Topic: SQL injection vulnerability (Read 332 times)

bobcat

SQL injection vulnerability
« on: February 05, 2013, 12:10:36 PM »

Just stumbled across this: http://packetstormsecurity.com/files/119573/Snews-CMS-SQL-Injection.html

Code:
# Exploit Title : CMS snews SQL Injection Vulnerability
# Author        : By onestree
# Software Link : http://snewscms.com/
# tested        : ubuntu 12.10 / win 7
# Dork          : inurl:"tanyakan pada rumput yang bergoyang"
*************************************************************

SQL poc:
http://localhost/snews/snews.php?act=shownews&id=[SQL]

Example:
http://localhost/snews/snews.php?act=shownews&id=-23/**/union/**/select/**/0,1,concat(user_name,char(32),user_pass),3,4,5,6/**/from/**/snews_user/**/where/**/id%20like%201/*


What versions of snews is at risk of this? Is there a fix for this?

Fred K

Re: SQL injection vulnerability
« Reply #1 on: February 05, 2013, 12:23:44 PM »

What is it supposed to do? Has the original user been able to successfully do anything with it? I've run both quoted strings in my localhost and can't see any results at all (but I'm no hacker and don't know what I'm expected to see...)

A simple "fix" against this particular hack, going by the URLs in the quoted strings, is to change your snews.php filename to something other than snews.php.

That said, as the hack is presented I can't really see that it succeeds in doing anything. Just don't take my word for it.

bobcat

Re: SQL injection vulnerability
« Reply #2 on: February 05, 2013, 03:58:13 PM »

Quote from: Fred K
> What is it supposed to do? Has the original user been able to successfully do anything with it? I've run both quoted strings in my localhost and can't see any results at all (but I'm no hacker and don't know what I'm expected to see...)
>
> A simple "fix" against this particular hack, going by the URLs in the quoted strings, is to change your snews.php filename to something other than snews.php.
>
> That said, as the hack is presented I can't really see that it succeeds in doing anything. Just don't take my word for it.

I'm not too sure, but seeing as it's an SQL injection, I assume that the above query will probably be able to insert a new admin user and password into the MySQL database, and allow the hacker access to your site.

Never seen the quoted snews.php?act=shownews, so not too sure what version of snews.php.

Would be good to hear from anyone more familiar with the code, and whether this is anything to worry about.

Fred K

Re: SQL injection vulnerability
« Reply #3 on: February 05, 2013, 05:26:32 PM »

This: "?act=shownews" does not exist in sNews 1.7, as far as I know. System/admin action urls are different than that.
Haven't checked but I don't think it exists in 1.6 either.

In my local test, the string in the hack did nothing to the db, certainly didn't allow access to or show the admin user/pass details. I haven't tried it on any live site but I don't see that it would produce different results. In fact, removing snews.php from the string makes no change, it produces no visible result at all.

nukpana

Re: SQL injection vulnerability
« Reply #4 on: February 06, 2013, 11:57:01 AM »

Quote from: Fred K
> This: "?act=shownews" does not exist in sNews 1.7, as far as I know. System/admin action urls are different than that.
> Haven't checked but I don't think it exists in 1.6 either.

No, and I don't believe it ever did in any version.  sNews doesn't use $_GET['act'], it uses $_GET['action'].  Also, shownews sounds like a module to a system - not sNews. Also, SU sNews has the user/password in the settings, not in a separate table.... though I am unsure about MU versions.

sibas

Re: SQL injection vulnerability
« Reply #5 on: February 06, 2013, 04:08:47 PM »

Let me think a bit out loud.
Calling /snews.php seems to do nothing, you see only an empty page,
but the truth is, it is working, just no function has asked it to execute anything!!
If someone who knows how could make it work, maybe it is possible to execute some evil script.
My idea to make it more secure is to find some way of just not calling /snews.php directly   :-\

Keyrocks

Re: SQL injection vulnerability
« Reply #6 on: February 06, 2013, 04:20:20 PM »

Quote from: nukpana
> SU sNews has the user/password in the settings, not in a separate table.... though I am unsure about MU versions.

Neither act= nor shownews exists anywhere in the sNews 17MU scripts.

Also notice that the exploit script provided by bobcat is written to access the user_name and user_pass values in the snews_user d-base table... those values and table-name are not used in the 1.6 and 1.7 MU packages I've been using all these years.
Do it now... later may not come.
-------------------------------------------------------------------------------------------------
sNews 1.6 MESU | sNews 1.6 MEMU

Keyrocks

Re: SQL injection vulnerability
« Reply #7 on: February 06, 2013, 04:28:57 PM »

Quote from: sibas
> Let me think a bit out loud.
> Calling /snews.php seems to do nothing, you see only an empty page,
> but the truth is, it is working, just no function has asked it to execute anything!!
> If someone who knows how could make it work, maybe it is possible to execute some evil script.
> My idea to make it more secure is to find some way of just not calling /snews.php directly   :-\

Yes... if the 'evil script' was being executed successfully, you would not know it while executing it. But, the way the exploit script bobcat provided is written, it would not execute anyway because the values and table-name in the script line don't exist in MU versions of sNews 1.6 or 1.7 and the username/password are not stored in a users d-base table in the single-user versions.

Also, to access and alter a d-base table, the hacker's script would need to be able to access the d-base password and username in order to get into the d-base... the exploit script bobcat provided doesn't do that either.

The easiest way to stop anyone from calling snews.php is to change the name of the file to something obscure... something no one would think of using. For example, you could change the name of the file to nincompoop.php or sillymander.php and call it by that name in whichever file you were calling the snews.php file in.
« Last Edit: February 06, 2013, 04:32:36 PM by Keyrocks »

Fred K

Re: SQL injection vulnerability
« Reply #8 on: February 06, 2013, 09:46:03 PM »

Quote from: sibas
> Let me think a bit out loud.
> Calling /snews.php seems to do nothing, you see only an empty page,
> but the truth is, it is working, just no function has asked it to execute anything!!
> If someone who knows how could make it work, maybe it is possible to execute some evil script.
> My idea to make it more secure is to find some way of just not calling /snews.php directly   :-\

It's simple, as Key and I have already said: name your snews.php file something else and any script looking for snews.php will fall flat on its face. That's not the issue with the hack though. As nukpana and Keyrocks have pointed out, and as I tried to say before: the details of the published hack have no corresponding elements in either snews.php or the snews database, nor any existing function in snews.php that calls these elements (which is partly why the hack doesn't execute anything). This should, as far as we know, apply to sNews 1.6 and 1.7. Not sure what more assurances you want.

I would personally like to see the person who published the so-called hack come here and explain a) what it thinks the hack accomplishes and b) prove that the hack actually does something. And if it really does something, c) provide insight to how that could be prevented. So far I've seen no proof. And I'm not holding my breath.

Keyrocks

Re: SQL injection vulnerability
« Reply #9 on: February 07, 2013, 04:09:33 AM »

Quote from: Fred K
> I would personally like to see the person who published the so-called hack come here and explain a) what it thinks the hack accomplishes and b) prove that the hack actually does something. And if it really does something, c) provide insight to how that could be prevented. So far I've seen no proof. And I'm not holding my breath.

Same from me. In fact, I suspect that the "exploit" report is fictitious... phoney... probably posted by someone who doesn't like sNews and who wants to scare people away from using sNews. And we know there are a few developers out there in la-la-land that want to discredit sNews all they can for their own personal gain.  :o

sibas

Re: SQL injection vulnerability
« Reply #10 on: February 07, 2013, 11:36:05 AM »

In this world nothing is perfect, and obviously there are some stupid guys out there.

Call me paranoid, but I know that it is quite easy to find the names and files of the directory that hosts your site;
scripts to do those scans can be found all over the internet.

What I say is just to add some solutions for all the people who are paranoid like me.  ::)
It is not necessary for an exploit to happen before we try to add security measures.

Personally (in the last months) I have used these security layers for some of my sites, depending on the work I need to do.

   1)   Put snews.php outside public_html or www and call it with something like include '../snews.php'
   2)   Put snews.php in a different folder and place an .htaccess there to deny from all
   3)   Add PHP code to deny direct calls of the script (not real protection, but it helps against some script kids)

Of course the best security is to sanitize all the inputs / post / get / where the default sNews 1.7 is quite OK as far as I know.  :)
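The following is an added example, not sNews's own code and not a patch from anyone in this thread, of sibas's measures 1) and 3) together with the input sanitizing he mentions last: the script refuses direct calls unless a front controller has defined an entry constant, and an article lookup by id rejects anything that is not a plain positive integer and binds the value in a prepared statement, so a payload shaped like the advisory's "-23/**/union/**/select..." never reaches the SQL text. The constant name SNEWS_ENTRY, the PDO handle, and the table and column names are assumptions, not the sNews schema.

```php
<?php
// Added example, not sNews code. Assumed: the front controller in
// public_html defines SNEWS_ENTRY before including this file, which lives
// outside the web root (sibas's measure 1). Measure 3 is the guard below.
if (!defined('SNEWS_ENTRY')) {
    http_response_code(403);
    exit('Direct access denied.');
}

// Look up one article by id (a stand-in for a "shownews"-style action).
// Returns the row, or null when the id is rejected or not found.
function show_news(PDO $db, $raw_id): ?array
{
    // Accept only digits: "-23/**/union/**/select..." fails ctype_digit,
    // as do empty strings, so nothing of the payload survives.
    if (!ctype_digit((string) $raw_id)) {
        return null;
    }
    $id = (int) $raw_id;

    // Table and column names are placeholders, not the sNews schema.
    // Binding as PDO::PARAM_INT keeps the value out of the query string.
    $stmt = $db->prepare('SELECT id, title, text FROM articles WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    return $row === false ? null : $row;
}

// Usage from the front controller (public_html/index.php):
//   define('SNEWS_ENTRY', true);
//   require __DIR__ . '/../snews.php';   // script outside the web root
//   $article = show_news($db, $_GET['id'] ?? '');
```

Renaming the file, as suggested earlier in the thread, only hides the entry point; the guard and the typed, bound parameter are what make the id lookup safe regardless of the filename.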

lebohang

Re: SQL injection vulnerability
« Reply #11 on: March 07, 2013, 01:25:18 PM »

Quote from: Fred K
> I would personally like to see the person who published the so-called hack come here and explain a) what it thinks the hack accomplishes and b) prove that the hack actually does something. And if it really does something, c) provide insight to how that could be prevented. So far I've seen no proof. And I'm not holding my breath.

Quote from: Keyrocks
> Same from me. In fact, I suspect that the "exploit" report is fictitious... phoney... probably posted by someone who doesn't like sNews and who wants to scare people away from using sNews. And we know there are a few developers out there in la-la-land that want to discredit sNews all they can for their own personal gain.  :o

I think it is a fitting exploit... I tried the code but it did not result in anything (sNews 1.7). No need to fear :)

Thanks...