XOOPS Object-Oriented Web Portal Software Lets Remote Users Inject SQL Commands that Will Be Executed By the Underlying SQL Database
|
Date: Jan 27 2002
|
Impact: Disclosure of system information, Execution of arbitrary code via network
|
Advisory: iSecureLabs
|
Version(s): RC1
|
Description: iSecureLabs.com reported a security vulnerability in the XOOPS portal script. A remote user can inject SQL queries that will be executed by the underlying MySQL database.
It is reported that the userinfo.php script does not filter out special meta-characters. A remote user can reportedly cause the
server to crash with the following type of URL, yielding some potentially sensitive information:
http://xoops-site/userinfo.php?uid=1;
When it crashes, the server returns the following type of error report:
-snip-
MySQL Query Error: SELECT u.*, s.* FROM x_users
u, x_users_status s
WHERE u.uid=1;
AND u.uid=s.uid
Error number:1064
Error message: You have an error in your SQL syntax near
'; AND
u.uid=s.uid' at line 1
ERROR
-snip-
It is reported that a remote user can use this information to create a URL that
will cause the server to execute arbitrary user-supplied SQL commands.
The vendor has reportedly been notified.
|
Impact: A remote user can execute SQL commands on the underlying SQL server.
|
Solution: No solution was available at the time of this entry.
|
Vendor URL: xoops.sourceforge.net/modules/news/ (Links to External Site)
|
Cause: Input validation error
|
Underlying OS: Linux (Any), UNIX (Any), Windows (Any)
|
Reported By: Cabezon Aurelien <aurelien.cabezon@iSecureLabs.com>
|
Message History:
None.
|
Source Message Contents
|
Date: Sun, 27 Jan 2002 13:56:18 -0500
From: Cabezon Aurelien <aurelien.cabezon@iSecureLabs.com>
Subject: Xoops SQL fragment disclosure and SQL injection vulnerability
|
Xoops SQL fragment disclosure and SQL injection vulnerability ()
Posté le Dimanche, janvier 27 @ 16:45:38 CET par acz
XOOPS is an open source portal script written extensively in
object-oriented PHP. Backed with MySQL Database.
There are 2 security issues :
- Xoops disclose SQL query.
- Xoops allow remote user to SQL query injection.
-- [ Xoops SQL fragment disclose and SQL injection vulnerability ] --
Discovered on 27/01/2002
Vendor: http://xoops.sourceforge.net
-- [ Overview ] --
XOOPS is an open source portal script written extensively in
object-oriented PHP. Backed
with MySQL Database.
There is 2 security issues :
- Xoops disclose SQL query.
- Xoops allow remote user to SQL query injection.
-- [ Description ] --
The userinfo.php script does not check for special meta-characters.
It is possible to make it crash using this kind of query :
http://xoops-site/userinfo.php?uid=1;
then it gives you this error report :
-snip-
MySQL Query Error: SELECT u.*, s.* FROM x_users u, x_users_status s
WHERE u.uid=1;
AND u.uid=s.uid
Error number:1064
Error message: You have an error in your SQL syntax near '; AND
u.uid=s.uid' at line 1
ERROR
-snip-
It dicloses many informations that help to SQL injection attack...
More about SQL injection
http://www.owasp.org/projects/asac/iv-sqlinjection.shtml
No exploit is given, but it was successfully tested.
Xoops team has been alerted.
-- [ Tested Version ] --
Xoops RC1
-- [ Discovered by ] --
Cabezon Aurelien | aurelien.cabezon@iSecureLabs.com
http://www.iSecureLabs.com | French Security portal
|
|
