Free Open-source Photo Gallery Piwigo <= v2.7.1 SQL Injection Vulnerability Analysis

Source: Internet
Author: User


Some time ago an SQL injection vulnerability in the free open-source photo gallery Piwigo, reported against versions <= 2.6.0, was disclosed. By the time it was announced Piwigo had already moved on to 2.7.1, but the bug was in fact an unpatched 0-day: it affects every Piwigo release up to and including 2.7.1.

The following is a test record against the official site:

I contacted the Piwigo authors about the vulnerability; they believed it had already been fixed. After I provided more details and a proof of concept, Piwigo soon released a new version.

Vulnerability Analysis

The vulnerability itself looks simple: the rate_picture function in functions_rate.inc.php does not sanitize the $rate parameter it receives and concatenates it directly into an SQL statement that is then executed. The code is as follows:

 

Why did Piwigo not notice such a simple problem, and why did they think the vulnerability had already been fixed? The key is that rate_picture does filter the $rate variable at the very start of the function, as follows:

 

It checks whether $rate is one of the items of $conf['rate_items'], an array whose values are written in the configuration file:

On its face this line implements a whitelist for the rate variable: it may only be one of 0, 1, 2, 3, 4 or 5, which should be safe. In fact it is not. With $rate = "5 'aaaaaaaaaaaaaaaaa", in_array($rate, $conf['rate_items']) still returns true. The cause is the way PHP loosely compares values of different types; the PHP manual's page on comparison operators describes the full rules.

In short, when a string is compared to an integer with "==", PHP 5.x and 7.x convert the string to a number first, taking its leading numeric prefix and discarding the rest, so "5 'aaaaaaaaaaaaaaaaa" == 5 is true. (PHP 8.0 changed this rule: a non-numeric string is no longer converted, the integer is cast to a string instead, and the same comparison is false there.)

Testing confirms that in_array uses the same loose "==" comparison unless its third argument, $strict, is set to true.

 

Using this behaviour therefore bypasses the in_array filter completely: any input can be spliced into the SQL statement as long as it starts with one of the numbers in the array (and, because 0 is one of them, on PHP 5.x/7.x a string with no leading digit at all compares equal to 0 and passes too). switch in PHP uses the same loose comparison and has the same weakness.
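To make the bypass concrete, here is an added example of my own (not Piwigo's code) that reproduces the shape of the check the article describes: an integer whitelist consulted through in_array() without the $strict flag, followed by string concatenation into an INSERT. The array $conf['rate_items'], the table name and the function names are placeholders, and the candidate inputs are constructed for the demonstration. It only builds the SQL text and needs no database.

```php
<?php
// Added example, not Piwigo's code. $conf['rate_items'], RATE_TABLE and the
// function names are placeholders chosen for this demonstration.

$conf = array(
    'rate'       => true,
    'rate_items' => array(0, 1, 2, 3, 4, 5), // integer whitelist from the config
);
define('RATE_TABLE', 'piwigo_rate');

/**
 * The whitelist check as the article describes it. in_array() is called
 * without its third ($strict) argument, so each item is compared with ==.
 */
function rateIsAllowedLoose($rate, array $items)
{
    return in_array($rate, $items);
}

/**
 * The vulnerable pattern: $rate is concatenated into the statement verbatim.
 * The other two values are cast to int only to keep the demo focused on $rate.
 */
function buildRateInsert($userId, $imageId, $rate)
{
    return 'INSERT INTO ' . RATE_TABLE . ' (user_id, element_id, rate, date) VALUES ('
         . (int)$userId . ', ' . (int)$imageId . ', ' . $rate . ', NOW())';
}

/** Runs every candidate through the loose check; returns [input, passed] rows. */
function evaluateCandidates(array $candidates, array $items)
{
    $rows = array();
    foreach ($candidates as $c) {
        $rows[] = array('input' => $c, 'passed' => rateIsAllowedLoose($c, $items));
    }
    return $rows;
}

// Constructed inputs for the demo (request parameters always arrive as strings).
$candidates = array(
    '5',                      // a legitimate rating
    "5 'aaaaaaaaaaaaaaaaa",   // the article's test value
    '5 AND 1=1',              // arbitrary SQL after the leading digit
    'abc',                    // no digit at all: 'abc' == 0 on PHP 5.x/7.x
    '7',                      // not in the whitelist: rejected on every version
);

echo 'PHP ' . PHP_VERSION . "\n";
foreach (evaluateCandidates($candidates, $conf['rate_items']) as $row) {
    printf("%-26s %s\n", var_export($row['input'], true),
           $row['passed'] ? 'PASSES the whitelist' : 'rejected');
    if ($row['passed']) {
        echo '    ' . buildRateInsert(42, 101, $row['input']) . "\n";
    }
}
// PHP 5.x/7.x: the first four inputs pass, because == converts the string to
// its leading numeric prefix (and a string with no digits becomes 0), so the
// payloads are spliced into the INSERT unchanged.
// PHP 8.0+: only '5' passes; 5 == "5 'aaa..." is now compared as strings.
```

Run it under PHP 7 and under PHP 8 to see the two behaviours side by side; the version line at the top of the output tells you which comparison rules were in effect.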

 

Vulnerability repair

Upgrade to the fixed release. In the new version on the official site, $rate is additionally validated with a regular expression that only admits digits. Chinese-developed programs commonly use intval() for the same purpose instead; either way, the value that reaches the query is guaranteed to be an integer.
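The following added example, again my own code rather than Piwigo's, places the loose check beside the two fixes named above (a digits-only regular expression and intval()) and beside a fix that looks right but is not: passing $strict = true to in_array() on the raw request value. The function names, the whitelist and the inputs are placeholders constructed for the demo.

```php
<?php
// Added example, not Piwigo's code: the loose check beside two ways of
// hardening it. Function names and the whitelist are placeholders.

$rateItems = array(0, 1, 2, 3, 4, 5);

/** Vulnerable: in_array() without $strict compares with == . */
function rateIsAllowedLoose($rate, array $items)
{
    return in_array($rate, $items);
}

/**
 * A tempting but wrong fix: strict in_array() on the raw request value.
 * Request parameters arrive as strings, so '5' !== 5 and every legitimate
 * rating is rejected. The check becomes useless rather than safe.
 */
function rateIsAllowedStrictRaw($rate, array $items)
{
    return in_array($rate, $items, true);
}

/**
 * Hardened: require a pure digit string (the regular-expression approach the
 * fix takes), then convert to int and compare strictly. Whatever passes is an
 * integer from the whitelist, so even plain concatenation into SQL cannot
 * alter the statement.
 */
function rateIsAllowedHardened($rate, array $items)
{
    if (!is_string($rate) && !is_int($rate)) {
        return false;                        // e.g. rate[]=5 arrives as an array
    }
    if (!preg_match('/^[0-9]+$/', (string)$rate)) {
        return false;                        // "5 'aaa", "5 AND 1=1", "abc"
    }
    return in_array((int)$rate, $items, true);
}

/**
 * The intval() alternative: returns the integer to use, or null. Equally safe
 * for the query, but it silently turns "5 'aaa" into 5 and a non-empty array
 * into 1 instead of rejecting them, so rejecting is the clearer choice.
 */
function rateViaIntval($rate, array $items)
{
    $n = intval($rate);
    return in_array($n, $items, true) ? $n : null;
}

/** Runs each input through all four checks; returns one row per input. */
function compareChecks(array $inputs, array $items)
{
    $rows = array();
    foreach ($inputs as $in) {
        $rows[] = array(
            'input'     => $in,
            'loose'     => rateIsAllowedLoose($in, $items),
            'strictRaw' => rateIsAllowedStrictRaw($in, $items),
            'hardened'  => rateIsAllowedHardened($in, $items),
            'intval'    => rateViaIntval($in, $items),
        );
    }
    return $rows;
}

// Constructed inputs: legitimate, the article's payload, arbitrary SQL after the
// digit, no digit, out of range, and an array smuggled in via rate[]=5.
$inputs = array('5', "5 'aaaaaaaaaaaaaaaaa", '5 AND 1=1', 'abc', '7', array('5'));

printf("%-26s %-8s %-10s %-9s %s\n", 'input', 'loose', 'strictRaw', 'hardened', 'intval');
foreach (compareChecks($inputs, $rateItems) as $r) {
    printf("%-26s %-8s %-10s %-9s %s\n",
        json_encode($r['input']),
        $r['loose']     ? 'pass' : 'reject',
        $r['strictRaw'] ? 'pass' : 'reject',
        $r['hardened']  ? 'pass' : 'reject',
        $r['intval'] === null ? 'reject' : 'uses ' . $r['intval']);
}
// Expected on any version: hardened passes only '5'; strictRaw rejects even '5';
// intval uses 5 for the first three, 0 for 'abc', 1 for the array, rejects '7'.
// loose passes the first four on PHP 5.x/7.x and only '5' on PHP 8.0+.
```

Whichever check you adopt, the safest habit is still to bind the validated integer as a parameter of a prepared statement rather than concatenating it; the validation then protects the application logic, and the parameter binding protects the SQL.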

 
