AppSec Blog

Spot the Vuln - Money - SQL Injection

Details

Affected Software: Surfnet IDS

Fixed in Version: 1.03.07

Issue Type: SQL Injection

Original Code: Found Here

Description

There were a couple of SQL injection bugs here. Beginning at line 35, we see that the Surfnet IDS developers have accepted three POST parameters and have assigned tainted values to three different variables: $keyname, $vlanid, $action. $keyname is eventually passed to three different dynamic SQL queries, all of which result in SQL injection. Those queries can be seen on lines 52, 59, and 69. $vlanid is passed to a dynamic SQL query, resulting in SQL injection. This dynamic query can be seen on line 59. Finally, $action is passed to a dynamic SQL statement, resulting in yet another SQL injection bug. This dynamic query can be found on line 69. All of the bugs were straightforward SQL injection bugs and should have been caught early in the dev cycle.

The developers addressed the issue by escaping and/or validating all of the POST parameters before using those values in SQL statements.
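To make the two approaches concrete, here is an added example (not Surfnet IDS code) that puts the page's vulnerable pattern next to a hardened version. Instead of escaping and concatenating as the project's patch does, it uses `pg_query_params`, which ships the SQL text and the data to PostgreSQL separately. The `$pgconn` handle, the `sensors` table with its `keyname`, `vlanid`, `tapip` and `action` columns, and the action vocabulary are taken from the page; the function names are this example's own.

```php
<?php
// Added example, not Surfnet IDS code. Assumes $pgconn is an open pgsql
// connection and a sensors table with columns keyname, vlanid, tapip, action.

// --- Vulnerable: tainted POST values interpolated straight into the SQL text ---
function update_action_vulnerable($pgconn, array $post)
{
    $keyname = $post['keyname'];   // tainted, user controlled
    $action  = $post['action'];    // tainted, user controlled
    // A single quote inside $keyname or $action ends the string literal, and
    // everything after it is parsed by the server as SQL.
    $sql = "UPDATE sensors SET action = '" . $action . "' WHERE keyname = '" . $keyname . "'";
    return pg_query($pgconn, $sql);
}

// --- Hardened: whitelist the fixed vocabulary, cast integers, bind the rest ---

// The action values the page's patch allows in its regex.
const ACTION_ALLOWED = ['NONE', 'REBOOT', 'SSHOFF', 'SSHON', 'CLIENT', 'RESTART', 'BLOCK'];

function update_action_hardened($pgconn, array $post)
{
    // A missing parameter is a rejected request, not an undefined-index notice
    // followed by a query that runs with an empty keyname.
    if (!isset($post['keyname'], $post['vlanid'], $post['action'])) {
        return false;
    }
    $keyname = $post['keyname'];
    $vlanid  = (int) $post['vlanid'];   // only digits can survive the cast
    $action  = $post['action'];

    // action comes from a fixed set, so compare against the set (strict, so no
    // type juggling) rather than escaping free text.
    if (!in_array($action, ACTION_ALLOWED, true)) {
        return false;
    }

    // $1..$3 are bind placeholders, not PHP interpolation (single-quoted string).
    // The server receives the values out of band and never parses them as SQL,
    // so quoting, escaping and connection encoding no longer matter here.
    $sql = 'UPDATE sensors SET action = $1 WHERE keyname = $2 AND vlanid = $3';
    return pg_query_params($pgconn, $sql, [$action, $keyname, $vlanid]);
}

// The page's duplicate tapip check, done the same way: two bound parameters,
// no string building at all.
function tapip_in_use_elsewhere($pgconn, string $tapip, string $keyname): bool
{
    $res = pg_query_params(
        $pgconn,
        'SELECT 1 FROM sensors WHERE tapip = $1 AND keyname <> $2',
        [$tapip, $keyname]
    );
    return $res !== false && pg_num_rows($res) > 0;
}
```

The escaping route the patch takes is only safe while every interpolated value stays wrapped in single quotes and `pg_escape_string` is called against the same connection (and thus the same client encoding) the query runs on; the bound-parameter route removes both conditions, which is why it is the form to reach for first.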

Developers' Solution

<?php ...snip... include '../include/config.inc.php'; include '../include/connect.inc.php'; include '../include/functions.inc.php'; session_start(); header("Cache-control: private"); if (!isset($_SESSION['s_admin'])) { pg_close($pgconn); $address = getaddress($web_port); header("location: ${address}login.php"); exit; } $s_org = intval($_SESSION['s_org']); $s_admin = intval($_SESSION['s_admin']); $s_access = $_SESSION['s_access']; $s_access_sensor = intval($s_access{0}); if ($s_access_sensor == 0) { $m = 90; pg_close($pgconn); header("location: sensorstatus.php?selview=$selview&m=$m"); exit; } if (isset($_GET['selview'])) { $selview = intval($_GET['selview']); } $error = 0; -$keyname = $_POST['keyname']; -$vlanid = $_POST['vlanid']; -$action = $_POST['action']; -if (isset($_POST[tapip])) { +$keyname = pg_escape_string($_POST['keyname']); +$vlanid = intval($_POST['vlanid']); +$action = pg_escape_string($_POST['action']); +$action_pattern = '/^(NONE|REBOOT|SSHOFF|SSHON|CLIENT|RESTART|BLOCK)$/'; +if (preg_match($action_pattern, $action) != 1) { + $m = 44; + $error = 1; +} + +if (isset($_POST[tapip]) && $error != 1) { $tapip = pg_escape_string(stripinput($_POST[tapip])); if (preg_match($ipregexp, $tapip)) { $sql_checkip = "SELECT tapip FROM sensors WHERE tapip = '$tapip' AND NOT keyname = '$keyname'"; $result_checkip = pg_query($pgconn, $sql_checkip); $checkip = pg_num_rows($result_checkip); if ($checkip > 0) { $m = 101; $error = 1; } else { $sql_updatestatus = "UPDATE sensors SET tapip = '$tapip' WHERE keyname = '$keyname' AND vlanid ='$vlanid'"; $result_updatestatus = pg_query($pgconn, $sql_updatestatus); $m = 7; } } else { $m = 102; $error = 1; } } if ($error == 0) { $sql_updatestatus = "UPDATE sensors SET action = '" .$action. 
"' WHERE keyname = '$keyname'"; $result_updatestatus = pg_query($pgconn, $sql_updatestatus); $m = 7; } pg_close($pgconn); if ($m != 1) { header("location: sensorstatus.php?selview=$selview&m=$m&key=$keyname"); } else { header("location: sensorstatus.php?selview=$selview&m=$m"); } ?>
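Review bot: The `+` lines still assemble all three queries by string concatenation and rely on escaping alone; `pg_escape_string($_POST['keyname'])` and `pg_escape_string($_POST['action'])` are called without `$pgconn`, so they escape with whichever connection was opened last rather than the one `pg_query($pgconn, ...)` uses, and the result is only safe as long as every use of `$keyname` stays inside single quotes. Prefer `pg_query_params($pgconn, 'UPDATE sensors SET action = $1 WHERE keyname = $2', [$action, $keyname])` and the same form for the `SELECT tapip` and `UPDATE sensors SET tapip` queries, which also makes the `pg_escape_string` calls unnecessary. Two smaller points in the same hunk: `$_POST[tapip]` (kept from the `-` line) uses an unquoted constant and should be `$_POST['tapip']`, and `$_POST['keyname']` is read without `isset`, so a request that omits it runs the final `UPDATE ... WHERE keyname = ''` once `$action` passes the regex.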
