test
Viewing 4 posts - 1 through 4 (of 4 total)
  • Author
    Posts
  • phookajoe Friend
    #195709

    I have found a place that is vulnerable to a SQL Injection Attack within this plugin. It specifically involves the filename strings not being escaped. This would mean if you name a file with a SQL string you will be able to perform the attack.

    I wrote a quick patch file/hack for this here it is:

    [PHP]
    diff -rupN controllers/localrepo.php controllers/localrepo.php
    — controllers/localrepo.php 2013-09-16 01:29:08.000000000 -0400
    +++ controllers/localrepo.php 2014-03-12 04:40:42.000000000 -0400
    @@ -547,6 +547,7 @@ class jaAmazonS3ControllerLocalrepo exte
    */

    $filename = substr($file, strlen($basePath));

    $filename = jaStorageHelper::cleanPath($filename);

    + $cleanFilename = $db->getEscaped( $filename );

    //smushit

    $smushed = 0;

    @@ -579,7 +580,7 @@ class jaAmazonS3ControllerLocalrepo exte
    INSERT INTO `#__jaamazons3_file`

    SET

    bucket_id = ‘{$profile->bucket_id}’,

    – path = ‘{$filename}’,

    + path = ‘{$cleanFilename}’,

    last_update = ‘{$uploadTimeLog}’,

    file_checksum = ‘{$checksum}’,

    file_original_checksum = ‘{$checksumOriginal}’,

    @@ -616,7 +617,7 @@ class jaAmazonS3ControllerLocalrepo exte
    INSERT INTO `#__jaamazons3_file`

    SET

    bucket_id = ‘{$profile->bucket_id}’,

    – path = ‘{$filename}’,

    + path = ‘{$cleanFilename}’,

    last_update = ‘{$uploadTimeLog}’,

    file_checksum = ‘{$checksum}’,

    file_original_checksum = ”,

    diff -rupN controllers/repo.php controllers/repo.php
    — controllers/repo.php 2013-09-16 01:29:08.000000000 -0400
    +++ controllers/repo.php 2014-03-12 04:31:39.000000000 -0400
    @@ -235,7 +235,7 @@ class jaAmazonS3ControllerRepo extends J
    */

    $sqlClean = “UPDATE `#__jaamazons3_file` SET `file_exists` = 0 WHERE bucket_id = ‘{$bucket->id}’ AND file_checksum <> ””;

    if(!empty($folder)) {

    – $updatePath = $folder . ‘/’;

    + $updatePath = $db->getEscaped( $folder . ‘/’ );

    $sqlClean .= ” AND INSTR(`path`, ‘{$updatePath}’) = 1″;

    }

    $db->setQuery($sqlClean);

    @@ -245,7 +245,7 @@ class jaAmazonS3ControllerRepo extends J
    $sqlLog = array();

    if(is_array($serverFiles) && count($serverFiles)) {

    foreach ($serverFiles as $sfile) {

    – $filename = $sfile->Key;

    + $filename = $db->getEscaped( $sfile->Key );

    $uploadTimeLog = date(‘Y-m-d H:i:s’, strtotime($sfile->LastModified));

    $checksum = str_replace(‘”‘, ”, $sfile->ETag);

    $sqlLog[] = “INSERT INTO `#__jaamazons3_file` SET bucket_id = ‘{$bucket->id}’, path = ‘{$filename}’, last_update = ‘{$uploadTimeLog}’, file_checksum = ‘{$checksum}’, `file_exists` = 1 ON DUPLICATE KEY UPDATE last_update = ‘{$uploadTimeLog}’, file_checksum = ‘{$checksum}’, `file_exists` = 1;” . “rn”;
    [/PHP]

    I hope this helps!

    Thanh Nguyen Viet Friend
    #526929

    @ phookajoe,

    As you can see on the code above, the $filename is cut from $basePath, and the $basePath is got from Sync profile setting, not from user request data, so do not worry about SQL Injection issue in this case.

    Anyway, thank you for your attention to make our product better 🙂

    phookajoe Friend
    #528066

    <em>@Dead Code 416634 wrote:</em><blockquote>@ phookajoe,

    As you can see on the code above, the $filename is cut from $basePath, and the $basePath is got from Sync profile setting, not from user request data, so do not worry about SQL Injection issue in this case.

    Anyway, thank you for your attention to make our product better :)</blockquote>

    I disagree… I fixed this code right here to be sanatized (it was very dangerous before!)

    $filename = $sfile->Key;
    $filename = $db->getEscaped( $sfile->Key );

    I personally performed the attack from a filename upload, and that’s how I found the issue.

    Just want to be clear that this is an actual security issue and not something to ignore.

    Thanh Nguyen Viet Friend
    #528147

    Hello,

    I have created issue on our issue tracker system and notified to JA Amazon S3 dev team about it, we will try to duplicate this issue on our end and apply your fix.
    You can check status of this issue at
    pm.joomlart.com/browse/JAECCOMAMAZONJIVI-99

    Thank you for your contribution.

Viewing 4 posts - 1 through 4 (of 4 total)

This topic contains 4 replies, has 2 voices, and was last updated by  Thanh Nguyen Viet 10 years, 9 months ago.

We moved to new unified forum. Please post all new support queries in our New Forum