subdreamerSQL.txt

2005-03-22T00:00:00
ID PACKETSTORM:36712
Type packetstorm
Reporter ghc.ru
Modified 2005-03-22T00:00:00

Description

//*==========================================*//  
\\ GHC -> Subdreamer <- ADVISORY  
// Product: Subdreamer  
\\ Version: Subdreamer Light  
// URL: www.subdreamer.com  
\\ VULNERABILITY CLASS: SQL injection  
//*==========================================*//  
  
[Product Description]  
"Powered by PHP and MySQL, Subdreamer provides the ability to create dynamic websites while giving full control over every section of the site.   
A powerful content management system with an amazing skin engine which provides users with unique and cool looking skins!" (from homepage).   
Subdreamer is a commercial (non-free) CMS.  
A freeware edition, Subdreamer Light, is available for download.  
  
[Summary]  
Insufficient filtering of user-supplied input leads to an SQL injection vulnerability: the escaping applied in includes/core.php never reaches the variables the plugin code actually uses.  
  
[Details]  
When magic_quotes_gpc=0, core.php passes the request arrays through   
addslashes() (via its AddSlashesArray() helper):  
  
--[script includes/core.php]--  
if(!get_magic_quotes_gpc()) // add slashes if gpc is off  
{  
    // only the superglobal arrays are escaped; nothing else is touched  
    $_POST = AddSlashesArray($_POST);  
    $_GET = AddSlashesArray($_GET);  
    $_COOKIE = AddSlashesArray($_COOKIE);  
}  
  
But the script's functions import their parameters with "global" rather than reading them from the escaped $_POST / $_GET arrays.   
With register_globals=1, PHP has already created $p17_imageid and friends straight from the raw request, so the addslashes() pass above is bypassed entirely.   
  
--[script includes/core.php]--  
if(function_exists('ini_get'))  
{  
    $globalsoption = ini_get('register_globals');  
}  
else  
{  
    $globalsoption = get_cfg_var('register_globals');  
}  
if($globalsoption != 1)  
{  
    // register_globals is off: emulate it by dumping the long-style  
    // request arrays into the global scope  
    @extract($HTTP_SERVER_VARS, EXTR_SKIP);  
    @extract($HTTP_COOKIE_VARS, EXTR_SKIP);  
    @extract($HTTP_POST_FILES, EXTR_SKIP);  
    @extract($HTTP_POST_VARS, EXTR_SKIP);  
    @extract($HTTP_GET_VARS, EXTR_SKIP);  
    @extract($HTTP_ENV_VARS, EXTR_SKIP);  
    @extract($HTTP_SESSION_VARS, EXTR_SKIP);  
}  
--[/script includes/core.php]--  
  
Note that when register_globals is off, core.php recreates the same situation itself: it extract()s $HTTP_GET_VARS and the other long-style arrays into the global scope, and AddSlashesArray() was applied to $_GET, not to $HTTP_GET_VARS (PHP keeps the two as separate arrays). Either way, an attacker can inject SQL through any variable a function imports with "global".  
  
EXAMPLE  
+--------------+  
|SQL injection |  
+--------------+  
Vulnerable script: plugins/p17_image_gallery/imagegallery.php   
  
--[code]--   
function p17_DisplayImages($sectionid, $start)  
{  
    global $DB;  
    global $categoryid;  
    global $p17_imageid;   // taken from the global scope, never from $_GET  
    [...]  
    if(isset($p17_imageid))  
    {  
        // raw request value interpolated straight into the query  
        $image = $DB->query_first("SELECT * FROM p17_images WHERE imageid = '$p17_imageid'");  
        [...]  
        <td style="padding-top: 20px;" align="center"><img src="plugins/p17_image_gallery/images/'.$image['filename'].'" /></td>  
--[/code]--  
  
[Exploit]  
http://subdreamer/index.php?categoryid=3&p17_sectionid=1&p17_imageid=[SQL code]  
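The following is an added, self-contained illustration of the bypass described in [Details] and of the vulnerable pattern in p17_DisplayImages(); it is not Subdreamer code. It reproduces core.php's logic (escape $_GET, then extract() the unescaped long-style array into the global scope), runs the interpolated query from the plugin against an in-memory SQLite table standing in for p17_images, and contrasts it with a hardened version that reads $_GET and binds the value. AddSlashesArray(), the table rows and the request values are constructed for the example; PHP 7+ with the pdo_sqlite extension is assumed. The interpolated query's WHERE clause is always true and matches every row, while the bound query matches only imageid 1.

```php
<?php
// Added example, not Subdreamer code. Shows why escaping $_GET in core.php
// does not protect a variable the plugin imports with "global".
// Assumes PHP 7+ with pdo_sqlite.

// Constructed stand-in for core.php's helper: addslashes() every leaf value.
function AddSlashesArray(array $arr): array
{
    $out = [];
    foreach ($arr as $k => $v) {
        $out[$k] = is_array($v) ? AddSlashesArray($v) : addslashes($v);
    }
    return $out;
}

// Constructed request, equivalent to
//   index.php?categoryid=3&p17_sectionid=1&p17_imageid=1' OR '1'='1
$HTTP_GET_VARS = [
    'categoryid'    => '3',
    'p17_sectionid' => '1',
    'p17_imageid'   => "1' OR '1'='1",
];
$_GET = $HTTP_GET_VARS;

// Step 1 (core.php): escape the superglobal copy only.
$_GET = AddSlashesArray($_GET);

// Step 2 (core.php, register_globals emulation): the long-style array was
// never escaped, so $p17_imageid now holds the raw attacker value.
@extract($HTTP_GET_VARS, EXTR_SKIP);

// In-memory table standing in for p17_images (constructed rows).
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE p17_images (imageid INTEGER, filename TEXT)');
$db->exec("INSERT INTO p17_images VALUES (1,'a.jpg'),(2,'b.jpg'),(3,'private.jpg')");

// Vulnerable pattern from p17_DisplayImages(): interpolate the global.
function vulnerable_display(PDO $db): array
{
    global $p17_imageid;
    $sql = "SELECT * FROM p17_images WHERE imageid = '$p17_imageid'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: read the value from $_GET, not the global scope, cast it to the
// integer the column expects, and bind it. Escaping is no longer the defence.
function hardened_display(PDO $db): array
{
    $id = (int)($_GET['p17_imageid'] ?? 0);
    $st = $db->prepare('SELECT * FROM p17_images WHERE imageid = ?');
    $st->execute([$id]);
    return $st->fetchAll(PDO::FETCH_ASSOC);
}

printf("escaped \$_GET value : %s\n", $_GET['p17_imageid']);
printf("global \$p17_imageid : %s\n", $p17_imageid);
printf("vulnerable rows      : %d\n", count(vulnerable_display($db)));
printf("hardened rows        : %d\n", count(hardened_display($db)));
```

Run it with `php` from the command line. The two printed values show the core of the bug: the escaped copy in $_GET is never consulted, while the global the query uses is the raw request string. The fix is the same regardless of register_globals: take input from the request arrays, validate its type, and pass it as a bound parameter instead of building the statement by string interpolation.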
  
  
/* ================================================== */  
/* www.ghc.ru -- security games & challenges */  
/* ================================================== */  
/* greets to: 1dt.w0lf & RST.void.ru */  
/* and e-defense group. */  
/* ================================================== */  