Full Disclosure mailing list archives
Re: I have fixes for the Geeklog vulnerabilities
From: Jouko Pynnonen <jouko () iki fi>
Date: Mon, 13 Oct 2003 03:08:25 +0300
Hello, On Sun, Oct 05, 2003 at 09:00:30PM +0200, Lorenzo Hernandez Garcia-Hierro wrote:
- sql injections fix - // Geeklog SQL Injection prevention fix // by Lorenzo Hernandez Garcia-Hierro function DB_query($sql, $ignore_errors=1)
<snip>
Thats all but if you want to have a strong sql injection and error control go to line 441 , you see: function DB_error() { global $_DB; return $_DB->dbError(); } you can edit the function to write the ip of the client that make the error and block it , more agressive technics are easy to code ;-)
This is probably obvious, but ignoring errors or banning clients who cause them is not a particularly strong SQL injection control. This fix merely hides the error message, which is way insufficient. When exploiting a remote buffer overflow, you don't get an error message telling you which parameter or offset was wrong, but that hardly stops people from exploiting them. Even with this fix, it's possible to exploit an SQL injection bug in Geeklog (even though one you didn't mention) to hijack the admin or any other account - without generating an error message. I sent an exploit to the Geeklog developers today and will post it later if needed. And a couple of observations about Mr. Garcia-Hierro's IP banning code... Firstly, if X-forwarded-for: and Via: headers are set, you trust them and ignore the client's IP. These can be set by the client to anything, so a banned user can just choose an IP to send and circumvent the ban (using netcat, their own web proxy, patched browser, etc.). So both the IP (REMOTE_ADDR) and HTTP headers should be checked. Secondly, your MySQL backend does this:
$doit = mysql_query("SELECT * FROM banninip WHERE ip='$ip'",$db);
If the $ip variable comes from those HTTP headers too, your code has another SQL injection bug and probably exploitable with newer MySQL servers. A solution to both this one and Geeklog's problems is AFAIK use of addslashes(), which escapes single quotes and backslashes from user input. Thanks, -- Jouko Pynnönen Web: http://iki.fi/jouko/ jouko () iki fi GSM: +358 41 5504555 _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- I have fixes for the Geeklog vulnerabilities Lorenzo Hernandez Garcia-Hierro (Oct 05)
- Re: I have fixes for the Geeklog vulnerabilities Jouko Pynnonen (Oct 12)
- <Possible follow-ups>
- Re: I have fixes for the Geeklog vulnerabilities Dirk Haun (Oct 05)
- Re: Re: I have fixes for the Geeklog vulnerabilities morning_wood (Oct 05)
- Re: Re: I have fixes for the Geeklog vulnerabilities devnull (Oct 05)
- Re: Re: I have fixes for the Geeklog vulnerabilities Michael Renzmann (Oct 05)
- Re: Re: I have fixes for the Geeklog vulnerabilities John Sage (Oct 06)
- Re: Re: I have fixes for the Geeklog vulnerabilities morning_wood (Oct 06)
- Re: Re: I have fixes for the Geeklog vulnerabilities John Sage (Oct 09)
- Re: Re: I have fixes for the Geeklog vulnerabilities morning_wood (Oct 09)
- Re: Re: I have fixes for the Geeklog vulnerabilities morning_wood (Oct 05)
- Re: Re: I have fixes for the Geeklog vulnerabilities Lorenzo Hernandez Garcia-Hierro (Oct 08)