Users login

Create an account »

JOIN XATRIX

Users login

Home » Hacking News » WebChat for XOOPS RC3 SQL INJECTION

WebChat for XOOPS RC3 SQL INJECTION

by Nikola Strahija on November 12th, 2002 Text available at http://www.phpsecure.org/tutos/webchat.1-5.xoops.rc3.sql.injection.txt Patch available on phpsecure.org


XOOPS RC3 WebChat Module SQL Injection

Tested with : Xoops RC3
WebChat 1-5
Author : val2 - phpsecure.org for more info and ~patchs~


Lines 291-299 from modules/WebChat/index.php :

if(isset($roomid)) {
if($xoopsUser) {
$wcusername = $xoopsUser->getVar("uname", "E");
$uid = $xoopsUser->getVar("uid", "E");
}
join_room($roomid,$pass,$wcusername,$uid); /* <- calling joinroom function with param $roomid */
} else {
disp_index($errmsg);
}

Lines 204-208 :
function join_room($roomid,$pass,$username,$uid) {
global $xoopsDB, $xoopsUser, $xoopsConfig, $ModName, $user, $sitename, $pnconfig, $language, $usertime;
unset($errmsg);
$sql = "SELECT rid, name, typ, pass, descript FROM ".$xoopsDB->prefix("chatroom")." WHERE rid = $roomid";
$row = mysql_fetch_array(mysql_query($sql));
[...]


PROBLEM :
$roomid id is included whitout verification.

PATCH :
add this line a the beginning of index.php or download PATCH from phpsecure.org :
$roomid = addslashes($roomid);
If you're paranoiac, shutdown your box and wait for an official release ;)

EXPLOIT :
You're a PHP/SQL g00r00, you don't need an exploit :p


MORE PATCHS !
www.phpsecure.org

MORE HOLES !
www.phpsecure.org


Newsletter signup

Signup to our monthly newsletter and stay in touch with IT news!

Free E-books

We've got ebooks! But they're not online. :( Please give us a few days to bring downloads back.

Contact

Have something to say or just wanna drop us a line? Please keep this in mind: to spam, we reply with spam.

Contact us »