Free Open-source album piwio & amp; lt; = v2.7.1 SQL Injection Vulnerability Analysis

Free Open-source album piwio & lt; = v2.7.1 SQL Injection Vulnerability Analysis

Some time ago, a piwio <= 2.6.0sql injection vulnerability exists in the free open-source album piwiopwio. When the vulnerability was announced, piwio was updated to 2.7.1. However, the vulnerability was published on a real 0-day basis, affecting the entire piwigo version.

The following is a test record on the official website:

Communicate with piwio authors to learn about the vulnerability and think it has been fixed. After providing them with more details and proofs, piwigo soon released the new version.

Vulnerability Analysis

The vulnerability analysis looks simple because the rate_picture function in the functions_rate.inc.php file does not filter the passed $ rate variable and is directly spliced into SQL for execution. The Code is as follows:

 

Why is this simple problem not found by piwigo and I think this vulnerability has been fixed. The key lies in the fact that there is a filter for the $ rate variable starting with the rate_picture function. As follows:

 

Determine whether $ rate is an item of $ conf ['rate _ items. The values of the following array are written to the configuration file.

It seems that the function of this sentence is to set a rate variable whitelist. It can only be one of 0, 1, 2, 3, 4, 5. This should be safe. Of course, it turns out that writing like this is not safe. When $ rate = "5 'aaaaaaaaaaaaaaaaa", in_array ($ rate, $ conf ['rate _ items ']) returns True. This is a feature for comparing different types of variables in php. For more information about the features of php comparison operators, see here.

In short, when the string is compared with the integer variable "=", the string is converted to an integer before comparison.

Tests show that the logic of the in_array method is the same as that of "=.

 

Therefore, using this feature is equivalent to full bypass in_array filtering. You can input arbitrary data and splice it into an SQL statement, as long as it starts with a number in the array. In addition, the switch in php also has similar features.

 

Vulnerability repair

Upgrade the version. In the new version of the official website, I used regular expressions to judge $ rate again. Only numbers are allowed. In other words, Chinese programs generally use intval.