Web_Links 7.9 Issue

Posted: Tue Feb 06, 2007 6:28 pm

I got a genuine UNION attack today, but sentinel caught it. Cool

This was directed at the Web_Links module.

While examining the code (Nuke 7.9 patched) to see what he was trying to do, I noticed that there are several cases where the $lid variable is not sanitized before use. See the function viewlinkeditorial() for example. It makes a SQL query with an unsanitized $lid near the top of the function, then sanitizes it, and does some more queries with it. That first query is vulnerable.

I fixed it by finding the switch($l_op) at the bottom of the file. Right before the switch I added a

$lid = intval($lid);

After looking over the code it doesn't look like his attack would have worked on my Nuke anyway; his column count didn't match for the UNION to succeed.

I am looking forward to RavenNuke 2.10... Cool

(As an aside, there are lots of places in the functions where they do this: $lid = intval(trim($lid));...why the trim()? Doesn't seem necessary to me.)

More aside:
This was probably the 2nd or 3rd time that I've been attacked that I know of. I did a whois on the IP and traced it to some Chicago datacenter. I emailed the abuse account about it. He said there wasn't much he could do as they were using a proxy. He might be able to go through his logs but he didn't sound to interested in doing that. Maybe I'm just new to this, but I find this kind of thing really unsettling. Makes you question your faith in humanity when people do crap like this.

Posted: Tue Feb 06, 2007 10:44 pm

Hmm you are correct .. it seems that Patched 3.3 for 7.9 has some oversights. I don't see it in Patched for 7.8 though.

My personal copy already fixed this. No problems in RavenNuke either
I don't see trim() being necessary either

Posted: Wed Feb 07, 2007 5:37 pm

I'll be honest right up front that the following may or may not apply to 7.9. Since I do not use that version, I don't know. But, in 7.6 (RavenNuke 2.02.02 and below) there was another issue where an add could occur even though the "anonymous" posting is turned off. I ended up changing the "Add" function as follows:

Code:




function Add($title, $url, $auth_name, $cat, $description, $email) {


    global $prefix, $db, $user, $links_anonaddlinklock;


    if (is_user($user) || $links_anonaddlinklock == 1) { //RN0000530 - Disable anonymous exploits!


        $result = $db->sql_query("SELECT url from ".$prefix."_links_links where url='$url'");


        $numrows = $db->sql_numrows($result);


        if ($numrows>0) {


            include_once("header.php");


            menu(1);


            echo "<br />";


            OpenTable();


            echo "<center><b>"._LINKALREADYEXT."</b><br /><br />"


                .""._GOBACK."";


            CloseTable();


            include_once("footer.php");


        } else {


            if(is_user($user)) {


                $user2 = base64_decode($user);


                $user2 = addslashes($user2);


                $cookie = explode(":", $user2);


                cookiedecode($user);


                $submitter = $cookie[1];


            }


            // Check if Title exist


            if (empty($title)) {


                include_once("header.php");


                menu(1);


                echo "<br />";


                OpenTable();


                echo "<center><b>"._LINKNOTITLE."</b><br /><br />"


                    .""._GOBACK."";


                CloseTable();


                include_once("footer.php");


            }


            // Check if URL exist


            if (empty($url)) {


                include_once("header.php");


                menu(1);


                echo "<br />";


                OpenTable();


                echo "<center><b>"._LINKNOURL."</b><br /><br />"


                    .""._GOBACK."";


                CloseTable();


                include_once("footer.php");


            }


            // Check if Description exist


            if (empty($description)) {


                include_once("header.php");


                menu(1);


                echo "<br />";


                OpenTable();


                echo "<center><b>"._LINKNODESC."</b><br /><br />"


                    .""._GOBACK."";


                CloseTable();


                include_once("footer.php");


            }


            $cat = explode("-", $cat);


            if (empty($cat[1])) {


                $cat[1] = 0;


            }


            $title = stripslashes(check_html(FixQuotes($title, "nohtml")));


            $url = stripslashes(check_html($url, "nohtml"));


            $description = stripslashes(check_html(FixQuotes($description), "html"));


            $auth_name = stripslashes(check_html($auth_name, "nohtml"));


            if (!empty($email)) {


                if (($email = validate_mail(stripslashes(check_html($email, "nohtml")))) === false) {


                    die();


                }


            }


            $cat[0] = intval($cat[0]);


            $cat[1] = intval($cat[1]);


            $num_new = $db->sql_numrows($db->sql_query("SELECT * FROM ".$prefix."_links_newlink WHERE title='$title' OR url='$url' OR description='$description'"));


            if ($num_new == 0) {


                $db->sql_query("insert into ".$prefix."_links_newlink values (NULL, '$cat[0]', '$cat[1]', '".addslashes($title)."', '".addslashes($url)."', '".addslashes($description)."', '".addslashes($auth_name)."', '".addslashes($email)."', '".addslashes($submitter)."')");


            }


            include_once("header.php");


            menu(1);


            echo "<br />";


            OpenTable();


            echo "<center><b>"._LINKRECEIVED."</b><br />";


            if (!empty($email)) {


                echo _EMAILWHENADD;


            } else {


                echo _CHECKFORIT;


            }


            CloseTable();


            include_once("footer.php");


        }


    } else { //RN0000530 - Start of Disable anonymous exploits!


        include_once('header.php');


        menu(1);


        echo '<br />';


        OpenTable();


        echo '<center>'._LINKSNOTUSER1.'<br />'


            ._LINKSNOTUSER2.'<br /><br />'


            ._LINKSNOTUSER3.'<br />'


            ._LINKSNOTUSER4.'<br />'


            ._LINKSNOTUSER5.'<br />'


            ._LINKSNOTUSER6.'<br />'


            ._LINKSNOTUSER7.'<br /><br />'


            ._LINKSNOTUSER8;


        CloseTable();


        include_once('footer.php');


    } //RN0000530 - End of Disable anonymous exploits!


}

I figured it could not hurt to get a second/third/... opinion. Wink

Posted: Thu Feb 08, 2007 2:16 am

Yea I saw that you fixed this montgeo. Good catch, I know some other comment parts also had this problem

Posted: Thu Feb 08, 2007 6:47 pm

Quote:

I know some other comment parts also had this problem

Uh, oh, I don't recall seeing anything there. If you know what you are looking for, do you mind taking a quick look at the code? Much ablidged kind Sir!

Posted: Thu Feb 08, 2007 10:29 pm

I believe at one point, the Downloads and News comments did this too. I believe it should be correct now for all areas