
Author Topic: [XBTIT VULNERABILITY] xbtit "uid" Cookie SQL Injection Vulnerability  (Read 24842 times)

Offline Lupin

  • Administrator
  • Hero Member
  • *****
  • Posts: 10,973
    • http://www.btiteam.org
A vulnerability has been discovered in xbtit, which can be exploited by malicious people to conduct SQL injection attacks.

Input passed via the "uid" cookie to the "userlogin()" function in include/functions.php is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.


very quick and easy fix:
in functions.php find
Code: [Select]
 $uid=max(0,$CURUSER['uid']);
replace with
Code: [Select]
 $uid=max(1,(int)$CURUSER['uid']);
and replace this string:
Code: [Select]
$id = (!isset($_COOKIE['uid']))?1:max(1, $_COOKIE['uid']);
to:

Code: [Select]
$id = (!isset($_COOKIE['uid']))?1:max(1, (int)$_COOKIE['uid']);
« Last Edit: April 28, 2010, 10:17:05 AM by Lupin »
Please don't PM me about question already asked in forum!

Help or support requested using PM will be billed 50 euros/hour, minimum 1 hour; support on forum is free.

locker

  • Guest
and replace this string:
Code: [Select]
$id = (!isset($_COOKIE['uid']))?1:max(1, $_COOKIE['uid']);
to:

Code: [Select]
$id = (!isset($_COOKIE['uid']))?1:max(1, (int)$_COOKIE['uid']);

Offline Peace_Maker

  • Full Member
  • ***
  • Posts: 164
    • Arabian Open Tracker
and replace this string:
Code: [Select]
$id = (!isset($_COOKIE['uid']))?1:max(1, $_COOKIE['uid']);
to:

Code: [Select]
$id = (!isset($_COOKIE['uid']))?1:max(1, (int)$_COOKIE['uid']);

Thanks, but can one of the staff confirm this alteration?

zooforum

  • Guest
Lupin, I already did the patch you have above from the announcement on the private forum, but did not see anything like the reply by locker on changing that line in the code.

Offline Peace_Maker

  • Full Member
  • ***
  • Posts: 164
    • Arabian Open Tracker
Re: [XBTIT VULNERABILITY] xbtit "uid" Cookie SQL Injection Vulnerability
« Reply #4 on: April 13, 2010, 12:26:03 AM »
One of the fixes is to force the variable to be an integer (since a PHP variable's type can be changed on the fly); locker is forcing $_COOKIE['uid'] to be an integer, which won't do any harm (but brings more protection).
« Last Edit: April 13, 2010, 12:43:09 AM by Peace_Maker »
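
Added example, not part of the original thread and not xbtit's own code: it runs the unpatched and patched expressions quoted above over constructed cookie values, to show that max() compares its arguments without converting them, so only the (int) cast guarantees an integer result. The function names, the sample values and the stricter uid_strict() variant are assumptions made for illustration.

```php
<?php
// Added example: constructed cookie values, not taken from xbtit.

// Pre-fix expression from the thread. max() compares but never converts,
// so a string (or array) that wins the comparison is returned unchanged.
function uid_unpatched(array $cookies) {
    return (!isset($cookies['uid'])) ? 1 : max(1, $cookies['uid']);
}

// Patched expression from the thread. The cast runs before max(),
// so the result is always an integer >= 1.
function uid_patched(array $cookies): int {
    return (!isset($cookies['uid'])) ? 1 : max(1, (int)$cookies['uid']);
}

// Stricter variant (an assumption, not from the thread): accept only
// strings made of decimal digits, otherwise fall back to id 1, the
// value the thread's code uses when no cookie is set.
function uid_strict(array $cookies): int {
    $raw = $cookies['uid'] ?? '';
    if (!is_string($raw) || !ctype_digit($raw)) {
        return 1;
    }
    return max(1, (int)$raw);
}

// Constructed sample cookies.
$samples = [
    [],                  // no uid cookie at all
    ['uid' => '42'],     // well-formed id
    ['uid' => '7abc'],   // digits followed by other characters
    ['uid' => '-3'],     // negative number
    ['uid' => ['x']],    // "uid[]=x" arrives as an array
];

// json_encode() keeps the type visible: strings print with quotes.
foreach ($samples as $cookies) {
    printf("%-16s unpatched=%-8s patched=%d strict=%d\n",
        json_encode($cookies),
        json_encode(uid_unpatched($cookies)),
        uid_patched($cookies),
        uid_strict($cookies));
}
```

For '7abc' the unpatched expression hands the whole string on to the query, the patched one truncates it to 7, and the strict variant rejects it and falls back to 1.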

Offline Lupin

  • Administrator
  • Hero Member
  • *****
  • Posts: 10,973
    • http://www.btiteam.org
Confirmed, I asked locker to make the post.

treat24

  • Guest
A vulnerability has been discovered in xbtit, which can be exploited by malicious people to conduct SQL injection attacks.

Input passed via the "uid" cookie to the "userlogin()" function in include/functions.php is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.


very quick and easy fix:
in functions.php find
Code: [Select]
  $uid=max(0,$CURUSER['uid']);
replace with
Code: [Select]
  $uid=max(1,(int)$CURUSER['uid']);


thx for fix update.... I can't find the code in functions.php, I even tried searching for a piece of the code but nothing ???

Does it even apply to 1.4.8?

please help

Offline friendly

  • xbtiteam
  • Hero Member
  • ****
  • Posts: 718
    • Friendly Styles
the fix is for xbtit 2.0 m8, it won't affect btit 1.4.8  ;)
(http://friendlystyles.co.uk/)

locker

  • Guest
no, it's affected and to last version of Btit

simple fix like in xBtit

- open include/function.php
- find:
Code: [Select]
$id = max(1 ,$_COOKIE["uid"]);
- replace to:
Code: [Select]
$id = max(1 ,(int)$_COOKIE["uid"]);

treat24

  • Guest
good looking out locker :)

just got it replaced

Thx

dadohannibal

  • Guest
Re: [XBTIT VULNERABILITY] xbtit "uid" Cookie SQL Injection Vulnerability
« Reply #10 on: April 18, 2010, 12:32:34 PM »
Hi all
I don't have this
Code: [Select]
$id = max(1 ,$_COOKIE["uid"]);
I've
Code: [Select]
  // guest
    $id = (!isset($_COOKIE['uid']))?1:max(1, $_COOKIE['uid']);
and this
Code: [Select]
  if (!isset($_COOKIE['pass'])) $_COOKIE['pass'] = '';
  if (($_COOKIE['pass']!=md5($row['random'].$row['password'].$row['random'])) && $id!=1)

Any help?
Thanks :)

locker

  • Guest
Re: [XBTIT VULNERABILITY] xbtit "uid" Cookie SQL Injection Vulnerability
« Reply #11 on: April 18, 2010, 03:51:51 PM »
dadohannibal and for others - read this, before asking )
===============================================================
if you have xBtit:

very quick and easy fix:
in functions.php find
Code: [Select]
  $uid=max(0,$CURUSER['uid']);
replace with
Code: [Select]
  $uid=max(1,(int)$CURUSER['uid']);

and replace this string:
Code: [Select]
$id = (!isset($_COOKIE['uid']))?1:max(1, $_COOKIE['uid']);
to:
Code: [Select]
$id = (!isset($_COOKIE['uid']))?1:max(1, (int)$_COOKIE['uid']);

===============================================================

if you have Btit:

- open include/function.php
- find:
Code: [Select]
$id = max(1 ,$_COOKIE["uid"]);
- replace to:
Code: [Select]
$id = max(1 ,(int)$_COOKIE["uid"]);

===============================================================

dadohannibal

  • Guest
Re: [XBTIT VULNERABILITY] xbtit "uid" Cookie SQL Injection Vulnerability
« Reply #12 on: April 18, 2010, 04:52:08 PM »
I've read all the posts, and I remember $id not $uid.
But no matter :)
Thanks:)


Offline BlackDragon

  • Sr. Member
  • ****
  • Posts: 340
  • /!\ Access Denied /!\
    • P2PlaneT.NeT
can we do this change on xbtitFM or not ?

Offline cdx1

  • xbtiteam
  • Hero Member
  • ****
  • Posts: 851
  • RUNNING: Xbitfm V1.12/modded xbt backend
don't worry about xbtitfm, it's protected  ;)

can we do this change on xbtitFM or not ?

this is for them who steal xbtit private hacks ----> ┌∩┐(◣_◢)┌∩┐


 
