Author Topic: Search results - sql injection?  (Read 3211 times)

emailoo

  • Newbie
  • *
  • Karma: 3
  • Posts: 36
Search results - sql injection?
« on: November 01, 2008, 01:31:17 pm »

   
Hello,
I noticed a problem with the search engine; simply type some simple words.

Please check by typing into the search at http://1.hekko.pl/snews/, for example: snews a word
or even a simple attack: 'or 1 = 1 =


 Search results:

Search results
SELECT a.id FROM articles AS a LEFT OUTER JOIN categories as c ON category = c.id AND c.published ='YES' LEFT OUTER JOIN categories as x ON c.subcat = x.id AND x.published ='YES' WHERE position != 2 AND a.published = 1 AND a.visible = 'YES' AND (title LIKE "%\'or%" || text LIKE "%\'or%" || keywords_meta LIKE "%\'or%") && (title LIKE "%1%" || text LIKE "%1%" || keywords_meta LIKE "%1%") && (title LIKE "%=%" || text LIKE "%=%" || keywords_meta LIKE "%=%") &&(title LIKE "%1%" || text LIKE "%1%" || keywords_meta LIKE "%1%")

In version 1.6, this problem does not occur.

Yours, emailoo
« Last Edit: November 01, 2008, 01:36:07 pm by emailoo »

Rui Mendes

  • Development, Testing, Support
  • Hero Member
  • *****
  • Karma: 195
  • Posts: 1009
  • sNews1.7
    • Comunidade Portuguesa
Re: Search results - sql injection?
« Reply #1 on: November 01, 2008, 01:55:54 pm »

Sorry, we forgot to erase one line in function search($limit = 20) {

Find this line, and erase the red text
Quote
keywords_meta LIKE "%'.$keywords[$j].'%")'; echo $query;
Need a Job on Europe. Linkdin - Facebook / Group

philmoz

  • High flyer
  • ULTIMATE member
  • ******
  • Karma: 161
  • Posts: 1988
    • fiddle 'n fly
Re: Search results - sql injection?
« Reply #2 on: November 01, 2008, 02:00:24 pm »

line 1332
remove
 echo $query;

(a leftover from testing that obviously wasn't removed :| )

download will be updated...
Of all the things I have lost, it is my mind that I miss the most.

emailoo

  • Newbie
  • *
  • Karma: 3
  • Posts: 36
Re: Search results - sql injection?
« Reply #3 on: November 01, 2008, 02:07:36 pm »

   
OK, thank you

And would it be good to improve it?
As additional security (gain):

line 1304

Before: $search_query = clean(cleanXSS($_POST['search_query']));

After: $search_query = htmlspecialchars(strip_tags(clean(cleanXSS($_POST['search_query']))));



???

   
« Last Edit: November 01, 2008, 02:13:27 pm by emailoo »

philmoz

  • High flyer
  • ULTIMATE member
  • ******
  • Karma: 161
  • Posts: 1988
    • fiddle 'n fly
Re: Search results - sql injection?
« Reply #4 on: November 01, 2008, 02:14:22 pm »

is there something wrong with
function cleanXSS() - line 3403
function clean() - line 3280
Of all the things I have lost, it is my mind that I miss the most.

emailoo

  • Newbie
  • *
  • Karma: 3
  • Posts: 36
Re: Search results - sql injection?
« Reply #5 on: November 01, 2008, 02:22:18 pm »

is there something wrong with
function cleanXSS() - line 3403
function clean() - line 3280

I did not know that these are not additional functions from PHP.

And if not, can you not enrich them? Does it make sense?

--- EDIT ---

It makes sense!

---
The original code:
Code:
$search_query = clean(cleanXSS($_POST['search_query']));
Search:
Code:
<img src=http:&#47&#47www.lightspeedgalleries.com&#47fg&#47lsg/001&#47images/46.jpg>

Search results:
There are no results for query
Code:
<img src=http://www.lightspeedgalleries.com/fg/lsg/001/images/46.jpg>.

---
My solution:
Code:
$search_query = htmlspecialchars(strip_tags(clean(cleanXSS($_POST['search_query']))));
Search:
Code:
&LT;img src=http:&#47&#47www.lightspeedgalleries.com&#47fg&#47lsg&#47;001&#47images&#47;46.jpg&GT;
Search results:
There are no results for query
Code:
&LT;img src=http:&#47&#47www.lightspeedgalleries.com&#47fg&#47lsg/001&#47images/46.jpg&GT;.
« Last Edit: November 01, 2008, 02:56:02 pm by emailoo »

Joost

  • Guest
Re: Search results - sql injection?
« Reply #6 on: November 02, 2008, 02:36:34 am »

@emailoo,

Yes, you can manipulate searchbox input with numerous functions. However, there's no need to: XSS (cross site scripting) can only take place when the malicious code (vb-script or javascript) is actually inserted into the database. Then, when visitors request an infected page, these scripts do their work on the client-side (the browser). function search does not insert code, it only retrieves matching words from the database.

Sql injection is something to worry about, but that's been taken care of by function clean. Inside function clean there is function mysql_real_escape_string doing the job.
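The two escaping boundaries this thread touches (the SQL context that clean() handles with mysql_real_escape_string, and the HTML context emailoo's htmlspecialchars() addresses when the query is echoed back in the "no results" message) side by side, as an added example that is not sNews code. It rebuilds the per-keyword LIKE groups of the query emailoo saw echoed, but with PDO prepared statements, and it also escapes the LIKE wildcards % and _, which mysql_real_escape_string does not touch. It runs stand-alone against an in-memory SQLite database; the table, the sample rows and the helper names (escape_like, build_search_query, run_search, render_no_results, demo_db) are all constructed here.

```php
<?php
// Added example, not sNews code. Demonstrates keyword search with prepared
// statements plus LIKE-wildcard escaping, and HTML escaping at output time.
// Table, rows and helper names are constructed for this example.

declare(strict_types=1);

// mysql_real_escape_string protects the quote context only; '%' and '_'
// remain LIKE wildcards, so a bare "%" would match every row. Escape them
// with an explicit ESCAPE character ('!' is accepted by MySQL and SQLite).
function escape_like(string $term, string $esc = '!'): string
{
    return str_replace([$esc, '%', '_'], [$esc . $esc, $esc . '%', $esc . '_'], $term);
}

// One "(title LIKE ? OR text LIKE ? OR keywords_meta LIKE ?)" group per
// keyword, joined with AND, the same shape as the query quoted in the thread.
// Returns the SQL and the bound values; no user input is concatenated into $sql.
function build_search_query(array $keywords): array
{
    $clauses = [];
    $params  = [];
    foreach ($keywords as $kw) {
        $clauses[] = "(title LIKE ? ESCAPE '!' OR text LIKE ? ESCAPE '!' OR keywords_meta LIKE ? ESCAPE '!')";
        $pattern = '%' . escape_like($kw) . '%';
        array_push($params, $pattern, $pattern, $pattern);
    }
    $sql = 'SELECT id FROM articles WHERE published = 1';
    if ($clauses) {
        $sql .= ' AND ' . implode(' AND ', $clauses);
    }
    return [$sql, $params];
}

function run_search(PDO $db, string $raw): array
{
    // Split the search box contents on whitespace: "'or 1 = 1 =" becomes four
    // keywords that each have to occur literally, as in the echoed query.
    $keywords = preg_split('/\s+/', trim($raw), -1, PREG_SPLIT_NO_EMPTY);
    [$sql, $params] = build_search_query($keywords);
    // No "echo $query" here: the leftover debug line in 1.7 showed visitors
    // the full statement, including table and column names.
    $stmt = $db->prepare($sql);
    $stmt->execute($params);
    return array_map('intval', $stmt->fetchAll(PDO::FETCH_COLUMN));
}

// HTML context: escape when the raw query is echoed back, independent of
// whatever escaping was done for the SQL context.
function render_no_results(string $raw): string
{
    return 'There are no results for query '
        . htmlspecialchars($raw, ENT_QUOTES, 'UTF-8') . '.';
}

function demo_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, text TEXT, keywords_meta TEXT, published INTEGER)');
    $ins = $db->prepare('INSERT INTO articles VALUES (?, ?, ?, ?, ?)');
    // Constructed sample rows: one published match, one unpublished, one with a literal '%'.
    $ins->execute([1, 'sNews 1.7 released', 'Discussion of the new search', 'snews,search', 1]);
    $ins->execute([2, 'Draft', 'snews draft, not yet published', '', 0]);
    $ins->execute([3, 'Holiday photos', '100% sunshine', 'photos', 1]);
    return $db;
}

$db = demo_db();
foreach (['snews', "'or 1 = 1 =", '100%', '%'] as $q) {
    printf("%-14s => %s\n", $q, json_encode(run_search($db, $q)));
}
echo render_no_results('<img src=http://example.invalid/x.jpg>'), "\n";
```

Running it with the constructed rows shows the injection string from the first post producing an empty result because every fragment is bound as data, the unpublished row never appearing, and "100%" or a lone "%" matching only the row that literally contains a percent sign rather than every row. The final line shows the raw query rendered as text, not as a tag, which is the output-side concern emailoo's htmlspecialchars() change was aimed at.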