AppSec Blog

Spot the Vuln - Third - SQL Injection


Affected Software: Ninja Announcements

Fixed in Version: 1.3

Issue Type: SQL Injection

Original Code: Found Here


Lots of potential issues here, but we'll focus on what was patched. Here we have a basic SQL injection vulnerability. The bug is the simplest example of tracing a variable from assignment to usage. On line 54, $ninja_annc_id is assigned a value directly from the user/attacker-controlled $_REQUEST['ninja_annc_id']. On the very next line, the developer uses the tainted $ninja_annc_id to build a SQL statement by string concatenation.
The developers addressed this issue by replacing the dynamically built SQL statement with a prepared statement. Prepared statements are the preferred method for handling SQL queries that may contain tainted values.
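To make the difference concrete, here is an added example (not code from the Ninja Announcements plugin) that reproduces the plugin's lookup pattern twice: once built by string concatenation, as in the vulnerable line, and once with a bound parameter, as in the fix. It assumes PHP with PDO and the SQLite driver, and uses an in-memory database plus a constructed table in place of WordPress's $wpdb; the integer cast stands in for what $wpdb->prepare()'s %d placeholder does to its argument.

```php
<?php
// Added example (not Ninja Announcements code): the plugin's edit-handler
// lookup, written once with string-built SQL and once with a bound parameter.
// Uses PDO + in-memory SQLite in place of WordPress's $wpdb.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed table and sample rows standing in for $ninja_annc_table_name.
$ninja_annc_table_name = 'ninja_annc';
$pdo->exec("CREATE TABLE $ninja_annc_table_name (id INTEGER PRIMARY KEY, message TEXT)");
$pdo->exec("INSERT INTO $ninja_annc_table_name (id, message) VALUES (1, 'first'), (2, 'second')");

// Vulnerable form: the request value is interpolated into the SQL text, so the
// value can change the query's structure rather than just supplying data.
function get_row_dynamic(PDO $pdo, string $table, string $ninja_annc_id): array
{
    $sql = "SELECT * FROM $table WHERE id = $ninja_annc_id";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Fixed form: the SQL text is constant and the value travels as a bound
// integer parameter. The (int) cast mirrors $wpdb->prepare()'s %d handling.
// Returns null when no row matches, so the caller can check before indexing.
function get_row_prepared(PDO $pdo, string $table, string $ninja_annc_id): ?array
{
    $stmt = $pdo->prepare("SELECT * FROM $table WHERE id = :id");
    $stmt->bindValue(':id', (int) $ninja_annc_id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed request values: a normal id and the classic tautology that the
// original string-built query would have accepted as part of the WHERE clause.
$normal  = '1';
$tainted = '1 OR 1=1';

$rows = get_row_dynamic($pdo, $ninja_annc_table_name, $tainted);
printf("dynamic SQL with %s -> %d row(s)\n", var_export($tainted, true), count($rows));
// prints 2: the WHERE clause no longer restricts the result.

$row = get_row_prepared($pdo, $ninja_annc_table_name, $tainted);
printf("prepared SQL with %s -> id %d only\n", var_export($tainted, true), $row['id']);
// prints 1: the value was reduced to the integer 1 before reaching the database.

$row = get_row_prepared($pdo, $ninja_annc_table_name, $normal);
printf("prepared SQL with %s -> message '%s'\n", var_export($normal, true), $row['message']);

var_dump(get_row_prepared($pdo, $ninja_annc_table_name, '999')); // NULL: no such announcement
```

Two points carry over to the $wpdb version: prepare() binds values only, never identifiers, so the table name must stay out of request input (in the plugin it is an internal variable, which is fine), and get_row() returns null for a missing id, so the result should be checked before its fields are read.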

Developer's Solution

insert( $ninja_annc_table_name, array( 'begindate' => $ninja_annc_begindate, 'enddate' => $ninja_annc_enddate, 'message' => $ninja_annc_message, 'active' => '0', 'location' => $ninja_annc_location ) ); }else{ $wpdb->update( $ninja_annc_table_name, array( 'begindate' => $ninja_annc_begindate, 'enddate' => $ninja_annc_enddate, 'message' => $ninja_annc_message, 'location' => $ninja_annc_location ), array( 'id' => $ninja_annc_id )); } echo "window.location = '".$admin_url."'"; } // END submit handling if() //This if...else() statement handles the nuts and bolts of our html output. //Eventually it will be replaced by a switch(). //Flow goes: Edit Announcement? -> New Announcement? -> Table. //This part of our If...else statement creates the editing HTML if($_REQUEST['action'] == 'edit') { //BEGIN edit handling if() $ninja_annc_id = $_REQUEST['ninja_annc_id']; -$ninja_annc_row = $wpdb->get_row("SELECT * FROM $ninja_annc_table_name WHERE id = $ninja_annc_id", ARRAY_A); +$ninja_annc_row = $wpdb->get_row( +$wpdb->prepare( "SELECT * FROM $ninja_annc_table_name WHERE id = %d", $ninja_annc_id), ARRAY_A); $ninja_annc_id = $ninja_annc_row['id']; $ninja_annc_location = $ninja_annc_row['location']; $ninja_annc_message = stripslashes($ninja_annc_row['message']); $ninja_annc_begin = $ninja_annc_row['begindate']; $ninja_annc_end = $ninja_annc_row['enddate']; $rightnow = current_time("timestamp"); if($ninja_annc_end != 0){ $ninja_annc_begindate = date("m/d/Y", $ninja_annc_begin); $ninja_annc_begintimehr = date("g", $ninja_annc_begin); $ninja_annc_begintimemin = date("i", $ninja_annc_begin); $ninja_annc_begintimeampm = date("a", $ninja_annc_begin); $ninja_annc_enddate = date("m/d/Y", $ninja_annc_end); $ninja_annc_endtimehr = date("g", $ninja_annc_end); $ninja_annc_endtimemin = date("i", $ninja_annc_end); $ninja_annc_endtimeampm = date("a", $ninja_annc_end); }else{ $ninja_annc_ignore = 1; $ninja_annc_begindate = date("m/d/Y", $rightnow); $ninja_annc_enddate = date("m/d/Y", $rightnow); } 
//$ninja_annc_begindate = $ninja_annc_begindate.' '.$ninja_annc_begintimehr.':'.$ninja_annc_begintimemin.$ninja_annc_begintimeampm; //echo $ninja_annc_begindate; wp_tiny_mce( false, // true makes the editor "teeny" array( "theme_advanced_path" => false ) ); wp_tiny_mce_preload_dialogs(); ?>

Edit Announcement - ID:

<input type="hidden" name="ninja_annc_id" value=""> Ignore Dates: <input type="checkbox" name="ignoredates" id="ignoredates" value="checked" > Begin Date: <input type="text" class="date" name="begindate" id="begindate" value="" > Time: <select name="begintimehr" id="begintimehr" class="time" > <?php $x = 1; while($x <= 12){ echo "<option"; if($x $x"; $x++; } ?> ...snip... ?>
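Review bot: the %d placeholder in $wpdb->prepare() is the right choice for the id lookup, since it reduces the argument to an integer, but the line right after the replaced get_row() call still reads $ninja_annc_row['id'] without checking the result; when the requested id does not exist, $wpdb->get_row() returns null and the following assignments index a non-array. Suggest guarding with something like `if ( null === $ninja_annc_row ) { return; }` before the row's fields are used. Note also that $ninja_annc_table_name remains interpolated into the query text; prepare() binds values, not identifiers, so that variable must never be derived from request input. Finally, the handler dispatches on $_REQUEST['action'], which merges GET, POST and cookie data; reading from the specific superglobal the form submits to would narrow the input surface.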
