1.3.1 security alert (sql injection & file inclusion)
07-01-2005, 10:13 AM |
GHC
Registered User
Joined: Jul 2005
We've tried to contact the authors from the "contact" page, but still no answer received. So, we decided to publish the security alert here.
[Summary]
Insufficient filtration of user input data can lead to SQL injection
vulnerability and arbitrary file including.
[Details]
-----------[SQL injection]----------
Vulnerable script: class.ticket.php
Vulnerable code:
-- Code: --
function CloseTicket($ticket) {
    mysql_query("UPDATE tickets SET status = 'closed' WHERE ID=$ticket"); // - SQL injection
}
-[skip]-
function ReopenTicket($ticket) {
    mysql_query("UPDATE tickets SET status='open' WHERE ID=$ticket"); // - SQL injection
}
-[skip]-
function PostMessage($ticket, $message, $headers='', $notify=true) {
    global $config;
    $headers = $config[save_headers] ? $headers : "";
    $gmtime = (time() - date("Z")) + 3600;
    ReopenTicket($ticket);
    mysql_query("INSERT INTO ticket_messages (ticket, message, headers, timestamp)
        VALUES($ticket, '" . addslashes(striptags($message)) . // - SQL injection
        "', '" . addslashes($headers) . "', FROM_UNIXTIME('$gmtime') + 0)");
    if ($config[alert_new]) {
        email_alert($ticket, mysql_insert_id());
    }
    $t = mysql_fetch_array(mysql_query("SELECT email, cat FROM tickets WHERE ID=$ticket")); // - SQL injection
--
It is possible to inject arbitrary SQL code through a POST query.
----------[Arbitrary file including (local)]----------
The $inc variable is not defined in the files view.php and open.php in some cases.
If "Register Globals" is "on", an attacker can define this variable to invoke arbitrary local file inclusion.
Vulnerable code:
-- Code: --
include(INCLUDE_DIR."/$inc.php");
--
POC:
http://vulnsite/osticket/view.php?inc=x
Server answer:
[23-Jun-2005 00:57:40] PHP Warning: main():
Failed opening '/home/vulnsite/public_html/_osticket/include/x.php'
for inclusion (include_path='.:/usr/lib/php:/usr/local/lib/php')
in /home/vulnsite/public_html/_osticket/view.php on line 98
Believe this will help the authors to develop security bug fixes.
GHC staff
www.ghc.ru
www.rst.void.ru
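Hardened counterparts to the two patterns reported above, as an added example that is not code from the advisory or from osTicket itself; it assumes a PDO connection ($db) and an allow-list of page names, neither of which is an osTicket API.

```php
<?php
// Added example, not osTicket's own code: hardened counterparts to the two
// patterns in the advisory. $db (a PDO handle) and the page allow-list are
// assumptions for illustration.

// SQL injection: $ticket was interpolated unquoted into the query string.
// Hardened form validates it as a positive integer and binds it as a parameter.
function ticketId($ticket): ?int {
    $id = filter_var($ticket, FILTER_VALIDATE_INT);
    return ($id !== false && $id > 0) ? $id : null;
}

function closeTicket(PDO $db, $ticket): bool {
    $id = ticketId($ticket);
    if ($id === null) {
        return false;                       // reject anything that is not a ticket ID
    }
    $stmt = $db->prepare("UPDATE tickets SET status = 'closed' WHERE ID = :id");
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    return $stmt->execute();
}

function postMessage(PDO $db, $ticket, string $message, string $headers = ''): bool {
    $id = ticketId($ticket);
    if ($id === null) {
        return false;
    }
    $gmtime = (time() - date("Z")) + 3600;  // same timestamp rule as the original
    $stmt = $db->prepare(
        "INSERT INTO ticket_messages (ticket, message, headers, timestamp)
         VALUES (:ticket, :message, :headers, FROM_UNIXTIME(:ts))"
    );
    $stmt->bindValue(':ticket', $id, PDO::PARAM_INT);
    $stmt->bindValue(':message', strip_tags($message), PDO::PARAM_STR);
    $stmt->bindValue(':headers', $headers, PDO::PARAM_STR);
    $stmt->bindValue(':ts', $gmtime, PDO::PARAM_INT);
    return $stmt->execute();
}

// Local file inclusion: include(INCLUDE_DIR."/$inc.php") with $inc taken from
// the request under register_globals. Hardened form never builds the path from
// request data; it maps the name through a fixed allow-list (assumed names).
const ALLOWED_PAGES = ['view' => 'view.inc', 'open' => 'open.inc'];

function resolvePage(string $includeDir, ?string $requested): string {
    $name = ALLOWED_PAGES[$requested ?? 'view'] ?? ALLOWED_PAGES['view'];
    return $includeDir . '/' . $name . '.php';
}
// require resolvePage(INCLUDE_DIR, $_GET['inc'] ?? null);  // only allow-listed files can be included
```

Any value of $inc that is not an allow-list key falls back to the default page instead of reaching the filesystem, and a non-numeric $ticket never reaches the database.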