PHP pro bid v 6.04 SQL injection
- To: bugtraq@xxxxxxxxxxxxxxxxx
- Subject: PHP pro bid v 6.04 SQL injection
- From: "Jan van Niekerk" <jvnkrk@xxxxxxxxx>
- Date: Fri, 19 Sep 2008 11:14:40 +0200
- List-id: <bugtraq.list-id.securityfocus.com>
Affected software: PHP pro bid v 6.04 (as at 2008-09-11)
Vendor description: The Leading Proffessional (sic) Auction Script
Software available online today written in PHP/ Mysql
Impact: SQL injection
Description:
categories.php and other pages of php pro bid accept user-supplied
order-by and ASC/DESC fields.
The software prints helpful messages too:
SQL Query: SELECT a.auction_id, a.name, a.start_price, a.max_bid,
a.nb_bids, a.currency, a.end_time, a.closed, a.bold, a.hl,
a.buyout_price, a.is_offer, a.reserve_price, a.owner_id FROM
probid_auctions a WHERE a.active=1 AND a.approved=1 AND a.closed=0 AND
a.deleted=0 AND a.list_in!='store' AND a.creation_in_progress=0 GROUP
BY a.auction_id ORDER BY (select 1)x LIMIT 0, 20
Leveraging an admin user name and password is left as an exercise to the reader.
Demo:
http://example.com/phpprobidlocation/categories.php?start=0&limit=20&parent_id=669&keywords_cat_search=&buyout_price=&reserve_price=&quantity=&enable_swap=&order_field=(select%201)x&order_type=%20
Solution:
- Don't let junior programmers add sort-by column features. The original
design was much nicer than the later hacks.
- If you fix a bug (for example, in search.php), take the trouble to
look for equivalent bugs in other pages. Did I mention that the bug
is on another page too? Not? Oh well.
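The root cause described above is that `order_field` and `order_type` are concatenated straight into the ORDER BY clause. Column names and sort directions cannot be bound as prepared-statement parameters, so the fix is to treat the request values as keys into an allowlist rather than as SQL text. The following is an added illustration, not PHP Pro Bid's own code; the column map, function names and the `$request` array are constructed for the example.

```php
<?php
// Vulnerable shape, as the advisory describes it: whatever the client sends
// for order_field / order_type becomes part of the query (do not use).
function buildOrderByVulnerable(array $get): string
{
    $field = $get['order_field'] ?? 'a.end_time';
    $type  = $get['order_type']  ?? 'ASC';
    return 'ORDER BY ' . $field . ' ' . $type;
}

// Hardened shape: request values only select from a fixed map of identifiers.
// (Constructed allowlist; real column names come from the application schema.)
const ORDER_COLUMNS = [
    'end_time'    => 'a.end_time',
    'start_price' => 'a.start_price',
    'nb_bids'     => 'a.nb_bids',
    'name'        => 'a.name',
];

function buildOrderBySafe(array $get): string
{
    $fieldKey = (string) ($get['order_field'] ?? 'end_time');
    $typeKey  = strtoupper(trim((string) ($get['order_type'] ?? 'ASC')));

    if (!array_key_exists($fieldKey, ORDER_COLUMNS)) {
        // Unknown key: log it for detection and fall back to the default column.
        error_log('rejected order_field value: ' . $fieldKey);
        $fieldKey = 'end_time';
    }
    $column = ORDER_COLUMNS[$fieldKey];

    // Direction is exactly one of two literals; anything else becomes ASC.
    $direction = ($typeKey === 'DESC') ? 'DESC' : 'ASC';

    return "ORDER BY {$column} {$direction}";
}

// Constructed request mirroring the parameters in the advisory's demo URL.
$request = ['order_field' => '(select 1)x', 'order_type' => ' '];

// The vulnerable builder passes the user text through unchanged; the safe one
// yields only an allowlisted column and a literal direction.
echo buildOrderByVulnerable($request), PHP_EOL;
echo buildOrderBySafe($request), PHP_EOL;

// Numeric paging values (start, limit) are then bound as placeholders with PDO,
// and the generated query is never echoed back to the client on error.
$sql = 'SELECT a.auction_id, a.name FROM probid_auctions a WHERE a.active=1 '
     . buildOrderBySafe($request) . ' LIMIT ?, ?';
```

The same helper should be reused by every page that exposes sorting (categories.php, search.php and the rest), so that fixing one page fixes them all.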
Timeline:
- Posted this as a comment on the vendor contact-us web form last week.
- Sent this to bugtraq this week (yesterday)
- Bugtraq said not to post exploits against live sites
- URL of vendor demo site duly censored, in the interests of full disclosure