROR: ./add.php:@main: _POST#g["category"]
> -------------------------------------------
> $cat_id defined at line 203 may cause SQL injection in query string at
> line 268.
>
> ERROR: ./addcat.php:@main: _POST#g["cat_desc"]
> ----------------------------------------------
> $cat_desc defined at line 73, and passed into SQL query at line 79.
>
> ERROR: ./adduser.php:@main: _POST#g["level"]
> --------------------------------------------
> $level defined at line 48, and passed into SQL query at line 74.
>
> ERROR: ./adduser.php:@main: _POST#g["user"]
> -------------------------------------------
> $user defined at line 46, and used in query string at line 50.
>
> ERROR: ./del.php:@main: _GET#g["post_id"]
> -----------------------------------------
> Def: line 35; Use: line 44
>
> ERROR: ./delcat.php:@main: _GET#g["cat_id"]
> -------------------------------------------
> Def: line 44; Use: line 52
>
> ERROR: ./delcomment.php:@main: HTTP_GET_VARS#g["comment_id"]
> ------------------------------------------------------------
> Line 35: inappropriate validation with "intval"
>
> ERROR: ./deluser.php:@main: _GET#g["id"]
> ----------------------------------------
> Def: line 45; Use: line 53
>
> ERROR: ./edit.php:@main: _GET#g["post_id"]
> ------------------------------------------
> Def: line 31; Use: line 43, 45
>
> ERROR: ./edit.php:@main: _POST#g["category"]
> --------------------------------------------
> Def: line 195; Use: line 228
>
> ERROR: ./editcat.php:@main: _GET#g["cat_id"]
> --------------------------------------------
> Def: line 64; Use: line 66
>
> ERROR: ./editcat.php:@main: _POST#g["cat_desc"]
> -----------------------------------------------
> Def: line 83; Use: line 84
>
> ERROR: ./edituser.php:@main: _GET#g["id"]
> -----------------------------------------
> Def: line 47; Use: line 50
>
> ERROR: ./edituser.php:@main: _POST#g["level"]
> ---------------------------------------------
> Def: line 94; Use: line 97, 103
>
> ERROR: ./edituser.php:@main: _POST#g["user"]
> --------------------------------------------
> Def: line 71; Use: line 97, 103
>
> ===============
>  PHP Webthings
> ===============
>
> 20 potentially exploitable SQL injection vulnerabilities
>
> ERROR: ./download.php:@main: _GET#g["ref"]
> ------------------------------------------
> bug in function draw_download_categories (used in download.php),
> defined in modules/downloads/functions.php. $ref1 holds user input
> $_GET["ref"] (line 33) and used in query on line 41.
>
> ERROR: ./forum.php:@main: _GET#g["direction"]
> ---------------------------------------------
> bug occurs in function draw_fs_small (used in forum.php, line 231)
> defined in modules/downloads/functions.php. $direction holds
> user input $_GET['direction'] and is subsequently used in construction
> of SQL queries.
>
> ERROR: ./forum.php:@main: _POST#g["direction"]
> ----------------------------------------------
> same as above.
>
> ERROR: ./forum.php:@main: _GET#g["forum"]
> -----------------------------------------
> Line 22 in forum.php.
>
> ERROR: ./forum.php:@main: _GET#g["msg"]
> ---------------------------------------
> forum.php: Line 58.
>
> ERROR: ./forum.php:@main: _GET#g["sforum"]
> ------------------------------------------
> bug occurs in function draw_fs_form (used in forum.php, line 186)
> defined in modules/downloads/functions.php. $forumcod is defined using
> $_GET["sforum"], and subsequently used in construction of SQL queries.
>
> ERROR: ./forum.php:@main: _POST#g["sforum"]
> -------------------------------------------
> same as above
>
> ERROR: ./forum.php:@main: _POST#g["reason"]
> -------------------------------------------
> modules/forum/movetopic.php: defined on line 74 and 80, used on line
> 90
>
> ERROR: ./forum.php:@main: _REQUEST#g["forum"]
> ---------------------------------------------
> defined: forum.php: line 124.
> used: modules/forum/split.php: line 2
>
> ERROR: ./forum.php:@main: _REQUEST#g["msg"]
> -------------------------------------------
> defined: forum.php: line 122.
> used: modules/forum/split.php: line 2
>
> ERROR: ./forum.php:@main: _REQUEST#g["subname"]
> -----------------------------------------------
> defined: line 135, used line 139
>
> ERROR: ./forum.php:@main: _REQUEST#g["toforum"]
> -----------------------------------------------
> defined: forum.php: line 110
> used: modules/forum/movetopic.php: line 62
>
> ERROR: ./forum_edit.php:@main: _GET#g["msg"]
> --------------------------------------------
> line 25
>
> ERROR: ./forum_edit.php:@main: _GET#g["forum"]
> ----------------------------------------------
> line 25
>
> ERROR: ./forum_write.php:@main: _GET#g["forum"]
> -----------------------------------------------
> invokes forum_edit.php, same as above.
>
> ERROR: ./forum_write.php:@main: _GET#g["msg"]
> ---------------------------------------------
> invokes forum_edit.php, same as above.
>
> ERROR: ./forum_write.php:@main: _POST#g["msg"]
> ----------------------------------------------
> modules/forum/write.php: def: line 85, use line 88
>
> ERROR: ./guestbook.php:@main: _POST#g["tekst"]
> ----------------------------------------------
> modules/guestbook/functions.php: def:line 202, use: line 203
>
> ERROR: ./index.php:@main: _REQUEST#g["menuoption"]
> --------------------------------------------------
> def: index.php: line 7
> use: core/theme.php: line 148
>
> ERROR: ./myaccount.php:@main: _POST#g["sel_avatar"]
> ---------------------------------------------------
> def: line 186
> use: line 195
>
> ============
>  DCP Portal
> ============
> ERROR: ./advertiser.php:@main: _POST#g["password"]
> --------------------------------------------------
> Line 50
>
> ERROR: ./advertiser.php:@main: _POST#g["username"]
> --------------------------------------------------
> Line 50
>
> ERROR: ./annoucement.php:@main: _GET#g["aid"]
> ---------------------------------------------
> Line 13
>
> ERROR: ./calendar.php:@main: _COOKIE#g["dcp5_member_id"]
> --------------------------------------------------------
> Def: line 23. Use: line 65-66
>
> ERROR: ./calendar.php:@main: _POST#g["year"]
> --------------------------------------------
> Def: line 38. Use: line 65-66
>
> ERROR: ./calendar.php:@main: _REQUEST#g["agid"]
> -----------------------------------------------
> Line 215-216
>
> ERROR: ./calendar.php:@main: _REQUEST#g["day"]
> ----------------------------------------------
> Def: line 38. Use: line 65-66
>
> ERROR: ./calendar.php:@main: _REQUEST#g["day_s"]
> ------------------------------------------------
> Line 209-210
>
> ERROR: ./calendar.php:@main: _REQUEST#g["hour"]
> -----------------------------------------------
> Line 209-210
>
> ERROR: ./calendar.php:@main: _REQUEST#g["minute"]
> -------------------------------------------------
> Line 209-210
>
> ERROR: ./calendar.php:@main: _REQUEST#g["month"]
> ------------------------------------------------
> Def: line 41. Use: line 65-66
>
> ERROR: ./calendar.php:@main: _REQUEST#g["month_s"]
> --------------------------------------------------
> Line 209-210
>
> ERROR: ./calendar.php:@main: _REQUEST#g["year"]
> -----------------------------------------------
> Def: line 41. Use: line 65-66
>
> ERROR: ./calendar.php:@main: _REQUEST#g["year_s"]
> -------------------------------------------------
> Line 209-210
>
> ERROR: ./contents.php:@main: _GET#g["cid"]
> ------------------------------------------
> Line 15
>
> ERROR: ./forums.php:@main: _COOKIE#g["dcp5_member_id"]
> ------------------------------------------------------
> Line 93, UserValid uses _COOKIE#g["dcp5_member_id"] in query.
>
> ERROR: ./forums.php:@main: _GET#g["bid"]
> ----------------------------------------
> Line 87
>
> ERROR: ./forums.php:@main: _GET#g["mid"]
> ----------------------------------------
> Line 161
>
> ERROR: ./forums.php:@main: _POST#g["mid"]
> -----------------------------------------
> Line 221
>
> ERROR: ./go.php:@main: _GET#g["bid"]
> ------------------------------------
> Line 9
>
> ERROR: ./golink.php:@main: _GET#g["lid"]
> ----------------------------------------
> Line 9
>
> ERROR: ./inbox.php:@main: _COOKIE#g["dcp5_member_id"]
> -----------------------------------------------------
> Line 9, UserValid uses _COOKIE#g["dcp5_member_id"] in query.
>
> ERROR: ./inbox.php:@main: _GET#g["mid"]
> ---------------------------------------
> Line 239
>
> ERROR: ./index.php:@main: _GET#g["catid"]
> -----------------------------------------
> Line 234
>
> ERROR: ./index.php:@main: _GET#g["cid"]
> ---------------------------------------
> Line 60
>
> ERROR: ./index.php:@main: _GET#g["dcat"]
> ----------------------------------------
> Line 306
>
> ERROR: ./index.php:@main: _GET#g["dl"]
> --------------------------------------
> Line 370
>
> ERROR: ./index.php:@main: _GET#g["doc"]
> ---------------------------------------
> Line 328
>
> ERROR: ./index.php:@main: _GET#g["lcat"]
> ----------------------------------------
> Line 252
>
> ERROR: ./index.php:@main: _GET#g["uid"]
> ---------------------------------------
> Line 538
>
> ERROR: ./informer.php:@main: _COOKIE#g["dcp5_member_id"]
> --------------------------------------------------------
> Line 9, UserValid
>
> ERROR: ./lostpassword.php:@main: _POST#g["email"]
> -------------------------------------------------
> Line 91
>
> ERROR: ./mycontents.php:@main: _COOKIE#g["dcp5_member_id"]
> ----------------------------------------------------------
> Line 9, UserValid
>
> ERROR: ./news.php:@main: _GET#g["nid"]
> --------------------------------------
> Line 13
>
> ERROR: ./rate.php:@main: _GET#g["cid"]
> --------------------------------------
> Line 9
>
> ERROR: ./rate.php:@main: _GET#g["type"]
> ---------------------------------------
> Line 17
>
> ERROR: ./rate.php:@main: _POST#g["rate"]
> ----------------------------------------
> Line 17
>
> ERROR: ./search.php:@main: _POST#g["q"]
> ---------------------------------------
> Line 20, 28, 36...
>
> ERROR: ./update.php:@main: _COOKIE#g["dcp5_member_id"]
> ------------------------------------------------------
> Line 9
>