Sep24, 2009

SQL Injection Flaw in FanUpdate

A security issue has come to light in FanUpdate (2.2.1 specifically but likely affects previous versions). This only affects those who are still running with register_globals turned on (a very bad idea).

The problem — for those interested — lies in show-cat.php relying on an unsanitised $listingid. In an ideal world, show-cat.php should only be called by the script from another page where you define $listingid first. However, because there's nothing stopping direct loading of the file itself, show-cat.php can be accessed (on a server with register_globals on) with a malicious SQL query in the URL.

Quick Fix

Open show-cat.php and change: if (!isset($listingid)) { exit; }

to: if (!isset($listingid) && !is_numeric($listingid)) { exit; }

then change: $query = "SELECT * FROM ".$fu->getOpt('catoptions_table')." WHERE cat_id=$listingid LIMIT 1";

to: $query = "SELECT * FROM ".$fu->getOpt('catoptions_table')." WHERE cat_id=".(int)$listingid." LIMIT 1";

Important note: I am not responsible for any damage incurred by running this fix. I do not have any responsibility over FanUpdate. (Blah blah blah.) I'm only posting this because I know Jenny doesn't maintain the script now.

11

Tagged , and .

Comments

There are currently 11 approved responses to "SQL Injection Flaw in FanUpdate".

  1. [gravatar]

    Jessica 24/09/09 at 11:34 #

    Thanks for letting us know, Jem! Your fix works like a charm. :)

  2. [gravatar]

    Vera 24/09/09 at 11:56 #

    Just you wait, now you'll be accused of being anti FanUpdate as well, and a WP-junkie :P

    Yes... I have too much free time.

  3. [gravatar]

    Jem 24/09/09 at 12:02 #

    I am innocent :P I didn't discover the flaw this time. In fact, when I'd previously checked FanUpdate I missed this!

  4. [gravatar]

    Nyx 24/09/09 at 15:37 #

    Since when I tried to turn register_globals off with .htaccess is threw up a 500 error, thanks so much for the fix Jem.

  5. Mumblies   24/09/09 at 16:10 #

    Meh! Give me heart failure why dontcha? Thought your site was broke for a second there lol.

  6. [gravatar]

    Kitty 25/09/09 at 04:16 #

    Thanks for the fix Jem. I'll be sure to take note of that.

  7. [gravatar]

    Jordan 25/09/09 at 18:06 #

    I had meant to email this to you on the 22nd I think (it was being posted on Twitter via bots which is how I noticed) but truthfully I figured with everything else on your plate it would be the last thing you'd look it :P

  8. [gravatar]

    Jem 25/09/09 at 19:02 #

    TBH I only looked because I initially thought it was wrong - I went over FanUpdate previously and hadn't spotted any security issues. I was pissed at myself for missing such an obvious one.

  9. [gravatar]

    Anthony 26/09/09 at 08:06 #

    SUPER JEM TO THE RESCUE!

  10. [gravatar]

    Julia 26/09/09 at 15:26 #

    Thanks Jem for FanUpdate update :P

  11. [gravatar]

    FanUpdate Users « Bubble.nu 29/10/09 at 13:12 #

    ...http://jemjabella.co.uk">jemjabella.co.uk has a post on her website on how to fix this problem: jemjabella.co.uk/blog/sql-injection-flaw-in-fanupdate please follow the instructions as she has listed and your website should be free from any risk. Thi...

Comments are closed.