The Community Forums


SQL Injection exploit Advanced Guest Book v2.2

Discussion in 'General Discussion' started by kokoman, Aug 1, 2004.

  1. kokoman

    kokoman Active Member

    Joined:
    Nov 28, 2002
    Messages:
    27
    Likes Received:
    0
    Trophy Points:
    0
    Location:
    BA, Argentina
    The AGB 2.2 appears vulnerable to SQL Injection granting the attacker administrator access.

    The attack is very simple and consists of entering the string detailed below, leaving the username entry blank:

    ') OR ('a' = 'a

    I developed a fix for this issue (the other alternative is to upgrade to a newer version of AGB); just add the following lines to the file 'admin.php' in the guestbook directory.

    starting from line 9

    --- lines to add are below this line ---

    $verifica = stristr($password," OR ");
    if ($verifica <> FALSE) die ("A volar pancho!");

    --- end

    regards
    Martin
     
  2. haze

    haze Well-Known Member

    Joined:
    Dec 21, 2001
    Messages:
    1,550
    Likes Received:
    3
    Trophy Points:
    38
  3. dlorch

    dlorch Member

    Joined:
    May 12, 2004
    Messages:
    9
    Likes Received:
    0
    Trophy Points:
    1
    @kokoman

    This won't fix the SQL injection issue, not even the login problem. Try

    ') or ('a' = 'a

    (lowercase "or") and you'll see what I mean. Here's a patch which fixes the problem by properly escaping the values before passing them on to the SQL query. It also changes the version from 2.2 to 2.2-pl1 (which means "patch level 1").

    Code:
    diff -ur guestbook-dist/lib/session.class.php guestbook/lib/session.class.php
    --- guestbook-dist/lib/session.class.php        Thu Sep  9 10:50:57 2004
    +++ guestbook/lib/session.class.php     Thu Sep  9 11:02:27 2004
    @@ -55,7 +55,10 @@
         }
     
         function checkPass($username,$password) {
    -        $this->query("SELECT ID FROM ".$this->table['auth']." WHERE username='$username' and password=PASSWORD('$password')");
    +        $this->query(sprintf("SELECT ID FROM %s WHERE username='%s' and password=PASSWORD('%s')",
    +          $this->table['auth'],
    +          mysql_escape_string($username),
    +          mysql_escape_string($password)));
             $this->fetch_array($this->result);
             return ($this->record) ? $this->record["ID"] : false;
         }
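Review bot: `mysql_escape_string()` in the new `checkPass()` ignores the connection's character set; `mysql_real_escape_string()` honours it and is the safer call for both `%s` arguments (it needs an open link, which this class has to hold anyway to issue `$this->query()`). The escaping only protects the query because both values sit inside single quotes in the SQL string, so that must stay true if the query is ever edited. `$this->table['auth']` is still interpolated unescaped; that is acceptable only as long as it comes exclusively from the application's own configuration.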
    diff -ur guestbook-dist/templates/footer.php guestbook/templates/footer.php
    --- guestbook-dist/templates/footer.php Sun Nov  4 00:33:08 2001
    +++ guestbook/templates/footer.php      Thu Sep  9 11:02:56 2004
    @@ -1,4 +1,4 @@
    -<center><font face="Arial, Helvetica, sans-serif" color="#CCCCCC" size="1"><b>Advanced Guestbook 2.2<br>
    +<center><font face="Arial, Helvetica, sans-serif" color="#CCCCCC" size="1"><b>Advanced Guestbook 2.2-pl1<br>
       Powered by PHP &amp; MySQL - <a href="http://www.proxy2.de" target="_blank"><font color="#CCCCCC">http://http://www.proxy2.de</font></a></b></font></center>
     </body>
     </html>
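Review bot: the unchanged context line right below the edited footer line carries a pre-existing typo in the link text, `http://http://www.proxy2.de`; since this file is being touched anyway, fix it to `http://www.proxy2.de`. The bump to `2.2-pl1` lives only in this template; if the guestbook reports its version anywhere else (an admin page or a version constant), bump that in the same patch so the two do not disagree.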
    
     
  4. kokoman

    kokoman Active Member

    Joined:
    Nov 28, 2002
    Messages:
    27
    Likes Received:
    0
    Trophy Points:
    0
    Location:
    BA, Argentina
    Yes, you're right... I forgot to post the final version of the code...

    --- old version
    $verifica = stristr($password," OR ");
    if ($verifica <> FALSE) die ("A volar pancho!");

    --- new version
    if (stristr(strtolower($password), " or ") <> false) die ("your own gentle ;) message");

    best regards
     
  5. dlorch

    dlorch Member

    Joined:
    May 12, 2004
    Messages:
    9
    Likes Received:
    0
    Trophy Points:
    1
    @kokoman

    No offense, but you don't seem to understand the problem. The big issue about this security hole is that you are able to inject any kind of SQL, such as DROP TABLE, DROP DATABASE, DELETE. It's not the administration panel of AGB that worries me most. You can only solve this issue by properly escaping the values entered by the user, as suggested by the patch I provided in the previous posting.
     
  6. kokoman

    kokoman Active Member

    Joined:
    Nov 28, 2002
    Messages:
    27
    Likes Received:
    0
    Trophy Points:
    0
    Location:
    BA, Argentina

    Don't worry, I'm not offended... we are here just to exchange what we know about known problems, right?

    Pay attention to the function 'strtolower': that function converts any string to lower case, e.g. strtolower("Or") = "or"; strtolower("oR") = "or"; strtolower("OR") = "or". As you see, in any case the string will be "or" (in lower case).

    Don't forget something about the possibility of injecting a DROP or DELETE statement by means of the login screen of AGB: that won't work inside a SELECT.
     
  7. cPanelBilly

    cPanelBilly Guest

    That is correct; we recommend all users use the Update Advanced Guest Book option in cPanel to update to this version.
    This updated version of Advanced Guest Book has been available for awhile now inside of cpanel.
     
  8. kokoman

    kokoman Active Member

    Joined:
    Nov 28, 2002
    Messages:
    27
    Likes Received:
    0
    Trophy Points:
    0
    Location:
    BA, Argentina
    Well, I never said that I suggested the opposite. But that's not incorrect... newbie!
     
  9. dlorch

    dlorch Member

    Joined:
    May 12, 2004
    Messages:
    9
    Likes Received:
    0
    Trophy Points:
    1
    @kokoman

    try this:

    ') || ('a' = 'a
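
    As an added example (not code from this thread or from Advanced Guestbook), the following Python script runs the checkPass() variants argued about above against a constructed SQLite stand-in for the guestbook's auth table: the raw string interpolation of AGB 2.2, kokoman's " or " filter, the escaping approach of dlorch's patch, and a bound-parameter version. MySQL's PASSWORD() is emulated with SHA-1 purely so the query shape matches; the table name, the admin row and the tab-separated payload are assumptions made here. SQLite reads || as string concatenation rather than OR, so the || variant from the thread is only checked against the filter; the tab variant shows the same bypass in a form SQLite does execute.

```python
import hashlib
import sqlite3

# The two payloads posted in this thread, plus one whitespace variant added here.
OR_PAYLOAD = "') OR ('a' = 'a"      # kokoman's original
PIPE_PAYLOAD = "') || ('a' = 'a"    # dlorch's reply: MySQL treats || as OR by default
TAB_PAYLOAD = "')\tOR\t('a' = 'a"   # added here: tabs are SQL whitespace but never " or "


def _password(plain):
    """Stand-in for MySQL's PASSWORD(); SHA-1 is used only so the query shape matches AGB."""
    return "*" + hashlib.sha1(plain.encode()).hexdigest().upper()


def make_db():
    """Constructed in-memory stand-in for AGB's auth table (the real app uses MySQL)."""
    conn = sqlite3.connect(":memory:")
    conn.create_function("PASSWORD", 1, _password)
    conn.execute("CREATE TABLE book_auth (ID INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("INSERT INTO book_auth VALUES (1, 'admin', PASSWORD('s3cret'))")
    conn.commit()
    return conn


def check_pass_vulnerable(conn, username, password):
    """Same string interpolation as AGB 2.2's checkPass(): the value becomes SQL text."""
    sql = ("SELECT ID FROM book_auth WHERE username='%s' and password=PASSWORD('%s')"
           % (username, password))
    row = conn.execute(sql).fetchone()
    return row[0] if row else False


def blocked_by_or_filter(password):
    """kokoman's mitigation: refuse any password containing ' or ' (case-insensitive)."""
    return " or " in password.lower()


def check_pass_filtered(conn, username, password):
    """The filter in front of the unchanged vulnerable query."""
    if blocked_by_or_filter(password):
        return False
    return check_pass_vulnerable(conn, username, password)


def sqlite_escape(value):
    """Escaping for SQLite's quoting rule (double the quote). dlorch's patch uses
    mysql_escape_string(), which backslash-escapes for MySQL instead; the effect is the
    same: the value can no longer terminate the quoted literal it sits in."""
    return value.replace("'", "''")


def check_pass_escaped(conn, username, password):
    """Interpolation kept, but every value is escaped first, as in dlorch's patch."""
    sql = ("SELECT ID FROM book_auth WHERE username='%s' and password=PASSWORD('%s')"
           % (sqlite_escape(username), sqlite_escape(password)))
    row = conn.execute(sql).fetchone()
    return row[0] if row else False


def check_pass_param(conn, username, password):
    """Bound parameters: the driver sends values separately from the statement text."""
    row = conn.execute(
        "SELECT ID FROM book_auth WHERE username=? and password=PASSWORD(?)",
        (username, password)).fetchone()
    return row[0] if row else False


if __name__ == "__main__":
    db = make_db()
    print("valid login         :", check_pass_vulnerable(db, "admin", "s3cret"))
    print("OR payload, raw     :", check_pass_vulnerable(db, "", OR_PAYLOAD))
    print("OR payload, filter  :", check_pass_filtered(db, "", OR_PAYLOAD))
    print("tab payload, filter :", check_pass_filtered(db, "", TAB_PAYLOAD))
    print("|| passes filter?   :", not blocked_by_or_filter(PIPE_PAYLOAD))
    print("OR payload, escaped :", check_pass_escaped(db, "", OR_PAYLOAD))
    print("OR payload, param   :", check_pass_param(db, "", OR_PAYLOAD))
```

    Run it directly to see each variant's result. The disagreement in the thread is visible in the output: the filter catches the literal payload, but any other spelling of an OR, or any other SQL at all, walks straight through it, while escaping (or parameter binding) keeps the value inert whatever it contains.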
     
  10. laura

    laura Active Member

    Joined:
    Sep 12, 2003
    Messages:
    35
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    indonesia
    My AGB is ver 2.2!
    How do I upgrade from the cPanel menu?
    My cPanel menu cannot find my Advanced Guestbook, so how do I upgrade easily?
     
  11. elleryjh

    elleryjh Well-Known Member

    Joined:
    Apr 12, 2003
    Messages:
    479
    Likes Received:
    0
    Trophy Points:
    16
    cPanel is still installing 2.2! Where can I upgrade to a newer version?


    WHM 9.9.7 cPanel 9.9.8-R5
     
  12. nickn

    nickn Well-Known Member
    PartnerNOC

    Joined:
    Jun 15, 2003
    Messages:
    619
    Likes Received:
    1
    Trophy Points:
    18
    It's 2.3.1 on MOST of our servers.
     
  13. elleryjh

    elleryjh Well-Known Member

    Joined:
    Apr 12, 2003
    Messages:
    479
    Likes Received:
    0
    Trophy Points:
    16
    so there's no way to update? Just hope that it updates itself one day?

    What is this--Microsoft?! :)
     
  14. dlorch

    dlorch Member

    Joined:
    May 12, 2004
    Messages:
    9
    Likes Received:
    0
    Trophy Points:
    1
    Just use the patch!
     
  15. elleryjh

    elleryjh Well-Known Member

    Joined:
    Apr 12, 2003
    Messages:
    479
    Likes Received:
    0
    Trophy Points:
    16
    Where can I find that patch and where can I apply it so that future installations are the newest version?
     
  16. ThunderHostingDotCom

    ThunderHostingDotCom Well-Known Member

    Joined:
    Nov 18, 2002
    Messages:
    450
    Likes Received:
    1
    Trophy Points:
    16
    Location:
    All over!
    Billy: The function in WHM is great but it is ONLY good for new installs of the guestbook! How do we go about upgrading current versions already installed?

    UPDATE: Since I posted this earlier today I found out that the cPanel install is installing version 2.2 & NOT the newest version! Yes we have the install & update feature checked in WHM. I am going to submit a ticket now. Anyone else have this issue?

     
    #16 ThunderHostingDotCom, Mar 28, 2005
    Last edited: Mar 28, 2005
  17. BubbaGum

    BubbaGum Active Member

    Joined:
    Nov 10, 2004
    Messages:
    36
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Western US
    I was having the same issue with upgrades being behind the current.

    I finally had to uninstall it today, as 60 or so folks on our services have been compromised by the PayPal phishing attack through the script (it uploads a PHP mailer into the templates directory).
     
  18. ThunderHostingDotCom

    ThunderHostingDotCom Well-Known Member

    Joined:
    Nov 18, 2002
    Messages:
    450
    Likes Received:
    1
    Trophy Points:
    16
    Location:
    All over!
    It seems the issue I was having was due to xController not pointing to the correct install of AGB. I have brought this to Kosmo's attention & they said they will be updating it soon. Until then I had to manually upgrade AGB to version 2.3.1.
     