SQL Injection Flaw in FanUpdate

A security issue has come to light in FanUpdate (2.2.1 specifically but likely affects previous versions). This only affects those who are still running with register_globals turned on (a very bad idea).

The problem — for those interested — lies in show-cat.php relying on an unsanitised $listingid. In an ideal world, show-cat.php should only be called by the script from another page where you define $listingid first. However, because there’s nothing stopping direct loading of the file itself, show-cat.php can be accessed (on a server with register_globals on) with a malicious SQL query in the URL.

Quick Fix

Open show-cat.php and change: if (!isset($listingid)) { exit; }

to: if (!isset($listingid) && !is_numeric($listingid)) { exit; }

then change: $query = "SELECT * FROM ".$fu->getOpt('catoptions_table')." WHERE cat_id=$listingid LIMIT 1";

to: $query = "SELECT * FROM ".$fu->getOpt('catoptions_table')." WHERE cat_id=".(int)$listingid." LIMIT 1";

Important note: I am not responsible for any damage incurred by running this fix. I do not have any responsibility over FanUpdate. (Blah blah blah.) I’m only posting this because I know Jenny doesn’t maintain the script now.

Jem Turner jem@jemjabella.co.uk +44(0)7521056376

11 comments so far

  1. Vera said:

    Just you wait, now you'll be accused of being anti FanUpdate as well, and a WP-junkie :P

    Yes… I have too much free time.

  2. Jem said:

    I am innocent :P I didn't discover the flaw this time. In fact, when I'd previously checked FanUpdate I missed this!

  3. Nyx said:

    Since when I tried to turn register_globals off with .htaccess is threw up a 500 error, thanks so much for the fix Jem.

  4. Mumblies said:

    Meh! Give me heart failure why dontcha? Thought your site was broke for a second there lol.

  5. Jordan said:

    I had meant to email this to you on the 22nd I think (it was being posted on Twitter via bots which is how I noticed) but truthfully I figured with everything else on your plate it would be the last thing you'd look it :P

  6. Jem said:

    TBH I only looked because I initially thought it was wrong – I went over FanUpdate previously and hadn't spotted any security issues. I was pissed at myself for missing such an obvious one.