Details
Although this issue is not present on 4.6 rc, it should be fixed on the current
stable version, since a lot of users are affected:
There's no checking on the $_GET['offset'] parameter on the following files:
/www/news/index.php
/www/new/index.php
This seems to affect only the PostgreSQL backend; in
/www/include/database-pgsql.php there is no typecasting on $offset either:
function db_query($qstring,$limit='-1',$offset=0) {
    global $QUERY_COUNT;
    $QUERY_COUNT++;
    if ($limit > 0) {
        // Only rejects empty/negative values; a non-numeric string such as
        // "50;select ..." passes this check untouched.
        if (!$offset || $offset < 0) {
            $offset=0;
        }
        // $limit and $offset are interpolated into the SQL string verbatim.
        $qstring=$qstring." LIMIT $limit OFFSET $offset";
    }
    if ($GLOBALS['IS_DEBUG'])
        $GLOBALS['G_DEBUGQUERY'] .= $qstring . "<p><br />\n";
    global $conn;
    return @pg_exec($conn,$qstring);
}
Some vulnerable sites:
https://pfe.epitech.net/news/?group_id=&limit=50&offset=50;select%201%20as%20id,CURRENT_USER%20as%20forum_id,%20version()%20as%20summary
https://javahispano.net/news/?group_id=&limit=50&offset=50;select%201%20as%20id,CURRENT_USER%20as%20forum_id,%20version()%20as%20summary
http://alioth.debian.org/news/?group_id=&limit=50&offset=50;select%201%20as%20id,CURRENT_USER%20as%20forum_id,%20version()%20as%20summary
Fix:
Typecasting to int on the news.php and new.php files, or just typecasting on
database-pgsql.php. The 4.6 rc already does an int typecast on the news.php and
new.php files, so it's not vulnerable to this.
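As an added illustration (not GForge's own code), the same LIMIT/OFFSET builder with and without the (int) cast the fix describes. The base query, table name and request values below are constructed; only the shape of the offset value follows the report.

```php
<?php
// Added example, not the project's code: two versions of a db_query()-style
// LIMIT/OFFSET builder, mirroring the original logic and the proposed fix.

// Unsafe: reproduces the original check. A non-numeric string is neither
// empty nor "< 0" (PHP 7 compares its numeric prefix 50; PHP 8 compares it
// as a string against "0"), so it survives and is interpolated verbatim.
function build_query_unsafe(string $qstring, $limit, $offset): string {
    if ($limit > 0) {
        if (!$offset || $offset < 0) {
            $offset = 0;
        }
        $qstring .= " LIMIT $limit OFFSET $offset";
    }
    return $qstring;
}

// Hardened: cast both values to int before they reach the SQL string, as the
// fix describes. (int)"50;select ..." yields 50; non-numeric input yields 0,
// and negative offsets are clamped to 0 as in the original.
function build_query_safe(string $qstring, $limit, $offset): string {
    $limit  = (int) $limit;
    $offset = max(0, (int) $offset);
    if ($limit > 0) {
        $qstring .= " LIMIT $limit OFFSET $offset";
    }
    return $qstring;
}

// Constructed request values shaped like the report's query string
// (a hypothetical table name; not GForge's schema).
$get  = ['limit' => '50', 'offset' => '50;select 1 as id, CURRENT_USER as forum_id'];
$base = "SELECT id, forum_id, summary FROM news WHERE is_approved = 1";

echo "unsafe: ", build_query_unsafe($base, $get['limit'], $get['offset']), "\n";
echo "safe:   ", build_query_safe($base, $get['limit'], $get['offset']), "\n";
```

Running it shows the unsafe builder carrying the whole attacker-controlled string into the statement, while the hardened builder emits only the integer 50.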