sql injection help

  • snout (Newbie, Posts: 10)

Post 3+ Months Ago

Got a PHP script I would like to use, Softbiz Web Hosting Directory, but there is an SQL injection vulnerability in it that is all over the security websites.

Input passed to the "cid" parameter in "search_result.php" and "browsecats.php", to the "sbres_id" parameter in "review.php", and to the "h_id" parameter in "email.php" isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
Example:
http://[host]/search_result.php?cid=[sql]
http://[host]/browsecats.php?cid=[sql]
http://[host]/review.php?sbres_id=[sql]
http://[host]/email.php?&h_id=[sql]

Are there any general protection steps that can be taken to fix this? I am not able to go over the PHP code and fix it all manually. Maybe there is a fix by someone else, since there is no fix by the vendor.
Any help would be appreciated.

  • Rabid Dog (Web Master, Posts: 3245, Loc: South Africa)

Post 3+ Months Ago

Have they released a patch for it?
  • snout (Newbie, Posts: 10)

Post 3+ Months Ago

snout wrote:
... Maybe there is a fix by someone else, since there is no fix by the vendor....

No fix by the developer, that is.
  • Rabid Dog (Web Master, Posts: 3245, Loc: South Africa)

Post 3+ Months Ago

I would mail them, as this injection vuln must have been fixed.
  • snout (Newbie, Posts: 10)

Post 3+ Months Ago

Tried that already, couldn't get it done. The only way is to fix it myself, and that's why I ask for help.
  • Rabid Dog (Web Master, Posts: 3245, Loc: South Africa)

Post 3+ Months Ago

Well, you are going to have to reverse engineer the code and write some sort of function that escapes SQL special characters.

Unfortunately I don't have the time to do that right now, sorry.
  • snout (Newbie, Posts: 10)

Post 3+ Months Ago

There is no SQL injection in the login form, so I don't think I need to pass the strings through mysql_real_escape_string().

An injection example that will delete contents of a table can be

http://[host]/browsecats.php?cid=1'DELETE FROM categories WHERE 1='1;

and in that case maybe all i need is make sure that the id is an integer and add this into the php file

$iID = (int) $_GET['id'];
$sQuery = "SELECT id, title, body FROM categories WHERE id='$iID'";

I am rather inexperienced, don't really understand how to fix it.
  • joebert (Fart Bubbles, Genius, Posts: 13502, Loc: Florida)

Post 3+ Months Ago

I don't understand why they aren't going to provide support for a product they sell. Especially with that big ass "Technical Support 100% Free" banner on the site. :scratchhead:

Well, there is the possibility that they don't provide support to anyone without a licensed copy, but that would mean you didn't have a licensed copy.
  • pyx (Novice, Posts: 30, Loc: Leeds)

Post 3+ Months Ago

snout wrote:
There is no SQL injection in the login form, so I don't think I need to pass the strings through mysql_real_escape_string().

An injection example that will delete contents of a table can be

http://[host]/browsecats.php?cid=1'DELETE FROM categories WHERE 1='1;

and in that case maybe all i need is make sure that the id is an integer and add this into the php file

$iID = (int) $_GET['id'];
$sQuery = "SELECT id, title, body FROM categories WHERE id='$iID'";

I am rather inexperienced, don't really understand how to fix it.


Yeah, casting numbers with (int) will help, but you should also make sure that any input into fields you know are of [..]int type is not encased in single quotes. That way, if someone tries to add a quote in an SQL injection, it throws an error.
Anything else should be mysql_real_escape_stringed and, if necessary, stripped of slashes.
Also, before entering anything whose input you can verify (such as a select box with a finite number of legal responses), check it and reject anything that isn't what is expected.

I don't have the time to look through the code, but it shouldn't take too long to make sure at least these basic security checks are in place.

Also, if you have control of the server, you can restrict the number of mysql queries in one mysql_query() to 1, which prevents users appending things. Though this can get rather annoying, as I found out when my hosting company did it to me!
  • snout (Newbie, Posts: 10)

Post 3+ Months Ago

I see... this is what I came to:

// is_numeric(), not is_nan(): is_nan() only tests a float for NaN, so a string like
// "1 OR 1=1" would be converted to 1.0 and pass straight through to the query.
$cid = is_numeric($_REQUEST["cid"]) ? $_REQUEST["cid"] : die('hacker');
$child_cat = mysql_query("select * from sb_host_categories where sb_pid=" . $cid);

Should it do the work?
  • pyx (Novice, Posts: 30, Loc: Leeds)

Post 3+ Months Ago

As long as the PHP version your server is running is greater than 4.2 then yeah, that should be fine.
Possibly out of paranoia, I always check for numeric values and then cast them as ints afterwards anyway. Don't know if it makes a difference really, but it makes me feel better.

In this case I'd change it to

// same numeric check, then an explicit cast so only an integer ever reaches the query
$cid = is_numeric($_REQUEST["cid"]) ? (int) $_REQUEST["cid"] : die('hacker');

but, as I say, that's just my paranoia :)
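Pulling the thread's advice together (pyx's points above: cast numeric parameters to int, keep them unquoted, escape or whitelist everything else; and the is_numeric()/(int) check on cid in the last two posts), here is an added PHP example. It is not from the Softbiz script and not code any poster in this thread wrote. It runs against an in-memory SQLite database through PDO, so it needs the pdo_sqlite extension and no MySQL server; the table name sb_host_categories and the sb_pid column are taken from snout's query, the other column names and the rows are made up for the demo. The vulnerable function concatenates cid the way browsecats.php does, so the payload 1 OR 1=1, which contains no quote character at all, returns every category; the hardened function validates cid as an integer and binds it as a parameter. Prepared statements are used instead of the mysql_real_escape_string() the thread mentions, because escaping only protects values inside quotes and this parameter is unquoted.

```php
<?php
// Added example, not from the Softbiz script or anyone in the thread.
// Shows why "sb_pid=".$cid is injectable even without quotes, and a hardened
// version: validate cid as an integer, then bind it in a prepared statement.
// Assumes the pdo_sqlite extension; table/column names and rows are made up,
// except sb_host_categories and sb_pid, which come from the thread.

function open_demo_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE sb_host_categories (sb_id INTEGER PRIMARY KEY, sb_pid INTEGER, sb_name TEXT)');
    $db->exec("INSERT INTO sb_host_categories (sb_id, sb_pid, sb_name) VALUES
               (1, 0, 'Shared hosting'), (2, 0, 'Dedicated'),
               (3, 1, 'Linux shared'),   (4, 1, 'Windows shared')");
    return $db;
}

// Vulnerable: the request value is pasted straight into the SQL string,
// which is what the original browsecats.php does. No quotes are involved,
// so escaping quote characters would not help here at all.
function child_cats_vulnerable(PDO $db, string $cid): array
{
    $sql = "SELECT sb_id, sb_name FROM sb_host_categories WHERE sb_pid=" . $cid;
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: accept only a plain integer (is_numeric() would also let through
// "1e3" or "1.5"), then bind it so the value can never change the query's shape.
function child_cats_safe(PDO $db, string $cid): array
{
    $id = filter_var($cid, FILTER_VALIDATE_INT);
    if ($id === false) {
        // The thread's die('hacker'); in a real app answer 400 and log the request.
        throw new InvalidArgumentException('cid must be an integer');
    }
    $stmt = $db->prepare('SELECT sb_id, sb_name FROM sb_host_categories WHERE sb_pid = :pid');
    $stmt->bindValue(':pid', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = open_demo_db();

// Normal request: both versions return the two children of category 1.
printf("vulnerable, cid=1: %d rows\n", count(child_cats_vulnerable($db, '1')));
printf("safe,       cid=1: %d rows\n", count(child_cats_safe($db, '1')));

// Injected request: "1 OR 1=1" turns the WHERE clause into sb_pid=1 OR 1=1,
// so the vulnerable version hands back the whole table (4 rows).
$payload = '1 OR 1=1';
printf("vulnerable, cid=%s: %d rows\n", $payload, count(child_cats_vulnerable($db, $payload)));
try {
    child_cats_safe($db, $payload);
} catch (InvalidArgumentException $e) {
    printf("safe,       cid=%s: rejected (%s)\n", $payload, $e->getMessage());
}
```

Save it as a file and run it with the php command-line binary; the first two lines print 2 rows each, the vulnerable call with the payload prints 4 rows, and the hardened call rejects the payload before any SQL is built. The same pattern applies to the other parameters in the advisory (sbres_id, h_id): validate the type you expect, then bind.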

Post Information

  • Total Posts in this topic: 11 posts
© 1998-2014. Ozzu® is a registered trademark of Unmelted, LLC.