There is a SQL injection vulnerability in the Seditio search plugin in v121 and earlier. There is an exploit which uses the bug to obtain a Supervisor session. The following conditions must be met for the exploit to work:
- Seditio <= 121 unpatched with Search 2.0.
- magic_quotes_gpc = Off in php.ini
- MySQL >= 4.1 (supposed to be fixed in recent >=5.x.x series)
The previous fix broke searching within specific sections, so here is the correct fix for the bug.
1. If you have already applied the previous fix, revert your search.php to its unfixed state. Open your plugins/search/search.php and do the following:
1.1. Find
PHP Code:
$sql = sed_sql_query("SELECT page_id, page_title, page_cat from $db_pages p, $db_structure s
WHERE (p.page_text LIKE '".sed_sql_prep($sqlsearch)."' OR p.page_title LIKE '".sed_sql_prep($sqlsearch)."'
OR p.page_desc LIKE '".sed_sql_prep($sqlsearch)."')
AND p.page_state='0'
AND p.page_cat=s.structure_code
AND p.page_cat NOT LIKE 'system'
".sed_sql_prep($sqlsections)." ORDER by page_cat ASC, page_title ASC
LIMIT $cfg_maxitems");
and replace with
PHP Code:
$sql = sed_sql_query("SELECT page_id, page_title, page_cat from $db_pages p, $db_structure s
WHERE (p.page_text LIKE '".sed_sql_prep($sqlsearch)."' OR p.page_title LIKE '".sed_sql_prep($sqlsearch)."'
OR p.page_desc LIKE '".sed_sql_prep($sqlsearch)."')
AND p.page_state='0'
AND p.page_cat=s.structure_code
AND p.page_cat NOT LIKE 'system'
$sqlsections ORDER by page_cat ASC, page_title ASC
LIMIT $cfg_maxitems");
1.2. Find
PHP Code:
$sql = sed_sql_query("SELECT p.fp_id, t.ft_title, t.ft_id, s.fs_id, s.fs_title, s.fs_category
FROM $db_forum_posts p, $db_forum_topics t, $db_forum_sections s
WHERE 1 AND (p.fp_text LIKE '".sed_sql_prep($sqlsearch)."' OR t.ft_title LIKE '".sed_sql_prep($sqlsearch)."')
AND p.fp_topicid=t.ft_id
AND p.fp_sectionid=s.fs_id ".sed_sql_prep($sqlsections)."
GROUP BY t.ft_id ORDER BY fp_id DESC
LIMIT $cfg_maxitems");
and replace with
PHP Code:
$sql = sed_sql_query("SELECT p.fp_id, t.ft_title, t.ft_id, s.fs_id, s.fs_title, s.fs_category
FROM $db_forum_posts p, $db_forum_topics t, $db_forum_sections s
WHERE 1 AND (p.fp_text LIKE '".sed_sql_prep($sqlsearch)."' OR t.ft_title LIKE '".sed_sql_prep($sqlsearch)."')
AND p.fp_topicid=t.ft_id
AND p.fp_sectionid=s.fs_id $sqlsections
GROUP BY t.ft_id ORDER BY fp_id DESC
LIMIT $cfg_maxitems");
2. Now you can apply the correct patch. In your plugins/search/search.php:
2.1. Find
PHP Code:
foreach($pag_sub as $i => $k)
{ $sub[] = "page_cat='".$k."'"; }
replace with
PHP Code:
foreach($pag_sub as $i => $k)
{ $sub[] = "page_cat='".sed_sql_prep($k)."'"; }
2.2. Find
PHP Code:
foreach($frm_sub as $i => $k)
{ $sections1[] = "s.fs_id='".$k."'"; }
replace with
PHP Code:
foreach($frm_sub as $i => $k)
{ $sections1[] = "s.fs_id='".sed_sql_prep($k)."'"; }
Updated by Trustmaster
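An added example (not from the post and not Seditio's code) that reproduces the difference between the two fixes against an in-memory SQLite table: escaping the assembled $sqlsections fragment, as the previous fix did, mangles the fragment's own quotes and breaks the query, while escaping each section value keeps it valid. The shape of the page query and of the $sqlsections fragment is assumed, SQLite quote-doubling stands in for sed_sql_prep(), and the last function shows the placeholder-based form that avoids escaping altogether.

```python
import sqlite3

# Constructed sample data (not Seditio's schema): only the columns the query touches.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE pages(page_id INTEGER, page_title TEXT, page_cat TEXT,
                           page_text TEXT, page_state TEXT);
        INSERT INTO pages VALUES (1, 'Welcome', 'news',   'hello world', '0');
        INSERT INTO pages VALUES (2, 'Hidden',  'system', 'hello admin', '0');
        INSERT INTO pages VALUES (3, 'Howto',   'docs',   'hello again', '0');
    """)
    return conn

def sql_prep(value):
    """Stand-in for sed_sql_prep(): escape ONE string literal. SQLite doubles the
    quote where MySQL's mysql_real_escape_string() would backslash it."""
    return value.replace("'", "''")

def sections_previous_fix(cats):
    """The previous fix: build the fragment from raw values, then escape the whole
    fragment. The quotes delimiting the literals get escaped too, so the SQL breaks."""
    sub = ["page_cat='" + k + "'" for k in cats]
    return sql_prep("AND (" + " OR ".join(sub) + ")")

def sections_correct_fix(cats):
    """The correct fix from the post: escape each user-supplied value and leave the
    fragment's own quotes intact."""
    sub = ["page_cat='" + sql_prep(k) + "'" for k in cats]
    return "AND (" + " OR ".join(sub) + ")"

def search(conn, term, sections_sql):
    """Assumed shape of the page query; returns matching ids, or None when the
    assembled SQL does not even parse (the 'spoiled search' symptom)."""
    sql = ("SELECT page_id FROM pages WHERE page_text LIKE '" + sql_prep(term) + "' "
           "AND page_state='0' AND page_cat NOT LIKE 'system' "
           + sections_sql + " ORDER BY page_id")
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.OperationalError:
        return None

def search_parameterized(conn, term, cats):
    """Preferable to escaping at all: one placeholder per selected section, so user
    input never becomes part of the SQL text."""
    marks = ", ".join("?" * len(cats))
    sql = ("SELECT page_id FROM pages WHERE page_text LIKE ? AND page_state='0' "
           "AND page_cat NOT LIKE 'system' AND page_cat IN (" + marks + ") "
           "ORDER BY page_id")
    return [row[0] for row in conn.execute(sql, [term, *cats])]
```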