OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
possible SQL injection in Subdreamer

From: GHC team (fosterghc.ru)
Date: Fri Mar 18 2005 - 14:15:41 CST

//*==========================================*//
\\ GHC -> Subdreamer <- ADVISORY
// Product: Subdreamer
\\ Version: Subdreamer Light
// URL: www.subdreamer.com
\\ VULNERABILITY CLASS: SQL injection
//*==========================================*//

[Product Description]
"Powered by PHP and MySQL, Subdreamer provides the ability to create dynamic websites while giving full control over every section of the site.
A powerful content management system with an amazing skin engine which provides users with unique and cool looking skins!" (from homepage).
Subdreamer is non-free CMS.
Freeware version - Subdreamer Light - avaliable for download.

[Summary]
 Unsufficient filtration of user input data can lead to SQL injection vulnerability .

[Details]
In case if magic_quotes_gpc=0, some global arrays drive through
addslashes() function.

--[script includes/core.php]--
if(!get_magic_quotes_gpc()) // add slashes if gpc is off
{
  $_POST = AddSlashesArray($_POST);
  $_GET = AddSlashesArray($_GET);
  $_COOKIE = AddSlashesArray($_COOKIE);
--[/script includes/core.php]--

But in script's functions variables are defined as "global", not from global POST or GET arrays.
This can lead to avoid filtration with addslashes() if register_global=1.

--[script includes/core.php]--
if(function_exists('ini_get'))
{
  $globalsoption = ini_get('register_globals');
}
else
{
  $globalsoption = get_cfg_var('register_globals');
}
if($globalsoption != 1)
{
  extract($HTTP_SERVER_VARS, EXTR_SKIP);
  extract($HTTP_COOKIE_VARS, EXTR_SKIP);
  extract($HTTP_POST_FILES, EXTR_SKIP);
  extract($HTTP_POST_VARS, EXTR_SKIP);
  extract($HTTP_GET_VARS, EXTR_SKIP);
  extract($HTTP_ENV_VARS, EXTR_SKIP);
  extract($HTTP_SESSION_VARS, EXTR_SKIP);
}
--[/script includes/core.php]--

In this case an attacker can make SQL injection assault through some variables which are defined as global in functions.

EXAMPLE
+--------------+
|SQL injection |
+--------------+
Vulnerable script: plugins/p17_image_gallery/imagegallery.php

--[code]--
function p17_DisplayImages($sectionid, $start)
{
  global $DB;
  global $categoryid;
  global $p17_imageid;
 [...]
 if(isset($p17_imageid))
 {
 $image = $DB->query_first("SELECT * FROM p17_images WHERE imageid = '$p17_imageid'");
 [...]
 <td style="padding-top: 20px;" align="center"><img src="plugins/p17_image_gallery/images/'.$image['filename'].'" /></td>
--[/code]--

[Exploit]
http://subdreamer/index.php?categoryid=3&p17_sectionid=1&p17_imageid=[SQL code]
  

/* ================================================== */
/* www.ghc.ru -- security games & challenges */
/* ================================================== */
/* greets to: 1dt.w0lf & RST.void.ru */
/* and e-defense group. */
/* ================================================== */