WF-Downloads SQL Injection Vulnerability [Module troubleshooting]

1

WF-Downloads SQL Injection Vulnerability

2005/11/15 15:59
smdcom
Posts: 901
Since: 2004/4/27

http://secunia.com/advisories/17575/

Quote:

Secunia Advisory: SA17575
Release Date: 2005-11-15

Critical:
Moderately critical
Impact: Manipulation of data
Where: From remote

Solution Status:
Unpatched

Software: WF-Downloads 2.x (module for Xoops)

Select a product and view a complete list of all Patched/Unpatched Secunia advisories affecting it.

Description:
rgod has reported a vulnerability in the WF-Downloads module for Xoops, which can be exploited by malicious people to conduct SQL injection attacks.

Input passed to the "list" parameter in "viewcat.php" isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Successful exploitation requires that "magic_quotes_gpc" is disabled.

The vulnerability has been reported in version 2.05. Other versions may also be affected.

Solution:
Edit the source code to ensure that input is properly sanitised.

Provided and/or discovered by:
rgod

Please note: The information, which this Secunia Advisory is based upon, comes from third party unless stated otherwise.

Secunia collects, validates, and verifies all vulnerability reports issued by security research groups, vendors, and others.

I've talked with Bender, there's no PATCH release YET. But make sure you've XOOPS Protector Module Installed.

Official XOOPS Malaysian Support Site - www.xoopsmalaysia.org
Put your site @http://www.xoops-topsites.com

2

Re: WF-Downloads SQL Injection Vulnerability

2005/11/15 17:03
m0nty
XOOPS is my life!
Posts: 3337
Since: 2003/10/24

i think changing $_GET['list'] to $_POST['list'] may make it harder.

the rest i'm not sure about

i could be way out here, but what about line 39:

$pathstring .= $mytree->getNicePathFromId($cid, "title", "viewcat.php?op=");

adding stripslashes & trim to the path?

$pathstring .= stripslashes(trim($mytree->getNicePathFromId($cid, "title", "viewcat.php?op=")));

don't quote me on it though cos i'm certainly no programmer.. just a humble beginner.

3

Re: WF-Downloads SQL Injection Vulnerability

2005/11/15 18:34
smdcom
Posts: 901
Since: 2004/4/27

This is a suggested quick fix. Correct me if i'm wrong.

Add:


// paranoid sanitization -- only let the alphanumeric set through

$str_list = isset($_GET['list']) ? $_GET['list'] : 0; 

$list = preg_replace("/[^a-zA-Z0-9]/", "", $str_list);

Change (line 127):


$sql .= "WHERE title LIKE '" . [color=ff0000][b]$list[/b][/color] . "%' AND published > 0 AND 

            published <= " . time() . " AND (expired = 0 OR expired > " . time() . ") AND offline = 0 

            ORDER BY " . $orderby;

Official XOOPS Malaysian Support Site - www.xoopsmalaysia.org
Put your site @http://www.xoops-topsites.com

4

Re: WF-Downloads SQL Injection Vulnerability

2005/11/15 19:35
frankblack
Just can't stay away
Posts: 830
Since: 2005/6/13

A good idea would be to enable magic_quotes_gpc as told in the advisory.

5

Re: WF-Downloads SQL Injection Vulnerability

2005/11/15 21:23
Rhomal
Quite a regular
Posts: 274
Since: 2004/10/5

Quote:

smdcom wrote:
This is a suggested quick fix. Correct me if i'm wrong.

Add:
// paranoid sanitization -- only let the alphanumeric set through $str_list = isset($_GET['list']) ? $_GET['list'] : 0; $list = preg_replace("/[^a-zA-Z0-9]/", "", $str_list);

Change (line 127):
$sql .= "WHERE title LIKE '" . [color=ff0000][b]$list[/b][/color] . "%' AND published > 0 AND published <= " . time() . " AND (expired = 0 OR expired > " . time() . ") AND offline = 0 ORDER BY " . $orderby;

You say 'add' that code, but where do you do so?

6

Re: WF-Downloads SQL Injection Vulnerability

2005/11/15 21:26
Bender
Home away from home
Posts: 1899
Since: 2003/3/10

Download the edited file here: (viewcat.php in module root)

http://www.wf-projects.com/uploads/wfdownload_security_fix_for_v205a_205b.zip

Sorry, this signature is experiencing technical difficulties. We will return you to the sheduled signature as soon as possible ...

7

Re: WF-Downloads SQL Injection Vulnerability

2005/11/19 20:51
Bender
Home away from home
Posts: 1899
Since: 2003/3/10

Patch has been updated to take care of another possible problem:

http://www.wf-projects.com/uploads/wfdownload_security_fix_for_v205a_205b_fixversion_2.zip

Thanks to ackbarr and smdcom!

Please note: File was changed. If you downloaded
wfdownload_security_fix_for_v205a_205b_fixversion2.zip please download again. It was replaced by the file linked above now. (filename has to end with fixversion_2 instead of fixversion2)

Sorry, this signature is experiencing technical difficulties. We will return you to the sheduled signature as soon as possible ...

Stats
Goal:	$100.00
Due Date:	May 31
Gross Amount:	$0.00
Net Balance:	$0.00
Left to go:	$100.00

WF-Downloads SQL Injection Vulnerability

Re: WF-Downloads SQL Injection Vulnerability

Re: WF-Downloads SQL Injection Vulnerability

Re: WF-Downloads SQL Injection Vulnerability

Re: WF-Downloads SQL Injection Vulnerability

Re: WF-Downloads SQL Injection Vulnerability

Re: WF-Downloads SQL Injection Vulnerability

Login

Search

Recent Posts

Re: Rebuilding and Updating a 20 years old Xoops Website from 2.0.18? to 2.5.11

Rebuilding and Updating a 20 years old Xoops Website from 2.0.18? to 2.5.11

Re: NewBB v 5.1.0 b 6

Re: NewBB v 5.1.0 b 6

NewBB v 5.1.0 b 6

Re: XOOPS 2.5.11 search user is not working

Re: oledrion

Re: oledrion

Re: oledrion

Re: oledrion

Who's Online

Donat-O-Meter

Latest GitHub Commits

{{ record.sha.slice(0, 7) }} - {{ record.commit.message | truncate }}