Xoops SQL fragment disclosure and SQL injection vulnerability

From: Cabezon Aurélien (aurelien.cabezonat_private)
Date: Tue Jan 29 2002 - 08:03:32 PST

  • Next message: William D. Colburn (aka Schlake): "Re: [VulnWatch] sastcpd Buffer Overflow and Format String Vulnerabilities" 

    -- [ Xoops SQL fragment disclose and SQL injection vulnerability ] --

Discovered on 27/01/2002
Vendor: http://xoops.sourceforge.net

-- [ Overview ] --

XOOPS is an open source portal script written extensively in object-oriented
PHP. Backed with MySQL Database.
There is 2 security issues :

- Xoops disclose SQL query.
- Xoops allow remote user to SQL query injection.

-- [ Description ] --

The userinfo.php script does not check for special meta-characters in user's
inputs

It is possible to make it crash using this kind of query :
http://xoops-site/userinfo.php?uid=1;

then it gives you this error report :

-snip-
MySQL Query Error: SELECT u.*, s.* FROM x_users u, x_users_status s WHERE
u.uid=1; AND u.uid=s.uid
Error number:1064
Error message: You have an error in your SQL syntax near '; AND u.uid=s.uid'
at line 1
ERROR
-snip-

It dicloses many informations that help to SQL injection attack...
Such as http://xoops-site/userinfo.php?uid=1[SQL Query]

More about SQL injection
http://www.owasp.org/projects/asac/iv-sqlinjection.shtml

No exploit is given, but it was successfully tested.
Xoops team has been alerted.

-- [ Tested Version ] --

Xoops RC1

-- [ Discovered by ] --

Cabezon Aurelien | aurelien.cabezonat_private
http://www.iSecureLabs.com | French Security portal

    This archive was generated by hypermail 2b30 : Tue Jan 29 2002 - 09:53:53 PST