[XBTIT VULNERABILITY] xbtit "uid" Cookie SQL Injection Vulnerability

[Lupin]

A vulnerability has been discovered in xbtit, which can be exploited by malicious people to conduct SQL injection attacks.

Input passed via the "uid" cookie to the "userlogin()" function in include/functions.php is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.


very quick and easy fix:
in functions.php find

Code:

 $uid=max(0,$CURUSER['uid']);

replace with

Code:

 $uid=max(1,(int)$CURUSER['uid']);

and replace this string:

Code:

$id = (!isset($_COOKIE['uid']))?1:max(1, $_COOKIE['uid']);

to:

Code:

$id = (!isset($_COOKIE['uid']))?1:max(1, (int)$_COOKIE['uid']);

[locker]

and replace this string:

Code:

$id = (!isset($_COOKIE['uid']))?1:max(1, $_COOKIE['uid']);

to:

Code:

$id = (!isset($_COOKIE['uid']))?1:max(1, (int)$_COOKIE['uid']);

[Peace_Maker]

and replace this string:

Code:

$id = (!isset($_COOKIE['uid']))?1:max(1, $_COOKIE['uid']);

to:

Code:

$id = (!isset($_COOKIE['uid']))?1:max(1, (int)$_COOKIE['uid']);

thanks, but can one of the staff confirm this alteration.

[zooforum]

Lupin, I already did the patch you have above from the announcement on the private forum, but did not see anything like the reply by locker on changing that line in the code.

[Peace_Maker]

one of the fix is to force the variable to be an integer (sine php variable type could be changed on the fly), locker is forcing $_COOKIE['uid'] to be an integer, which wont do any harm (but bring on more protection.

[Lupin]

Confirmed, I asked locker to made the post.

[treat24]

A vulnerability has been discovered in xbtit, which can be exploited by malicious people to conduct SQL injection attacks.

Input passed via the "uid" cookie to the "userlogin()" function in include/functions.php is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.


very quick and easy fix:
in functions.php find

Code:

  $uid=max(0,$CURUSER['uid']);

replace with

Code:

  $uid=max(1,(int)$CURUSER['uid']);

thx for fix update.... i cant find the code on functions.php, i even tried searching a piece of the code but nothing

Does it even apply to 1.4.8?

please help

[friendly]

the fix is for xbtit 2.0 m8 it wont affect btit 1.4.8 

[locker]

no, it's affected and to last version of Btit

simple fix like in xBtit

- open include/function.php
- find:

Code:

$id = max(1 ,$_COOKIE["uid"]);

- replace to:

Code:

$id = max(1 ,(int)$_COOKIE["uid"]);

[treat24]

good looking out locker

just got it replaced

Thx

[dadohannibal]

Hi all
I don't have this

Code:

$id = max(1 ,$_COOKIE["uid"]);

I've

Code:

  // guest
    $id = (!isset($_COOKIE['uid']))?1:max(1, $_COOKIE['uid']);

and this

Code:

  if (!isset($_COOKIE['pass'])) $_COOKIE['pass'] = '';
  if (($_COOKIE['pass']!=md5($row['random'].$row['password'].$row['random'])) && $id!=1)

Any help?
Thanks

[locker]

dadohannibal and for others - read this, before asking )
===============================================================
if you have xBtit:

very quick and easy fix:
in functions.php find

Code:

  $uid=max(0,$CURUSER['uid']);

replace with

Code:

  $uid=max(1,(int)$CURUSER['uid']);

and replace this string:

Code:

$id = (!isset($_COOKIE['uid']))?1:max(1, $_COOKIE['uid']);

to:

Code:

$id = (!isset($_COOKIE['uid']))?1:max(1, (int)$_COOKIE['uid']);

===============================================================

if you have Btit:

- open include/function.php
- find:

Code:

$id = max(1 ,$_COOKIE["uid"]);

- replace to:

Code:

$id = max(1 ,(int)$_COOKIE["uid"]);

===============================================================

[dadohannibal]

I've readed all the posts, and I remember $id not $uid.
But no matter
Thanks:)

[BlackDragon]

can we do this change on xbtitFM or not ?

[cdx1]

dont worry about xbtitfm its protected 

can we do this change on xbtitFM or not ?