Sep 24 2009

SQL Injection Flaw in FanUpdate

A security issue has come to light in FanUpdate (2.2.1 specifically, but it likely affects previous versions too). It only affects installations still running with register_globals turned on (a very bad idea), because that is what lets a visitor set PHP variables from the URL.

The problem, for those interested, lies in show-cat.php dropping an unsanitised $listingid straight into a SQL query. show-cat.php is meant to be included from another page that defines $listingid first. However, nothing stops the file being loaded directly, so on a server with register_globals on, show-cat.php can be requested with $listingid supplied as a query-string parameter, and whatever is in that parameter (including a malicious SQL fragment) ends up in the query.

Quick Fix

Open show-cat.php and change: if (!isset($listingid)) { exit; }

to: if (!isset($listingid) || !is_numeric($listingid)) { exit; }

(Note the ||: with && instead, a $listingid that is set but not numeric would get through. is_numeric also accepts things like "1e3" and " 7", so treat this check as a courtesy; the cast in the next change is what actually closes the hole.)

then change: $query = "SELECT * FROM ".$fu->getOpt('catoptions_table')." WHERE cat_id=$listingid LIMIT 1";

to: $query = "SELECT * FROM ".$fu->getOpt('catoptions_table')." WHERE cat_id=".(int)$listingid." LIMIT 1";

The (int) cast means only a plain integer can ever reach the SQL string, whatever was in the URL. (The table name is still interpolated, but it comes from FanUpdate's own config, not from the visitor.)
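To see what the unsanitised interpolation lets through and what the cast changes, here is an added example (my own code, not FanUpdate's and not part of the original post). $table stands in for $fu->getOpt('catoptions_table'), the category rows and the attacker inputs are made up, and the SQLite section exists only so the two queries can be run side by side without a real FanUpdate database.

```php
<?php
// Added example, not FanUpdate's code. $table stands in for
// $fu->getOpt('catoptions_table'); it is config, not user input.

function vulnerableQuery(string $table, $listingid): string
{
    // As shipped: whatever register_globals put in $listingid lands in the SQL.
    return "SELECT * FROM $table WHERE cat_id=$listingid LIMIT 1";
}

function fixedQuery(string $table, $listingid): string
{
    // The quick fix: an int cast leaves only a signed integer in the string.
    return "SELECT * FROM $table WHERE cat_id=" . (int)$listingid . " LIMIT 1";
}

// The guard in || form: exit unless a numeric value is present.
// With && instead of ||, a set-but-non-numeric value passes the check.
function guardNumeric($listingid): bool
{
    return !isset($listingid) || !is_numeric($listingid);   // true = exit
}

function guardAnd($listingid): bool
{
    return !isset($listingid) && !is_numeric($listingid);   // true = exit
}

$table = 'fu_catoptions';
// Constructed inputs: the first is a normal request, the next two are what an
// attacker would put in ?listingid= on a register_globals host, the last is
// what a direct load with no parameter gives.
$inputs = [
    '3',
    '3 OR 1=1',
    '0 UNION SELECT 99, sqlite_version()',
    null,
];

foreach ($inputs as $in) {
    printf("%-40s guard||:%-4s guard&&:%-4s\n  vuln : %s\n  fixed: %s\n",
        var_export($in, true),
        guardNumeric($in) ? 'exit' : 'run',
        guardAnd($in) ? 'exit' : 'run',
        vulnerableQuery($table, $in),
        fixedQuery($table, $in));
}

// Run both queries against a throwaway in-memory SQLite table (made-up rows).
if (extension_loaded('pdo_sqlite')) {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec("CREATE TABLE $table (cat_id INTEGER PRIMARY KEY, cat_name TEXT)");
    $pdo->exec("INSERT INTO $table VALUES (1,'news'),(2,'links'),(3,'gallery')");

    $evil = '0 UNION SELECT 99, sqlite_version()';

    // Vulnerable: the UNION smuggles in a row that never came from the table.
    print_r($pdo->query(vulnerableQuery($table, $evil))->fetch(PDO::FETCH_ASSOC));

    // Cast: the query becomes cat_id=0, and there is no such row (fetch gives false).
    var_dump($pdo->query(fixedQuery($table, $evil))->fetch(PDO::FETCH_ASSOC));

    // Better than building strings at all: a prepared statement with a bound integer.
    $stmt = $pdo->prepare("SELECT * FROM $table WHERE cat_id = :id LIMIT 1");
    $stmt->bindValue(':id', (int)$evil, PDO::PARAM_INT);
    $stmt->execute();
    var_dump($stmt->fetch(PDO::FETCH_ASSOC));
}
```

The printf loop shows the point of the operator: '3 OR 1=1' is set, so the && version never exits on it, while the || version does. The cast alone is enough to defuse both injected inputs, since (int)'3 OR 1=1' is 3 and (int)'0 UNION ...' is 0; the prepared statement is the habit to adopt for anything beyond a quick patch.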

Important note: I am not responsible for any damage incurred by running this fix. I do not have any responsibility over FanUpdate. (Blah blah blah.) I’m only posting this because I know Jenny doesn’t maintain the script now.

Warning

This post is over 6 months old. This means that, despite my best intentions, it may no longer be accurate. Age, motherhood, experience, loss... these things have all changed me from when this blog was started back in the heady (ha) days of my youth.

As much as I would like to go back and edit 10 years of archives to provide an insight into the 'me' of now — to update coding snippets and revise website advice — it would probably take years to do so (by which point I'd have to start again!) This would defeat the point of keeping these archives anyway.

Please take these posts for what they are: a brief look into my past, my history, my journey.

11 Responses so far
  1. Jessica says: September 24, 2009 at 11:34 am

    Thanks for letting us know, Jem! Your fix works like a charm. :)

  2. Vera says: September 24, 2009 at 11:56 am

    Just you wait, now you'll be accused of being anti FanUpdate as well, and a WP-junkie :P

    Yes… I have too much free time.

  3. Jem says: September 24, 2009 at 12:02 pm

    I am innocent :P I didn't discover the flaw this time. In fact, when I'd previously checked FanUpdate I missed this!

  4. Nyx says: September 24, 2009 at 3:37 pm

    Since when I tried to turn register_globals off with .htaccess it threw up a 500 error, thanks so much for the fix Jem.

  5. Mumblies says: September 24, 2009 at 4:10 pm

    Meh! Give me heart failure why dontcha? Thought your site was broke for a second there lol.

  6. Kitty says: September 25, 2009 at 4:16 am

    Thanks for the fix Jem. I'll be sure to take note of that.

  7. Jordan says: September 25, 2009 at 6:06 pm

    I had meant to email this to you on the 22nd I think (it was being posted on Twitter via bots, which is how I noticed) but truthfully I figured with everything else on your plate it would be the last thing you'd look at :P

  8. Jem says: September 25, 2009 at 7:02 pm

    TBH I only looked because I initially thought it was wrong – I went over FanUpdate previously and hadn't spotted any security issues. I was pissed at myself for missing such an obvious one.

  9. Anthony says: September 26, 2009 at 8:06 am

    SUPER JEM TO THE RESCUE!

  10. Julia says: September 26, 2009 at 3:26 pm

    Thanks Jem for FanUpdate update :P