OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Cabezon Aurélien (aurelien.cabezonisecurelabs.com)
Date: Tue Jan 29 2002 - 10:03:32 CST

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    -- [ Xoops SQL fragment disclose and SQL injection vulnerability ] --

    Discovered on 27/01/2002
    Vendor: http://xoops.sourceforge.net

    -- [ Overview ] --

    XOOPS is an open source portal script written extensively in object-oriented
    PHP. Backed with MySQL Database.
    There is 2 security issues :

    - Xoops disclose SQL query.
    - Xoops allow remote user to SQL query injection.

    -- [ Description ] --

    The userinfo.php script does not check for special meta-characters in user's
    inputs

    It is possible to make it crash using this kind of query :
    http://xoops-site/userinfo.php?uid=1;

    then it gives you this error report :

    -snip-
    MySQL Query Error: SELECT u.*, s.* FROM x_users u, x_users_status s WHERE
    u.uid=1; AND u.uid=s.uid
    Error number:1064
    Error message: You have an error in your SQL syntax near '; AND u.uid=s.uid'
    at line 1
    ERROR
    -snip-

    It dicloses many informations that help to SQL injection attack...
    Such as http://xoops-site/userinfo.php?uid=1[SQL Query]

    More about SQL injection
    http://www.owasp.org/projects/asac/iv-sqlinjection.shtml

    No exploit is given, but it was successfully tested.
    Xoops team has been alerted.

    -- [ Tested Version ] --

    Xoops RC1

    -- [ Discovered by ] --

    Cabezon Aurelien | aurelien.cabezoniSecureLabs.com
    http://www.iSecureLabs.com | French Security portal