Network Security Bugtraq

AkoComment SQL injection vulnerability

Subject: AkoComment SQL injection vulnerability
Date: Sun, 26 Mar 2006 20:36:51 +0200
AkoComment is a well known and widely used add-on for the Mambo and
Joomla Content Management Systems. It allows users to post comments to
articles.

AkoComment 2.0 suffers from an SQL injection vulnerability
(components/com_akocomment/akocomment.php):

    # Clear any HTML and SQL injections
    $title   = strip_tags($title);
    $comment = strip_tags($comment);
    $title   = mysql_escape_string($title);
    $comment = mysql_escape_string($comment);

    # Perform database query
    $date      = date( "Y-m-d H:i:s" );
    $ip        = getenv('REMOTE_ADDR');
    $query2 = "INSERT INTO #__akocomment SET contentid='$contentid',
ip='$ip', name='$acname', title='$title', comment='$comment',
date='$date', published='$ac_autopublish';";
    $database->setQuery( $query2 );
    $database->query();

While the user-provided comment and comment title are properly
sanitized, the client-provided $acname and $contentid are not. They
correspond to hidden, pre-filled fields in the HTML form that
AkoComment generates.

It is widely known that values being hidden and not changeable in a
standard web browser does not mean they are not client-provided; they
can be trivially modified.

Since the variables are not sanitized in any way, the SQL injection
itself is straightforward, provided magic_quotes_gpc = off.

Solution:

To fix this vulnerability, put the following lines before the "#
Perform database query" line:
    $contentid = intval(strip_tags($contentid));
    $acname = mysql_escape_string(strip_tags($acname));

--
Stefan Keller <skeller@pobox.com>
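As an added example (not the advisory's or AkoComment's code), here is the same INSERT rewritten with PDO prepared statements, which is the more robust fix than escaping: the escaping-based fix above depends on mysql_escape_string, which ignores the connection character set and was removed together with the mysql extension in PHP 7.0. The PDO connection, the expanded $table name and the $post array are assumptions.

```php
<?php
// Added example, not AkoComment's code. Same INSERT as in the advisory, but
// every client-supplied value (including the "hidden" contentid and acname
// fields) is validated and bound as a parameter, so no SQL escaping is
// needed and the magic_quotes_gpc setting is irrelevant. Assumes a PDO
// connection and that the Joomla "#__" prefix has already been expanded
// into $table by trusted server-side configuration.

function storeComment(PDO $pdo, string $table, array $post, bool $autopublish): bool
{
    // contentid is an article id: accept only a positive integer. A failed
    // check means the hidden field was tampered with, so reject the request.
    $contentid = filter_var(
        $post['contentid'] ?? '',
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    if ($contentid === false) {
        return false;
    }

    // Strip HTML from free-text fields as the original does; acname gets the
    // same treatment as title and comment instead of being trusted.
    $acname  = strip_tags((string) ($post['acname'] ?? ''));
    $title   = strip_tags((string) ($post['title'] ?? ''));
    $comment = strip_tags((string) ($post['comment'] ?? ''));

    $sql = "INSERT INTO {$table}
                (contentid, ip, name, title, comment, date, published)
            VALUES (:contentid, :ip, :name, :title, :comment, :date, :published)";
    $stmt = $pdo->prepare($sql);

    // Values are sent separately from the SQL text, so a quote or comment
    // sequence in any field is stored literally rather than parsed as SQL.
    return $stmt->execute([
        ':contentid' => $contentid,
        ':ip'        => $_SERVER['REMOTE_ADDR'] ?? '',
        ':name'      => $acname,
        ':title'     => $title,
        ':comment'   => $comment,
        ':date'      => date('Y-m-d H:i:s'),
        ':published' => $autopublish ? 1 : 0,
    ]);
}
```

Rejecting a non-integer contentid (rather than silently coercing it with intval) also gives a log point for spotting tampered form submissions.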
