From: Mike Clark <Mike.Clark@Cinven.com> - 2004-12-22 16:40:53
hmm, personally I think this should be high priority to be fixed ;D
Although I am tempted to leave them in so I can get on Secunia mailing
> -----Original Message-----
> From: videodb-devel-admin@...
> [mailto:videodb-devel-admin@...]On Behalf Of Andreas
> Sent: 22 December 2004 16:31
> To: videodb-devel@...
> Subject: [videodb-devel] Fw: Security holes in videodb
> Begin forwarded message:
> Date: Wed, 22 Dec 2004 14:18:51 +0000
> From: Steve Kemp <steve@...>
> To: andi@...
> Subject: Security holes in videodb
> I've been looking over the code to your videodb software,
> which I've been running on my site for a long time now.
> I see that in many cases you don't properly sanitize
> PHP input parameters before using them in SQL queries
> leading to many potential SQL injection attacks.
> For example in show.php you have this massive select
> $SELECT = 'SELECT videodata.id, title, subtitle, language,
> diskid, comme
> disklabel, imdbID,
> year, imgurl,
> r, actors, runtime,
> country, plot, filename,
> filesize, filedate, audio_codec,
> video_codec, video_width,
> istv, lastupdate,
> seen, email, custom1, custom2, custom3, custom4,
> users.name AS owner, mediatypes.name AS mediatype
> FROM videodata
> LEFT JOIN users ON owner_id = users.id
> LEFT JOIN mediatypes ON mediatype = mediatypes.id
> WHERE videodata.id = '.$id;
> $video = runSQL($SELECT);
> $id isn't tested to make sure it's only a number, or sanitized
> in any way. So for example id could be:
> 1; show tables
> UNION DELETE FROM users WHERE id>0;
> Other queries are at risk too.
> Do you have plans for an update to fix these minor bugs? I guess
> the exploitability depends on two things:
> 1. The type of database server being used. e.g., MySQL doesn't
> allow multiple queries to be executed in one pass, but
> Msql does. (So people running this with a Msql server are
> massively more vulnerable to SQL injection).
> 2. The permissions on the database account used.
> Demonstrations are trivial, eg:
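The show.php pattern Steve describes (an unvalidated $id concatenated into the query) next to a hardened version, as an added example that is not videodb's code; it assumes a PDO connection $pdo and reuses the table and column names quoted above, trimmed to a few columns.

```php
<?php
// Added example, not part of videodb. Assumes a PDO connection $pdo.

// Vulnerable: $id is pasted into the SQL text without any check, so a
// request value like the "1; show tables" from the report above becomes
// part of the statement the database parses.
function fetchVideoUnsafe(PDO $pdo, string $id): ?array
{
    $sql = 'SELECT videodata.id, title, subtitle, language, diskid,
                   users.name AS owner, mediatypes.name AS mediatype
            FROM videodata
            LEFT JOIN users ON owner_id = users.id
            LEFT JOIN mediatypes ON mediatype = mediatypes.id
            WHERE videodata.id = ' . $id;   // no validation, no quoting
    $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Hardened: (1) reject anything that is not a positive integer before the
// statement is even built, and (2) hand the value to the database as a
// bound parameter so it is never interpreted as SQL. Either step alone
// closes this hole; doing both also survives a later change to the query.
function fetchVideoSafe(PDO $pdo, $id): ?array
{
    // FILTER_VALIDATE_INT fails on "1; show tables", "1 UNION ...", "", "1.5".
    $id = filter_var($id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('id must be a positive integer');
    }
    $stmt = $pdo->prepare(
        'SELECT videodata.id, title, subtitle, language, diskid,
                users.name AS owner, mediatypes.name AS mediatype
         FROM videodata
         LEFT JOIN users ON owner_id = users.id
         LEFT JOIN mediatypes ON mediatype = mediatypes.id
         WHERE videodata.id = :id'
    );
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Usage (constructed): $_GET['id'] is untrusted, exactly like show.php's $id.
// $video = fetchVideoSafe($pdo, $_GET['id'] ?? '');
```

Steve's second exploitability factor still applies to the hardened version: the account videodb connects with should have only the SELECT/INSERT/UPDATE rights it needs, so that any remaining injection elsewhere cannot DROP or DELETE. With PDO, set PDO::ATTR_EMULATE_PREPARES to false so the placeholder is sent to the server as a real prepared statement rather than being quoted client-side.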