WebChat for XOOPS RC3 SQL INJECTION

2002-11-12T00:00:00
ID SECURITYVULNS:DOC:3742
Type securityvulns
Reporter Securityvulns
Modified 2002-11-12T00:00:00

Description

Text available at http://www.phpsecure.org/tutos/webchat.1-5.xoops.rc3.sql.injection.txt
Patch available on phpsecure.org

XOOPS RC3 WebChat Module SQL Injection

Tested with : Xoops RC3 WebChat 1-5
Author : val2 - phpsecure.org for more info and patches

Lines 291-299 from modules/WebChat/index.php :

if(isset($roomid)) {
  if($xoopsUser) {
    $wcusername = $xoopsUser->getVar("uname", "E");
    $uid = $xoopsUser->getVar("uid", "E");
  }
  join_room($roomid,$pass,$wcusername,$uid); /* <- calling join_room function with param $roomid */
} else {
  disp_index($errmsg);
}

Lines 204-208 :

function join_room($roomid,$pass,$username,$uid) {
  global $xoopsDB, $xoopsUser, $xoopsConfig, $ModName, $user, $sitename, $pnconfig, $language, $usertime;
  unset($errmsg);
  $sql = "SELECT rid, name, typ, pass, descript FROM ".$xoopsDB->prefix("chatroom")." WHERE rid = $roomid";
  $row = mysql_fetch_array(mysql_query($sql));
  [...]

PROBLEM : $roomid is included in the SQL query without verification.

PATCH : add this line at the beginning of index.php, or download the PATCH from phpsecure.org :

$roomid = addslashes($roomid);

If you're paranoid, shut down your box and wait for an official release ;)
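The query in join_room() interpolates $roomid without surrounding quotes, and addslashes() only escapes quotes, backslashes and NUL bytes, so a non-numeric value containing none of those characters reaches the SQL text unchanged. The example below is added here and is not part of the original advisory or of WebChat; its function names, the table name and the sample inputs are constructed. It validates the id as an integer before it is used.

```php
<?php
// Added example: not WebChat/XOOPS code. Function names and the table name
// 'xoops_chatroom' are hypothetical; the sample inputs are constructed.

// Return $raw as a positive integer room id, or null when it is anything else.
function parse_room_id($raw): ?int
{
    // Reject arrays (roomid[]=...) and other non-string request values.
    if (!is_string($raw)) {
        return null;
    }
    // 1 to 9 digits, no sign, whitespace or suffix; \A and \z anchor the whole string.
    if (preg_match('/\A[1-9][0-9]{0,8}\z/', $raw) !== 1) {
        return null;
    }
    return (int) $raw;
}

// The int type on $roomId means only digits can reach the SQL text.
function build_room_query(string $table, int $roomId): string
{
    return "SELECT rid, name, typ, pass, descript FROM $table WHERE rid = $roomId";
}

// Compare what addslashes() and the integer check do with each constructed input.
function compare_inputs(array $samples): array
{
    $rows = [];
    foreach ($samples as $raw) {
        $rows[] = [
            'raw'        => $raw,
            'addslashes' => addslashes($raw),
            'room_id'    => parse_room_id($raw),
        ];
    }
    return $rows;
}

foreach (compare_inputs(['42', '42 abc', "42'", '', '-1', '007']) as $row) {
    $query = $row['room_id'] === null
        ? 'rejected'
        : build_room_query('xoops_chatroom', $row['room_id']);
    printf("%-9s addslashes: %-9s -> %s\n",
        var_export($row['raw'], true), var_export($row['addslashes'], true), $query);
}
```

On current PHP versions, passing the id as a bound parameter through a PDO or mysqli prepared statement removes the string interpolation altogether.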

EXPLOIT : You're a PHP/SQL g00r00, you don't need an exploit :p

MORE PATCHES ! www.phpsecure.org

MORE HOLES ! www.phpsecure.org