SQL Injection Flaw in FanUpdate

A security issue has come to light in FanUpdate (2.2.1 specifically but likely affects previous versions). This only affects those who are still running with register_globals turned on (a very bad idea).

The problem — for those interested — lies in show-cat.php relying on an unsanitised $listingid. In an ideal world, show-cat.php should only be called by the script from another page where you define $listingid first. However, because there’s nothing stopping direct loading of the file itself, show-cat.php can be accessed (on a server with register_globals on) with a malicious SQL query in the URL.

Quick Fix

Open show-cat.php and change: if (!isset($listingid)) { exit; }

to: if (!isset($listingid) && !is_numeric($listingid)) { exit; }

then change: $query = "SELECT * FROM ".$fu->getOpt('catoptions_table')." WHERE cat_id=$listingid LIMIT 1";

to: $query = "SELECT * FROM ".$fu->getOpt('catoptions_table')." WHERE cat_id=".(int)$listingid." LIMIT 1";

Important note: I am not responsible for any damage incurred by running this fix. I do not have any responsibility over FanUpdate. (Blah blah blah.) I’m only posting this because I know Jenny doesn’t maintain the script now.

11 comments so far

  1. Jessica said:
    On 24 Sep at 11:34 am

    Thanks for letting us know, Jem! Your fix works like a charm. :)

  2. Vera said:
    On 24 Sep at 11:56 am

    Just you wait, now you'll be accused of being anti FanUpdate as well, and a WP-junkie :P

    Yes… I have too much free time.

  3. Jem said:
    On 24 Sep at 12:02 pm

    I am innocent :P I didn't discover the flaw this time. In fact, when I'd previously checked FanUpdate I missed this!

  4. Nyx said:
    On 24 Sep at 3:37 pm

    Since when I tried to turn register_globals off with .htaccess is threw up a 500 error, thanks so much for the fix Jem.

  5. Mumblies said:
    On 24 Sep at 4:10 pm

    Meh! Give me heart failure why dontcha? Thought your site was broke for a second there lol.

  6. Kitty said:
    On 25 Sep at 4:16 am

    Thanks for the fix Jem. I'll be sure to take note of that.

  7. Jordan said:
    On 25 Sep at 6:06 pm

    I had meant to email this to you on the 22nd I think (it was being posted on Twitter via bots which is how I noticed) but truthfully I figured with everything else on your plate it would be the last thing you'd look it :P

  8. Jem said:
    On 25 Sep at 7:02 pm

    TBH I only looked because I initially thought it was wrong – I went over FanUpdate previously and hadn't spotted any security issues. I was pissed at myself for missing such an obvious one.

  9. Anthony said:
    On 26 Sep at 8:06 am

    SUPER JEM TO THE RESCUE!

  10. Julia said:
    On 26 Sep at 3:26 pm

    Thanks Jem for FanUpdate update :P