SecurityTracker: XOOPS WebChat Module Input Validation Flaw Lets Remote Users Inject and Execute SQL Commands on the Underlying Database Server

	Keep Track of the Latest Vulnerabilities with SecurityTracker!

Home | View Topics | Search | Contact Us |

SecurityTracker
Archives

Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary

Instant Alerts

Buy our Premium Vulnerability Notification Service to receive customized, instant alerts

Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!

Become a Partner and License Our Database or Notification Service

Report a Bug

Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com

Category: Application (Instant Messaging/IRC/Chat) > XOOPS

Vendors: Xoops.sourceforge.net

XOOPS WebChat Module Input Validation Flaw Lets Remote Users Inject and Execute SQL Commands on the Underlying Database Server

SecurityTracker Alert ID: 1005630

SecurityTracker URL: http://securitytracker.com/id/1005630

CVE Reference: GENERIC-MAP-NOMATCH (Links to External Site)

Date: Nov 14 2002

Impact: Execution of arbitrary code via network

Exploit Included: Yes

Version(s): RC3

Description: An input validation vulnerability was reported in the XOOPS WebChat Module. A remote user can execute SQL commands on the database server.

It is reported that the software processes user-supplied input for the '$roomid' variable without properly filtering the input. A remote user can create a specially crafted value for that variable to execute SQL commands on the underlying SQL server.

Impact: A remote user can execute arbitrary SQL commands on the underlying SQL database server.

Solution: No solution was available at the time of this entry.

The author of the report has provided an unofficial patch, available in the Source Message and at:

http://www.phpsecure.org/tutos/webchat.1-5.xoops.rc3.sql.injection.txt

Vendor URL: www.xoops.org/modules/news/ (Links to External Site)

Cause: Input validation error

Underlying OS: Linux (Any), UNIX (Any), Windows (Any)

Message History: None.

Source Message Contents

Date: Tue, 12 Nov 2002 05:55:49 -0500
Subject: WebChat for XOOPS RC3 SQL INJECTION


Text available at http://www.phpsecure.org/tutos/webchat.1-5.xoops.rc3.sql.injection.txt
Patch available on phpsecure.org


XOOPS RC3 WebChat Module SQL Injection

Tested with :   Xoops RC3
        WebChat 1-5
Author :    val2 - phpsecure.org for more info and ~patchs~


Lines 291-299 from modules/WebChat/index.php :

    if(isset($roomid)) {
      if($xoopsUser) {
        $wcusername = $xoopsUser->getVar("uname", "E");
        $uid = $xoopsUser->getVar("uid", "E");
      }
      join_room($roomid,$pass,$wcusername,$uid); /* <- calling joinroom function with param $roomid */
    } else {
      disp_index($errmsg);
    }

Lines 204-208 :
    function join_room($roomid,$pass,$username,$uid) {
      global $xoopsDB, $xoopsUser, $xoopsConfig, $ModName, $user, $sitename, $pnconfig, $language, $usertime;
      unset($errmsg);
      $sql = "SELECT rid, name, typ, pass, descript FROM ".$xoopsDB->prefix("chatroom")." WHERE rid = $roomid";
      $row = mysql_fetch_array(mysql_query($sql));
        [...]


PROBLEM :
    $roomid id is included whitout verification.

PATCH :
    add this line a the beginning of index.php or download PATCH from phpsecure.org :
    $roomid = addslashes($roomid);
    If you're paranoiac, shutdown your box and wait for an official release ;)

EXPLOIT :
    You're a PHP/SQL g00r00, you don't need an exploit :p


MORE PATCHS !
    www.phpsecure.org

MORE HOLES !
    www.phpsecure.org

Go to the Top of This SecurityTracker Archive Page

Home | View Topics | Search | Contact Us
Copyright 2012, SecurityGlobal.net LLC