SQL Injection Flaw in FanUpdate

 |  Geek, PHP

A security issue has come to light in FanUpdate (2.2.1 specifically but likely affects previous versions). This only affects those who are still running with register_globals turned on (a very bad idea).

The problem — for those interested — lies in show-cat.php relying on an unsanitised $listingid. In an ideal world, show-cat.php should only be called by the script from another page where you define $listingid first. However, because there’s nothing stopping direct loading of the file itself, show-cat.php can be accessed (on a server with register_globals on) with a malicious SQL query in the URL.

Quick Fix

Open show-cat.php and change: if (!isset($listingid)) { exit; }

to: if (!isset($listingid) && !is_numeric($listingid)) { exit; }

then change: $query = "SELECT * FROM ".$fu->getOpt('catoptions_table')." WHERE cat_id=$listingid LIMIT 1";

to: $query = "SELECT * FROM ".$fu->getOpt('catoptions_table')." WHERE cat_id=".(int)$listingid." LIMIT 1";

Important note: I am not responsible for any damage incurred by running this fix. I do not have any responsibility over FanUpdate. (Blah blah blah.) I’m only posting this because I know Jenny doesn’t maintain the script now.

Jem Turner jem@jemjabella.co.uk +44(0)7521056376

11 comments so far

  1. Jordan said:

    I had meant to email this to you on the 22nd I think (it was being posted on Twitter via bots which is how I noticed) but truthfully I figured with everything else on your plate it would be the last thing you'd look it :P

  2. Jem said:

    TBH I only looked because I initially thought it was wrong – I went over FanUpdate previously and hadn't spotted any security issues. I was pissed at myself for missing such an obvious one.