intelliants / subrion

Subrion CMS - open source php content management system.
https://subrion.org/
GNU General Public License v3.0

Subrion SQL Injection ia.core.mysqli.php #910

Open diyarsaadi opened 7 months ago

diyarsaadi commented 7 months ago

Subrion 4.2.1 is vulnerable to SQL Injection

Vulnerable Line :

SQL Injection has been found. Change this code to no longer construct SQL queries directly from user-controlled data.

Calling method \iaDb,1::getAll(["var"]) in (216)\iaDb,1::_get(["row","MAX(order)","var","var","1"]) that outputs using tainted argument #1 ($sql).

Infected Line : 242

```php
238 $sql = 'SELECT ' . $stmtFields . ' FROM ' . $this->_table . ' ' . $condition;
239
240 switch ($type) {
241     case 'all':
242         return $this->getAll($sql);
243     case 'keyval':
244         return $this->getKeyValue($sql);
245     case 'assoc':
246         return $this->getAssoc($sql, true);
247     default:
```

Description

This code is vulnerable to SQL injection because the application receives data from the user or a third-party service and inserts it into a database query without sanitizing it first. It's a critical vulnerability.

What is the potential impact? The attacker can manipulate user input fields (such as a search bar or login form) to inject malicious SQL code into the backend database. This can allow them to gain unauthorized access to sensitive information, modify or delete data, and even take control of the entire system.

SQL Injection attacks are unfortunately very common, and this is due to two factors: (1) the significant prevalence of SQL injection vulnerabilities, and (2) the attractiveness of the target (i.e., the database typically contains all the interesting/critical data for your application). It's crucial that you address the vulnerability as soon as possible to prevent any data breaches or unauthorized access.

Steps to Fix

The correct way to avoid SQL injection attacks is to separate the data from SQL, so that data remains just that and can never be interpreted as commands by the SQL parser:

- If the code needs a number, change it to a number explicitly.
- If it's a string, use bind parameters.
- If it's an enum, double-check that the value is strictly from the enum string object.
- Use prepared statements and parameterized queries. These are SQL statements that are sent to and parsed by the database server separately from any parameters. This way it is impossible for an attacker to inject malicious SQL.

Using PDO (for any supported database driver):

```php
$stmt = $pdo->prepare('SELECT * FROM employees WHERE name = :name');
$stmt->execute([ 'name' => $name ]);

foreach ($stmt as $row) {
    // Do something with $row
}
```

Using MySQLi (for MySQL): Since PHP 8.2+ we can make use of mysqli_execute_query() (or mysqli::execute_query()) which prepares, binds parameters, and executes SQL statement in one method:

```php
$result = $dbConnection->execute_query('SELECT * FROM employees WHERE name = ?', [$name]);

while ($row = $result->fetch_assoc()) {
    // Do something with $row
}
```

Up to PHP 8.1:

```php
$stmt = $dbConnection->prepare('SELECT * FROM employees WHERE name = ?');
$stmt->bind_param('s', $name); // 's' specifies the variable type => 'string'
$stmt->execute();

$result = $stmt->get_result();
while ($row = $result->fetch_assoc()) {
    // Do something with $row
}
```

If you're connecting to a database other than MySQL, there is a driver-specific second option that you can refer to (for example, pg_prepare() and pg_execute() for PostgreSQL). PDO is the universal option.

Steps to Reproduce

```
curl -X POST -d "id=1%E2%80%98%20or%201%3D1--" https://site.com/includes/classes/ia.base.controller.admin.php
```
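The "Steps to Fix" above bind values, but the flagged `_get()` query also concatenates `$stmtFields`, `$this->_table` and `$condition`, which are identifiers and SQL fragments that a prepared statement cannot take as parameters. The following is an added example (not Subrion's code) of the pattern a reviewer would ask for: identifiers pass an allowlist, values are always bound. The `SafeSelect` class, its allowlists and the usage comment are assumptions for illustration.

```php
<?php
// Added example, not Subrion's own code: a mysqli helper that splits
// "SELECT <fields> FROM <table> <condition>" into parts that can be bound
// (values) and parts that cannot (identifiers), which go through an allowlist.
// The class name, its allowlists and the usage at the bottom are assumptions.

final class SafeSelect
{
    // Table and column names cannot be bound as parameters, so allowlist them.
    private const TABLES = ['members', 'items'];
    private const FIELDS = ['id', 'username', 'order', 'status'];

    public function __construct(private mysqli $db) {}

    // Runs SELECT `f1`, `f2` FROM `table` WHERE `col` = ? AND ... with every
    // value bound as a parameter and every identifier checked first.
    public function fetchAll(string $table, array $fields, array $where): array
    {
        $this->assertIdentifier($table, self::TABLES);
        foreach ($fields as $f) {
            $this->assertIdentifier($f, self::FIELDS);
        }
        $sql = 'SELECT `' . implode('`, `', $fields) . '` FROM `' . $table . '`';

        $params = [];
        $clauses = [];
        foreach ($where as $col => $value) {
            $this->assertIdentifier($col, self::FIELDS);
            $clauses[] = '`' . $col . '` = ?'; // placeholder, never the raw value
            $params[] = $value;
        }
        if ($clauses !== []) {
            $sql .= ' WHERE ' . implode(' AND ', $clauses);
        }

        // mysqli::execute_query() (PHP 8.2+) prepares, binds and executes at once,
        // so a value such as "1' or 1=1--" reaches the server as data, not as SQL.
        return $this->db->execute_query($sql, $params)->fetch_all(MYSQLI_ASSOC);
    }

    private function assertIdentifier(string $name, array $allowed): void
    {
        if (!in_array($name, $allowed, true)) {
            throw new InvalidArgumentException('Unexpected identifier: ' . $name);
        }
    }
}

// Constructed usage ($mysqli is an existing connection):
// $rows = (new SafeSelect($mysqli))->fetchAll('members', ['id', 'username'], ['id' => $_POST['id'] ?? '']);
```

Any caller that still needs a free-form `$condition` string should be rewritten to pass structured `$where` pairs; a rejected identifier throws rather than being interpolated.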

blockisec commented 3 months ago

Same as #911. You cannot trigger any SQL injection by requesting a PHP file just containing a class using this curl request.