March 04, 2012
New security bug in Chipmunk forum script
Chipmunk forum script is still used by a few webmasters (including me) so I'm posting this new security vulnerability here and I request all the owners to patch it ASAP.
The problem lies in the SQL query that updates a user's current location on the forum.
Query:
UPDATE <prefix>_users SET userwhere = '$_SESSION[user] is viewing thread: $threadTitle' where username = '$_SESSION[user]'
The variable $threadTitle is escaped before it is stored in the posts table, but when it is read back it is in its original, unescaped form again. That retrieved form is then placed inside the query above without any escaping, which is easily exploitable.
Say the original thread title was "Happy new year": it contains no special characters, so the stored title is "Happy new year" and the retrieved title is "Happy new year" as well.
Now suppose a malicious user arrives and creates a thread with the title "',status='9',userwhere=userwhere--". The escaped, stored title is "Hacked\',status=\'9\',userwhere=userwhere--", which is fine as far as the INSERT is concerned, but when it is retrieved it is back in its original form, i.e. "Hacked',status='9',userwhere=userwhere--". When this title is used in the query,
the resulting query becomes:
UPDATE <prefix>_users SET userwhere = '$_SESSION[user] is viewing thread: ',status='9',userwhere=userwhere--' where username = '$_SESSION[user]'
After re-arranging (everything after the -- is a comment, so the WHERE clause is gone):
UPDATE <prefix>_users SET userwhere = '$_SESSION[user] is viewing thread: ', status='9', userwhere=userwhere --
How to fix it?
It's easy! Follow the golden rule: always escape a variable before placing it in a query, even if it was escaped once before on the way into the database.
// If you use mysqli ($db is the open mysqli connection; escaping uses the
// connection's character set, which is why a connection is required)
$threadTitle = $db->real_escape_string($threadTitle);
// Or if you use the old mysql extension (deprecated in PHP 5.5 and removed
// in PHP 7.0, so prefer mysqli or PDO)
$threadTitle = mysql_real_escape_string($threadTitle);
Then proceed with the query.
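Worked example of the same UPDATE done three ways, added here to illustrate the post (it is not Chipmunk forum's own code). It assumes an open mysqli connection in $db and a users table named forum_users (a placeholder for <prefix>_users) with columns username and userwhere; the username "alice" and the titles are constructed inputs. The first function builds the query the way the vulnerable code does and returns the SQL text so the effect of a quote in the title can be seen without a database; the second applies the post's fix (escape at the point of use); the third uses a prepared statement, which also covers the session username that the original query interpolates in two places.

```php
<?php
// Added example, not Chipmunk forum's own code. Assumptions: a mysqli
// connection in $db, table "forum_users" (placeholder for <prefix>_users)
// with columns username and userwhere.

// Builds the UPDATE exactly as the vulnerable code does: the session username
// and the thread title (as read back from the posts table) are pasted straight
// into the SQL text. Returned as a string for inspection.
function buildUnsafeLocationSql(string $user, string $threadTitle): string
{
    return "UPDATE forum_users SET userwhere = '$user is viewing thread: $threadTitle'"
         . " WHERE username = '$user'";
}

// The post's fix: escape each variable at the point of use, with the
// connection's character set. The username is escaped too, since it is also
// interpolated into the query.
function updateLocationEscaped(mysqli $db, string $user, string $threadTitle): bool
{
    $u = $db->real_escape_string($user);
    $t = $db->real_escape_string($threadTitle);
    $sql = "UPDATE forum_users SET userwhere = '$u is viewing thread: $t'"
         . " WHERE username = '$u'";
    return $db->query($sql) !== false;
}

// The stronger fix: a prepared statement. Username and title travel as bound
// parameters, never as part of the SQL text, so a later query that reuses a
// stored title cannot "forget" to escape it.
function updateLocationPrepared(mysqli $db, string $user, string $threadTitle): bool
{
    $stmt = $db->prepare(
        "UPDATE forum_users SET userwhere = CONCAT(?, ' is viewing thread: ', ?)"
        . " WHERE username = ?"
    );
    if ($stmt === false) {
        return false;
    }
    // Bind order follows the placeholders: user, title, user.
    $stmt->bind_param('sss', $user, $threadTitle, $user);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Offline demonstration with a harmless title and the title from the post
// (both constructed inputs): the second one ends the string literal early.
$poisonedTitle = "',status='9',userwhere=userwhere--";
echo buildUnsafeLocationSql('alice', 'Happy new year'), "\n";
echo buildUnsafeLocationSql('alice', $poisonedTitle), "\n";
```

With a real connection, call updateLocationPrepared($db, $_SESSION['user'], $threadTitle) in place of the original string-built query; the escaped variant is the minimal patch if the rest of the script is still built around string concatenation.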
PS: I have not properly explained how to exploit this, because I don't want anyone to hack anything after reading this blog post.
Don't copy my findings and tutorials.
Don't hack someone's forum based on this knowledge.
Contact me if you have issues implementing the fix. Good luck and enjoy!