FS#7883 - Possible SQL injection vulnerabilities

Attached to Project: AUR web interface
Opened by . (Thralas) - Thursday, 23 August 2007, 22:04 GMT
Last edited by Roman Kyrylych (Romashka) - Thursday, 04 October 2007, 17:46 GMT
Task Type Bug Report
Category Backend
Status Closed
Assigned To Paul Mattal (paul)
Architecture All
Severity Critical
Priority Normal
Reported Version 1.2.9
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Whilst going through the AUR SVN trunk code I've discovered some potential SQL injection vulnerabilities. The severity depends on magic_quotes - possibly 'preventing' exploitation if it's turned on. Another limit may be the maximum of 32 injectable characters.

I can at least confirm this issue on my local copy of the AUR - revision 356, magic_quotes off (pretty much default). A malicious user may register using a username containing a SQL injection string - which is properly escaped and inserted into the database at registration. However upon displaying index.php (as the logged-in attacker) the username is used unsanitized in a query. A quick and dirty fix can be found in my git repository - I'm a bit short of time currently, I'm not yet done going through the code.

[url=http://ius.student.utwente.nl/cgi-bin/gitweb.cgi?p=aur/.git;a=commitdiff;h=aa48302e539e91845970c229c5a3c030185c72fc;hp=4ae07bfb3e7491ac8a261ee9d0af8f5e151ff2fa]Fix diff[/url] (against the latest SVN trunk revision)
This task depends upon

Closed by  Roman Kyrylych (Romashka)
Thursday, 04 October 2007, 17:46 GMT
Reason for closing:  Fixed
Comment by tardo (tardo) - Friday, 07 September 2007, 23:17 GMT
Here's a patch that replaces all mysql_escape_string() with mysql_real_escape_string(). Synced to revision 356 of course.
   mysql-injections-fix.patch (18.8 KiB)
Comment by tardo (tardo) - Saturday, 08 September 2007, 00:52 GMT
Apparently there are more vulnerabilities... especially if magic_quotes_gpc() is off.

/me goes sifting through code.

For the time being, can we get the AUR site synced to the latest revision? It does fix some small bugs.
Comment by . (Thralas) - Saturday, 08 September 2007, 01:02 GMT
The patch above by tardo does not resolve the vulnerability (the git commitdiff from my initial report should, however [1]). Use of mysql_real_escape_string() instead of mysql_escape_string() is good practise though. I have a 'global replace' of it in my git repo. [2]

[1] = http://ius.student.utwente.nl/cgi-bin/gitweb.cgi?p=aur/.git;a=commitdiff;h=aa48302e539e91845970c229c5a3c030185c72fc
[2] = http://ius.student.utwente.nl/cgi-bin/gitweb.cgi?p=aur/.git;a=commitdiff;h=4ae07bfb3e7491ac8a261ee9d0af8f5e151ff2fa
Comment by . (Thralas) - Thursday, 04 October 2007, 17:01 GMT
It's been fixed. You may close it.

Loading...