-
AuthorPosts
-
March 12, 2014 at 9:06 am #195709
I have found a place that is vulnerable to a SQL Injection Attack within this plugin. It specifically involves the filename strings not being escaped. This would mean if you name a file with a SQL string you will be able to perform the attack.
I wrote a quick patch file/hack for this here it is:
[PHP]
diff -rupN controllers/localrepo.php controllers/localrepo.php
— controllers/localrepo.php 2013-09-16 01:29:08.000000000 -0400
+++ controllers/localrepo.php 2014-03-12 04:40:42.000000000 -0400
@@ -547,6 +547,7 @@ class jaAmazonS3ControllerLocalrepo exte
*/$filename = substr($file, strlen($basePath));
$filename = jaStorageHelper::cleanPath($filename);
+ $cleanFilename = $db->getEscaped( $filename );
//smushit
$smushed = 0;
@@ -579,7 +580,7 @@ class jaAmazonS3ControllerLocalrepo exte
INSERT INTO `#__jaamazons3_file`SET
bucket_id = ‘{$profile->bucket_id}’,
– path = ‘{$filename}’,
+ path = ‘{$cleanFilename}’,
last_update = ‘{$uploadTimeLog}’,
file_checksum = ‘{$checksum}’,
file_original_checksum = ‘{$checksumOriginal}’,
@@ -616,7 +617,7 @@ class jaAmazonS3ControllerLocalrepo exte
INSERT INTO `#__jaamazons3_file`SET
bucket_id = ‘{$profile->bucket_id}’,
– path = ‘{$filename}’,
+ path = ‘{$cleanFilename}’,
last_update = ‘{$uploadTimeLog}’,
file_checksum = ‘{$checksum}’,
file_original_checksum = ”,
diff -rupN controllers/repo.php controllers/repo.php
— controllers/repo.php 2013-09-16 01:29:08.000000000 -0400
+++ controllers/repo.php 2014-03-12 04:31:39.000000000 -0400
@@ -235,7 +235,7 @@ class jaAmazonS3ControllerRepo extends J
*/$sqlClean = “UPDATE `#__jaamazons3_file` SET `file_exists` = 0 WHERE bucket_id = ‘{$bucket->id}’ AND file_checksum <> ””;
if(!empty($folder)) {
– $updatePath = $folder . ‘/’;
+ $updatePath = $db->getEscaped( $folder . ‘/’ );
$sqlClean .= ” AND INSTR(`path`, ‘{$updatePath}’) = 1″;
}
$db->setQuery($sqlClean);
@@ -245,7 +245,7 @@ class jaAmazonS3ControllerRepo extends J
$sqlLog = array();if(is_array($serverFiles) && count($serverFiles)) {
foreach ($serverFiles as $sfile) {
– $filename = $sfile->Key;
+ $filename = $db->getEscaped( $sfile->Key );
$uploadTimeLog = date(‘Y-m-d H:i:s’, strtotime($sfile->LastModified));
$checksum = str_replace(‘”‘, ”, $sfile->ETag);
$sqlLog[] = “INSERT INTO `#__jaamazons3_file` SET bucket_id = ‘{$bucket->id}’, path = ‘{$filename}’, last_update = ‘{$uploadTimeLog}’, file_checksum = ‘{$checksum}’, `file_exists` = 1 ON DUPLICATE KEY UPDATE last_update = ‘{$uploadTimeLog}’, file_checksum = ‘{$checksum}’, `file_exists` = 1;” . “rn”;
[/PHP]I hope this helps!
Thanh Nguyen Viet FriendThanh Nguyen Viet
- Join date:
- September 2014
- Posts:
- 1461
- Downloads:
- 0
- Uploads:
- 44
- Thanked:
- 258 times in 217 posts
March 17, 2014 at 9:24 am #526929@ phookajoe,
As you can see on the code above, the $filename is cut from $basePath, and the $basePath is got from Sync profile setting, not from user request data, so do not worry about SQL Injection issue in this case.
Anyway, thank you for your attention to make our product better 🙂
March 25, 2014 at 3:23 pm #528066<em>@Dead Code 416634 wrote:</em><blockquote>@ phookajoe,
As you can see on the code above, the $filename is cut from $basePath, and the $basePath is got from Sync profile setting, not from user request data, so do not worry about SQL Injection issue in this case.
Anyway, thank you for your attention to make our product better :)</blockquote>
I disagree… I fixed this code right here to be sanatized (it was very dangerous before!)
$filename = $sfile->Key;
$filename = $db->getEscaped( $sfile->Key );I personally performed the attack from a filename upload, and that’s how I found the issue.
Just want to be clear that this is an actual security issue and not something to ignore.
Thanh Nguyen Viet FriendThanh Nguyen Viet
- Join date:
- September 2014
- Posts:
- 1461
- Downloads:
- 0
- Uploads:
- 44
- Thanked:
- 258 times in 217 posts
March 26, 2014 at 2:15 am #528147Hello,
I have created issue on our issue tracker system and notified to JA Amazon S3 dev team about it, we will try to duplicate this issue on our end and apply your fix.
You can check status of this issue at
pm.joomlart.com/browse/JAECCOMAMAZONJIVI-99Thank you for your contribution.
-
AuthorPosts
This topic contains 4 replies, has 2 voices, and was last updated by Thanh Nguyen Viet 10 years, 9 months ago.
We moved to new unified forum. Please post all new support queries in our New Forum