Borek99
30-01-2008, 19:55
Witam
ostatnio dostałem e-maila o treści
http://securityreason.com/securityalert/631
w trosce o lepsze zabezpieczenie strony ;)
na stronie tej jest info:
Advisory Text :
AkoComment is a well known and widely used add-on for the Mambo
and
Joomla Content Management Systems. It allows users to post
comments to
articles.
AkoComment 2.0 suffers from an SQL injection vulnerability
(components/com_akocomment/akocomment.php):
# Clear any HTML and SQL injections
$title = strip_tags($title);
$comment = strip_tags($comment);
$title = mysql_escape_string($title);
$comment = mysql_escape_string($comment);
# Perform database query
$date = date( "Y-m-d H:i:s" );
$ip = getenv('REMOTE_ADDR');
$query2 = "INSERT INTO #__akocomment SET
contentid='$contentid',
ip='$ip', name='$acname', title='$title', comment='$comment',
date='$date', published='$ac_autopublish';";
$database->setQuery( $query2 );
$database->query();
While the user provided comment and comment title is properly
sanitized, the client provided $acname and $contentid are not.
These
correspond to hidden, value-prefilled FORM variables in the
akocomment
created html form.
It is widely known that just because the values are hidden and
not
changeable in a standard web browser doesn't mean they are not
client
provided and thus aren't trivially modified.
Since the variables are not sanitized in any way the SQL
injection
itself is straight-forward, provided magic_quotes_gpc = off.
Solution:
To fix this vulnerability put the following lines before the
"#
Perform database query" line:
$contentid = intval(strip_tags($contentid));
$acname = mysql_escape_string(strip_tags($acname));
--
Stefan Keller <skeller (at) pobox (dot) com [email
concealed]>
może ktoś mi powiedzieć o co chodzi?
ostatnio dostałem e-maila o treści
http://securityreason.com/securityalert/631
w trosce o lepsze zabezpieczenie strony ;)
na stronie tej jest info:
Advisory Text :
AkoComment is a well known and widely used add-on for the Mambo
and
Joomla Content Management Systems. It allows users to post
comments to
articles.
AkoComment 2.0 suffers from an SQL injection vulnerability
(components/com_akocomment/akocomment.php):
# Clear any HTML and SQL injections
$title = strip_tags($title);
$comment = strip_tags($comment);
$title = mysql_escape_string($title);
$comment = mysql_escape_string($comment);
# Perform database query
$date = date( "Y-m-d H:i:s" );
$ip = getenv('REMOTE_ADDR');
$query2 = "INSERT INTO #__akocomment SET
contentid='$contentid',
ip='$ip', name='$acname', title='$title', comment='$comment',
date='$date', published='$ac_autopublish';";
$database->setQuery( $query2 );
$database->query();
While the user provided comment and comment title is properly
sanitized, the client provided $acname and $contentid are not.
These
correspond to hidden, value-prefilled FORM variables in the
akocomment
created html form.
It is widely known that just because the values are hidden and
not
changeable in a standard web browser doesn't mean they are not
client
provided and thus aren't trivially modified.
Since the variables are not sanitized in any way the SQL
injection
itself is straight-forward, provided magic_quotes_gpc = off.
Solution:
To fix this vulnerability put the following lines before the
"#
Perform database query" line:
$contentid = intval(strip_tags($contentid));
$acname = mysql_escape_string(strip_tags($acname));
--
Stefan Keller <skeller (at) pobox (dot) com [email
concealed]>
może ktoś mi powiedzieć o co chodzi?