XOOPS WebChat Module Input Validation Flaw Lets Remote Users Inject and Execute SQL Commands on the Underlying Database Server

SecurityTracker Alert ID: 1005630
CVE Reference: GENERIC-MAP-NOMATCH
Date: Nov 14 2002
Impact: Execution of arbitrary code via network
Exploit Included: Yes
Version(s): RC3

Description: An input validation vulnerability was reported in the XOOPS WebChat Module. A remote user can execute SQL commands on the database server.
It is reported that the software processes user-supplied input for the '$roomid' variable without properly filtering the input.
A remote user can create a specially crafted value for that variable to execute SQL commands on the underlying SQL server.

Impact: A remote user can execute arbitrary SQL commands on the underlying SQL database server.

Solution: No solution was available at the time of this entry.
The author of the report has provided an unofficial patch, available in the Source Message and at:
http://www.phpsecure.org/tutos/webchat.1-5.xoops.rc3.sql.injection.txt

Vendor URL: www.xoops.org/modules/news/
Cause: Input validation error
Underlying OS: Linux (Any), UNIX (Any), Windows (Any)
Reported By: vALDEUx@aol.com
Message History: None.

Source Message Contents

Date: Tue, 12 Nov 2002 05:55:49 -0500
From: vALDEUx@aol.com
Subject: WebChat for XOOPS RC3 SQL INJECTION
Text available at http://www.phpsecure.org/tutos/webchat.1-5.xoops.rc3.sql.injection.txt
Patch available on phpsecure.org
XOOPS RC3 WebChat Module SQL Injection
Tested with : Xoops RC3
WebChat 1-5
Author : val2 - phpsecure.org for more info and ~patches~

Lines 291-299 from modules/WebChat/index.php :

    if(isset($roomid)) {
        if($xoopsUser) {
            $wcusername = $xoopsUser->getVar("uname", "E");
            $uid = $xoopsUser->getVar("uid", "E");
        }
        join_room($roomid,$pass,$wcusername,$uid); /* <- calling joinroom function with param $roomid */
    } else {
        disp_index($errmsg);
    }

Lines 204-208 :

    function join_room($roomid,$pass,$username,$uid) {
        global $xoopsDB, $xoopsUser, $xoopsConfig, $ModName, $user, $sitename, $pnconfig, $language, $usertime;
        unset($errmsg);
        $sql = "SELECT rid, name, typ, pass, descript FROM ".$xoopsDB->prefix("chatroom")." WHERE rid = $roomid";
        $row = mysql_fetch_array(mysql_query($sql));
        [...]

PROBLEM :
$roomid is included without verification.

PATCH :
Add this line at the beginning of index.php or download the PATCH from phpsecure.org :

    $roomid = addslashes($roomid);

If you're paranoiac, shutdown your box and wait for an official release ;)
EXPLOIT :
You're a PHP/SQL g00r00, you don't need an exploit :p
MORE PATCHES !
www.phpsecure.org
MORE HOLES !
www.phpsecure.org
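
The query quoted in the message places $roomid in an unquoted numeric position (`WHERE rid = $roomid`), so the input check that matches it is one that accepts only digits and binds the value as an integer. The following is an added example, not code from the original message or from XOOPS/WebChat; the table name demo_chatroom, its rows, and the helpers parse_roomid and find_room are constructed for illustration, and it uses PDO with an in-memory SQLite database instead of the module's mysql_* calls.

```php
<?php
// Added example, not XOOPS or WebChat code. Table, rows and inputs are constructed.
declare(strict_types=1);

// Accept only a plain decimal room id; anything else is rejected, not "cleaned".
// The length limit keeps the value inside a 32-bit signed integer.
function parse_roomid($raw): ?int
{
    if (!is_string($raw) || !ctype_digit($raw) || strlen($raw) > 9) {
        return null;
    }
    return (int) $raw;
}

// Look the room up with a bound integer parameter instead of string concatenation.
function find_room(PDO $db, int $rid): ?array
{
    $stmt = $db->prepare('SELECT rid, name, typ, descript FROM demo_chatroom WHERE rid = :rid');
    $stmt->bindValue(':rid', $rid, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE demo_chatroom (rid INTEGER PRIMARY KEY, name TEXT, typ INTEGER, pass TEXT, descript TEXT)');
$db->exec("INSERT INTO demo_chatroom VALUES (1, 'lobby', 0, '', 'public room'), (2, 'staff', 1, 'secret', 'private room')");

// Constructed inputs: a valid id, a quote-free value that is not a number,
// and a value containing a quote.
foreach (['2', '1 OR 1=1', "3'"] as $raw) {
    // addslashes() escapes only quotes, backslashes and NUL bytes, so a
    // quote-free value comes back from it exactly as it went in.
    $unchanged = addslashes($raw) === $raw;
    $rid = parse_roomid($raw);
    $room = $rid === null ? null : find_room($db, $rid);
    printf("%-12s addslashes changed it: %-3s accepted: %-3s room: %s\n",
        var_export($raw, true),
        $unchanged ? 'no' : 'yes',
        $rid === null ? 'no' : 'yes',
        $room === null ? '-' : $room['name']);
}
```

In a request handler, a null result from parse_roomid is the point at which to fall back to the index page rather than call the room lookup.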