Title: phpDenora <= 1.4.6 Multiple SQL Injection Vulnerabilities
Author: P. de Brouwer-KnickLighter
Software: phpDenora <= 1.4.6
Download: http://sourceforge.net/projects/phpdenora/files/phpDenora/1.4.6/
Vendor: Denorastats
+ --=[ 0x01 - Program Overview

phpDenora is the web frontend to the Denora Stats Server. It provides a complete, nice-looking and solid interface featuring detailed network, channel and user statistics, graphical output, multilanguage and template systems, all following modern web standards.
+ --=[ 0x02 - Defect Description

This software contains multiple SQL injection vulnerabilities in the file "line.php". Although the variables appear to be partially filtered through htmlspecialchars(), in practice these parts remain vulnerable.
+ --=[ 0x03 - Impact

The impact of this vulnerability should be considered high risk, as attackers have the ability to manipulate the database and eventually take over the machine that is running this software.
+ --=[ 0x04 - Affected Versions

Although the vendor published a security release on 13 December 2011, no vulnerability details were disclosed on the vendor's website. All versions up to 1.4.6 are presumed vulnerable, as the issues have been fixed in version 1.4.7.
+ --=[ 0x06 - Proof of Concept (PoC)

Here is a part of the code (lines 74-81):

// Get start date
$start['year']  = isset($_GET['sy']) ? htmlspecialchars($_GET['sy']) : date('Y');
$start['month'] = isset($_GET['sm']) ? htmlspecialchars($_GET['sm']) : date('m');
$start['day']   = isset($_GET['sd']) ? htmlspecialchars($_GET['sd']) : date('d');
// Get end date
$end['year']  = isset($_GET['ey']) ? htmlspecialchars($_GET['ey']) : date('Y');
$end['month'] = isset($_GET['em']) ? htmlspecialchars($_GET['em']) : date('m');
$end['day']   = isset($_GET['ed']) ? htmlspecialchars($_GET['ed']) : date('d');
The injections, according to the code, start at lines 216 and 218, where the htmlspecialchars()-filtered values are concatenated straight into the query strings:

$sidq = sql_query("SELECT `id` FROM $table WHERE year = '" . $start['year'] . "'
    AND month = '" . $start['month'] . "' AND day = '" . $start['day'] . "'");
$eidq = sql_query("SELECT `id` FROM $table WHERE year = '" . $end['year'] . "'
    AND month = '" . $end['month'] . "' AND day = '" . $end['day'] . "'");
The result of the injected statements would eventually be returned to the user within a PNG image.

The file that contains the vulnerabilities is located within the phpDenora folder:

/libs/phpdenora/graphs/line.php

An attacker could abuse this vulnerability using an injection like the following:

http://[host]/phpdenora/libs/phpdenora/graphs/line.php?sm=2&em=11&ey=2011&size=small&sd=6&theme=futura&lang=tr&mode=servers&sy=2011&ed=[SQLi]
Solution: fixed filtering (see 0x04; the issues are fixed in version 1.4.7).
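A hardened version of the date handling quoted above, as an added example and not phpDenora's own code: it validates the sy/sm/sd/ey/em/ed values as bounded integers and binds them in a prepared statement instead of relying on htmlspecialchars(). It assumes a PDO connection and uses placeholder table names for the whitelist.

```php
<?php
// Hardened replacement for the date-parameter handling in line.php (added
// example, not phpDenora's code). htmlspecialchars() is an HTML-output
// escape and, with the ENT_COMPAT default of the time, left the single
// quote untouched, so a quoted SQL literal could still be closed.
// Defence: bounded-integer validation, table whitelist, bound parameters.

// Return $get[$key] as an int within [$min, $max], else $default.
function dateComponent(array $get, string $key, int $min, int $max, int $default): int
{
    if (!isset($get[$key]) || !ctype_digit((string) $get[$key])) {
        return $default;          // absent or non-numeric: never reaches SQL
    }
    $value = (int) $get[$key];
    return ($value >= $min && $value <= $max) ? $value : $default;
}

// Build the $start / $end arrays the graph code expects, from validated input.
function parseDateRange(array $get): array
{
    $range = [];
    foreach (['start' => 's', 'end' => 'e'] as $name => $prefix) {
        $range[$name] = [
            'year'  => dateComponent($get, $prefix . 'y', 1970, 9999, (int) date('Y')),
            'month' => dateComponent($get, $prefix . 'm', 1, 12, (int) date('m')),
            'day'   => dateComponent($get, $prefix . 'd', 1, 31, (int) date('d')),
        ];
    }
    return $range;
}

// Look up the row id for one date with bound parameters. A table name
// cannot be bound, so it must come from a fixed whitelist (placeholder
// names below; substitute the real stats tables).
function lookupDateId(PDO $pdo, string $table, array $date): ?int
{
    $allowed = ['example_servers_table', 'example_channels_table'];
    if (!in_array($table, $allowed, true)) {
        throw new InvalidArgumentException('unexpected table name');
    }
    $stmt = $pdo->prepare("SELECT `id` FROM `$table` WHERE year = :y AND month = :m AND day = :d");
    $stmt->execute([':y' => $date['year'], ':m' => $date['month'], ':d' => $date['day']]);
    $id = $stmt->fetchColumn();
    return $id === false ? null : (int) $id;
}

// Constructed sample request mirroring the PoC URL: the stray quote in 'ed'
// (which htmlspecialchars() would have passed) fails ctype_digit() and
// falls back to today's day.
$range = parseDateRange(['sy' => '2011', 'sm' => '2', 'sd' => '6',
                         'ey' => '2011', 'em' => '11', 'ed' => "6'"]);
```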