March 12, 2014 at 9:06 am #195709
I have found a place that is vulnerable to a SQL Injection Attack within this plugin. It specifically involves the filename strings not being escaped. This would mean if you name a file with a SQL string you will be able to perform the attack.
I wrote a quick patch file/hack for this; here it is:
[PHP]
diff -rupN controllers/localrepo.php controllers/localrepo.php
— controllers/localrepo.php 2013-09-16 01:29:08.000000000 -0400
+++ controllers/localrepo.php 2014-03-12 04:40:42.000000000 -0400
@@ -547,6 +547,7 @@ class jaAmazonS3ControllerLocalrepo exte
*/$filename = substr($file, strlen($basePath));
$filename = jaStorageHelper::cleanPath($filename);
+ $cleanFilename = $db->getEscaped( $filename );
//smushit
$smushed = 0;
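Review bot: `$db` is used on the added line, but nothing in the visible context of this hunk shows it being initialised in this method; confirm that a `$db = JFactory::getDBO();` (or equivalent) precedes this point, otherwise the new call fails at runtime. Keeping the escaped value in a separate `$cleanFilename` while the raw `$filename` stays available for filesystem work is the right split, but it means every SQL statement later in this method has to switch to `$cleanFilename`; the two INSERTs in the following hunks do, so check the rest of the method for any `'{$filename}'` that was missed.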
@@ -579,7 +580,7 @@ class jaAmazonS3ControllerLocalrepo exte
INSERT INTO `#__jaamazons3_file`SET
bucket_id = ‘{$profile->bucket_id}’,
– path = ‘{$filename}’,
+ path = ‘{$cleanFilename}’,
last_update = ‘{$uploadTimeLog}’,
file_checksum = ‘{$checksum}’,
file_original_checksum = ‘{$checksumOriginal}’,
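Review bot: only `path` is switched to the escaped value here; `{$checksum}`, `{$checksumOriginal}`, `{$uploadTimeLog}` and `{$profile->bucket_id}` are still spliced into the statement raw. Even where those come from trusted sources, escaping every interpolated value (for example `path = " . $db->quote($cleanFilename) . ",`, which escapes and quotes in one call) keeps the statement safe when a later change alters where a value comes from. Also note the missing space between the closing backtick of the table name and SET; MySQL accepts it because the backtick ends the identifier, but it is easy to misread.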
@@ -616,7 +617,7 @@ class jaAmazonS3ControllerLocalrepo exte
INSERT INTO `#__jaamazons3_file`SET
bucket_id = ‘{$profile->bucket_id}’,
– path = ‘{$filename}’,
+ path = ‘{$cleanFilename}’,
last_update = ‘{$uploadTimeLog}’,
file_checksum = ‘{$checksum}’,
file_original_checksum = ”,
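Review bot: this is the second copy of the same INSERT with the same one-line fix; two near-identical statements some forty lines apart are exactly how one copy gets patched and the other forgotten. Consider building the statement once in a small helper that takes the original-checksum value as an argument (here `''` instead of `{$checksumOriginal}`), so the escaping is applied in one place and the two call sites cannot drift.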
diff -rupN controllers/repo.php controllers/repo.php
— controllers/repo.php 2013-09-16 01:29:08.000000000 -0400
+++ controllers/repo.php 2014-03-12 04:31:39.000000000 -0400
@@ -235,7 +235,7 @@ class jaAmazonS3ControllerRepo extends J
*/$sqlClean = “UPDATE `#__jaamazons3_file` SET `file_exists` = 0 WHERE bucket_id = ‘{$bucket->id}’ AND file_checksum <> ””;
if(!empty($folder)) {
– $updatePath = $folder . ‘/’;
+ $updatePath = $db->getEscaped( $folder . ‘/’ );
$sqlClean .= ” AND INSTR(`path`, ‘{$updatePath}’) = 1″;
}
$db->setQuery($sqlClean);
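Review bot: `$db->getEscaped( $folder . '/' )` correctly escapes the prefix before it is spliced into the INSTR() literal, but `{$bucket->id}` in the preceding line is still interpolated raw; if it is an integer, cast it with `(int)` so the intent is explicit and the value cannot carry a quote. The hunk does not show where `$folder` originates; a comment stating whether it is request-supplied or profile-supplied would let the next reader judge why escaping is needed at this point.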
@@ -245,7 +245,7 @@ class jaAmazonS3ControllerRepo extends J
$sqlLog = array();if(is_array($serverFiles) && count($serverFiles)) {
foreach ($serverFiles as $sfile) {
– $filename = $sfile->Key;
+ $filename = $db->getEscaped( $sfile->Key );
$uploadTimeLog = date(‘Y-m-d H:i:s’, strtotime($sfile->LastModified));
$checksum = str_replace(‘”‘, ”, $sfile->ETag);
$sqlLog[] = “INSERT INTO `#__jaamazons3_file` SET bucket_id = ‘{$bucket->id}’, path = ‘{$filename}’, last_update = ‘{$uploadTimeLog}’, file_checksum = ‘{$checksum}’, `file_exists` = 1 ON DUPLICATE KEY UPDATE last_update = ‘{$uploadTimeLog}’, file_checksum = ‘{$checksum}’, `file_exists` = 1;” . “rn”;
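Review bot: `$sfile->Key` is an object key read from the bucket listing (`$serverFiles`), so it is data written by whoever could put objects in the bucket, not a profile setting; escaping it here is warranted. Unlike the localrepo.php change, the escaped form overwrites `$filename` itself; if `$filename` is used later in the loop for anything other than this INSERT (a local path, an S3 call), the backslash-escaped form is the wrong value there, so keep the same raw/clean split used in the other file. `{$checksum}` from the ETag is still interpolated unescaped in the same statement and should be escaped as well. The trailing `"rn"` reads like a `\r\n` that lost its backslashes in the forum rendering; check the actual file.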
[/PHP]
I hope this helps!
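To make the point of the patch concrete, here is an added example; it is my own code, not the plugin's and not from the original poster, written in Python against an in-memory SQLite table that stands in for `#__jaamazons3_file` (column set reduced, names assumed). The interpolated function mirrors the pre-patch pattern of splicing the object key into the SQL text; the bound-parameter functions show the standard fix, which in the PHP plugin corresponds to escaping every interpolated value with `$db->getEscaped()`/`$db->quote()` as the patch does, or using prepared statements. The S3-style object keys are constructed sample data.

```python
import sqlite3

# Simplified stand-in for the plugin's `#__jaamazons3_file` table (constructed for this
# example; only the columns the demonstration needs).
SCHEMA = """
CREATE TABLE jaamazons3_file (
    bucket_id     INTEGER NOT NULL,
    path          TEXT    NOT NULL,
    file_checksum TEXT    NOT NULL DEFAULT '',
    file_exists   INTEGER NOT NULL DEFAULT 1,
    PRIMARY KEY (bucket_id, path)
)
"""


def new_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn


def log_file_interpolated(conn, bucket_id, key, checksum):
    # Mirrors the pre-patch pattern: the object key is spliced into the SQL text,
    # so any quote character in the key is read as SQL grammar, not as data.
    sql = ("INSERT INTO jaamazons3_file (bucket_id, path, file_checksum) "
           f"VALUES ({int(bucket_id)}, '{key}', '{checksum}')")
    conn.execute(sql)
    conn.commit()


def log_file_bound(conn, bucket_id, key, checksum):
    # Hardened form: the key travels as a bound parameter. The driver keeps it out of
    # the SQL text entirely, so it is stored byte-for-byte whatever it contains.
    conn.execute(
        "INSERT INTO jaamazons3_file (bucket_id, path, file_checksum) VALUES (?, ?, ?)",
        (int(bucket_id), key, checksum),
    )
    conn.commit()


def mark_folder_missing(conn, bucket_id, folder):
    # Bound-parameter equivalent of the repo.php prefix UPDATE
    # (... AND INSTR(`path`, '{$updatePath}') = 1). Returns the number of rows affected.
    prefix = folder.rstrip("/") + "/"
    cur = conn.execute(
        "UPDATE jaamazons3_file SET file_exists = 0 "
        "WHERE bucket_id = ? AND instr(path, ?) = 1",
        (int(bucket_id), prefix),
    )
    conn.commit()
    return cur.rowcount


def stored_paths(conn, bucket_id, only_existing=False):
    sql = "SELECT path FROM jaamazons3_file WHERE bucket_id = ?"
    if only_existing:
        sql += " AND file_exists = 1"
    return [row[0] for row in conn.execute(sql + " ORDER BY path", (int(bucket_id),))]


def interpolation_rejects(key):
    # True when splicing `key` into the statement text yields SQL the engine refuses:
    # evidence that the filename, not the code, decides what the query says.
    conn = new_db()
    try:
        log_file_interpolated(conn, 1, key, "0123456789abcdef")
        return False
    except sqlite3.OperationalError:
        return True


def sync_demo():
    # Constructed S3-style object keys, including one with an apostrophe, which is a
    # legal object key and a common real-world filename character.
    keys = ["images/logo.png", "images/banner.jpg", "reports/o'brien.pdf"]
    conn = new_db()
    for key in keys:
        log_file_bound(conn, 1, key, "0123456789abcdef")
    cleared = mark_folder_missing(conn, 1, "images")
    return {
        "apostrophe_breaks_interpolation": interpolation_rejects("reports/o'brien.pdf"),
        "plain_key_survives_interpolation": not interpolation_rejects("images/logo.png"),
        "stored": stored_paths(conn, 1),
        "cleared_by_prefix_update": cleared,
        "still_existing": stored_paths(conn, 1, only_existing=True),
    }


if __name__ == "__main__":
    for name, value in sync_demo().items():
        print(f"{name}: {value}")
```

Running it shows that a key containing a single apostrophe already breaks the interpolated INSERT (the engine rejects the statement, because the key has changed the SQL grammar), while the bound form stores the same key verbatim and the prefix UPDATE still matches exactly the two `images/` rows. The property to carry back to the plugin is that escaping or binding must cover every value spliced into a statement, not just `path`.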
Thanh Nguyen Viet
March 17, 2014 at 9:24 am #526929
@ phookajoe,
As you can see in the code above, $filename is cut from $basePath, and $basePath is obtained from the Sync profile setting, not from user request data, so there is no need to worry about a SQL Injection issue in this case.
Anyway, thank you for your attention to making our product better 🙂
March 25, 2014 at 3:23 pm #528066
> @Dead Code 416634 wrote:
> @ phookajoe,
> As you can see in the code above, $filename is cut from $basePath, and $basePath is obtained from the Sync profile setting, not from user request data, so there is no need to worry about a SQL Injection issue in this case.
> Anyway, thank you for your attention to making our product better :)
I disagree… I fixed this code right here to be sanitized (it was very dangerous before!)
$filename = $sfile->Key;
$filename = $db->getEscaped( $sfile->Key );
I personally performed the attack from a filename upload, and that’s how I found the issue.
Just want to be clear that this is an actual security issue and not something to ignore.
Thanh Nguyen Viet
March 26, 2014 at 2:15 am #528147
Hello,
I have created an issue on our issue tracker system and notified the JA Amazon S3 dev team about it; we will try to duplicate this issue on our end and apply your fix.
You can check the status of this issue at
pm.joomlart.com/browse/JAECCOMAMAZONJIVI-99
Thank you for your contribution.
This topic contains 4 replies, has 2 voices, and was last updated by Thanh Nguyen Viet 10 years, 8 months ago.