GForge Collaborative Development Environment > Projects > GForge > Tracker > Bugs

[#5552] Gforge 4.5.19 stable SQL injection

Submitted By: Fernando Munoz

Open Date 2008-10-05 19:05:16
Priority: Medium	Assignee: Nobody
Fixed In Release: wiki-0.92	Status: Open
Found In Release: wiki-0.92	Category: News
Group: gforge.org current version
Summary Gforge 4.5.19 stable SQL injection
Details Although this issue is not present on 4.6 rc, it should be fixed on the current stable version, since a lot of users are affected: There's no checking on the $_GET['offset'] parameter on the following files: /www/news/index.php /www/new/index.php This seems to affect only the postgresql backend, from file /www/include/database-pgsql.php there is no typecasting on $offset either: function db_query($qstring,$limit='-1',$offset=0) { global $QUERY_COUNT; $QUERY_COUNT++; if ($limit > 0) { if (!$offset \|\| $offset < 0) { $offset=0; } $qstring=$qstring." LIMIT $limit OFFSET $offset"; } if ($GLOBALS['IS_DEBUG']) $GLOBALS['G_DEBUGQUERY'] .= $qstring . "<p><br />\n"; global $conn; return @pg_exec($conn,$qstring); } Some vulnerable sites: https://pfe.epitech.net/news/?group_id=&limit=50&offset=50;select%201%20as%20id,CURRENT_USER%20as%20forum_id,%20version()%20as%20summary https://javahispano.net/news/?group_id=&limit=50&offset=50;select%201%20as%20id,CURRENT_USER%20as%20forum_id,%20version()%20as%20summary http://alioth.debian.org/news/?group_id=&limit=50&offset=50;select%201%20as%20id,CURRENT_USER%20as%20forum_id,%20version()%20as%20summary Fix: Typecasting to int on news.php and new.php file, or just typecasting on database-pgsql.php. The 4.6 rc already does an int typecasting on news.php and new.php files, so its not vulnerable to this.
Details Although this issue is not present on 4.6 rc, it should be fixed on the current stable version, since a lot of users are affected: There's no checking on the $_GET['offset'] parameter on the following files: /www/news/index.php /www/new/index.php This seems to affect only the postgresql backend, from file /www/include/database-pgsql.php there is no typecasting on $offset either: function db_query($qstring,$limit='-1',$offset=0) { global $QUERY_COUNT; $QUERY_COUNT++; if ($limit > 0) { if (!$offset \|\| $offset < 0) { $offset=0; } $qstring=$qstring." LIMIT $limit OFFSET $offset"; } if ($GLOBALS['IS_DEBUG']) $GLOBALS['G_DEBUGQUERY'] .= $qstring . "<p><br />\n"; global $conn; return @pg_exec($conn,$qstring); } Some vulnerable sites: https://pfe.epitech.net/news/?group_id=&limit=50&offset=50;select%201%20as%20id,CURRENT_USER%20as%20forum_id,%20version()%20as%20summary https://javahispano.net/news/?group_id=&limit=50&offset=50;select%201%20as%20id,CURRENT_USER%20as%20forum_id,%20version()%20as%20summary http://alioth.debian.org/news/?group_id=&limit=50&offset=50;select%201%20as%20id,CURRENT_USER%20as%20forum_id,%20version()%20as%20summary Fix: Typecasting to int on news.php and new.php file, or just typecasting on database-pgsql.php. The 4.6 rc already does an int typecasting on news.php and new.php files, so its not vulnerable to this.

Follow-ups

Submitted By: Fernando Munoz


Adddate: 2008-10-05 20:30:47
Another vulnerable file:

http://gforge.lug.fi.uba.ar/top/topusers.php?offset=0;select%201,version()%20as%20user_name,3,4,5;

Submitted By: Roland Mas 


Adddate: 2008-10-06 12:42:55
Fixed in SVN.

File Name	File Type	File Size	Posted By
No Files Were Found

Change Date	User Id	Field Name	Old Value	New Value
No Changes Were Found

File	Date	Previous Version	New Version	Message Log	By
No Commits Found

Dependent On Other Items

ID	Summary	Percent	Status	Delete
No Dependencies Were Found

Items Dependent On This Item

ID	Summary
No Dependencies Were Found

Items that are duplicates of this item

ID	Summary	Percent	Status	Delete
No Duplicates Were Found

This item is duplicate of...

ID	Summary	Percent	Status
No Duplicates Were Found

Associated Item	Comment
No Associated Items Found
Add Association

Tags
No Tags Found

Save changes

Back

MyGforge Home

GForge