Full Disclosure mailing list archives

Re: I have fixes for the Geeklog vulnerabilities

From: Jouko Pynnonen <jouko () iki fi>
Date: Mon, 13 Oct 2003 03:08:25 +0300


Hello,

On Sun, Oct 05, 2003 at 09:00:30PM +0200, Lorenzo Hernandez Garcia-Hierro wrote:

- sql injections fix  -

// Geeklog SQL Injection prevention fix
// by Lorenzo Hernandez Garcia-Hierro
function DB_query($sql, $ignore_errors=1)


<snip>

Thats all but if you want to have a strong sql injection and error control
go to line  441 , you see:

function DB_error()
{
    global $_DB;

    return $_DB->dbError();
}

you can edit the function to write the ip of the client that make the error
and block it , more agressive technics are easy to code ;-)



This is probably obvious, but ignoring errors or banning clients who 
cause them is not a particularly strong SQL injection control. This fix 
merely hides the error message, which is way insufficient. When
exploiting a remote buffer overflow, you don't get an error message 
telling you which parameter or offset was wrong, but that hardly stops 
people from exploiting them.

Even with this fix, it's possible to exploit an SQL injection 
bug in Geeklog (even though one you didn't mention) to hijack the admin 
or any other account - without  generating an error message. I sent an 
exploit to the Geeklog developers today and will post it later if 
needed.

And a couple of observations about Mr. Garcia-Hierro's IP banning 
code... Firstly, if X-forwarded-for: and Via: headers are set, you 
trust them and ignore the client's IP. These can be set by the client 
to anything, so a banned user can just choose an IP to send and 
circumvent the ban (using netcat, their own web proxy, patched browser, 
etc.). So both the IP (REMOTE_ADDR) and HTTP headers should be checked.

Secondly, your MySQL backend does this:

$doit = mysql_query("SELECT * FROM banninip WHERE ip='$ip'",$db);


If the $ip variable comes from those HTTP headers too, your code has 
another SQL injection bug and probably exploitable with newer MySQL 
servers.

A solution to both this one and Geeklog's problems is AFAIK use of 
addslashes(), which escapes single quotes and backslashes from user 
input.

Thanks,



-- 
Jouko Pynnönen          Web: http://iki.fi/jouko/
jouko () iki fi            GSM: +358 41 5504555

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Current thread:

I have fixes for the Geeklog vulnerabilities Lorenzo Hernandez Garcia-Hierro (Oct 05)
- Re: I have fixes for the Geeklog vulnerabilities Jouko Pynnonen (Oct 12)
- <Possible follow-ups>
- Re: I have fixes for the Geeklog vulnerabilities Dirk Haun (Oct 05)
  - Re: Re: I have fixes for the Geeklog vulnerabilities morning_wood (Oct 05)
    - Re: Re: I have fixes for the Geeklog vulnerabilities devnull (Oct 05)
    - Re: Re: I have fixes for the Geeklog vulnerabilities Michael Renzmann (Oct 05)
    - Re: Re: I have fixes for the Geeklog vulnerabilities John Sage (Oct 06)
    - Re: Re: I have fixes for the Geeklog vulnerabilities morning_wood (Oct 06)
    - Re: Re: I have fixes for the Geeklog vulnerabilities John Sage (Oct 09)
    - Re: Re: I have fixes for the Geeklog vulnerabilities morning_wood (Oct 09)
  - Re: Re: I have fixes for the Geeklog vulnerabilities jelmer (Oct 07)
    - Re: Re: I have fixes for the Geeklog vulnerabilities Lorenzo Hernandez Garcia-Hierro (Oct 08)

(Thread continues...)