Popular Vulnerable Code

Notes

The best way to waste your life,…is by taking notes. The easiest way to avoid living is to just watch. Look for the details. Report. Don’t participate.
Chuck Palahniuk

<?php
...snip...
// tags
$tags = explode(',', $_POST['tags']);
$wpdb->query("DELETE FROM {$wpdb->prefix}sb_sermons_tags WHERE sermon_id = $id;");
foreach ($tags as $tag) {
    $clean_tag = trim(mysql_real_escape_string($tag));
    $existing_id = $wpdb->get_var("SELECT id FROM {$wpdb->prefix}sb_tags WHERE name='$clean_tag'");
    if (is_null($existing_id)) {
        $wpdb->query("INSERT INTO {$wpdb->prefix}sb_tags VALUES (null, '$clean_tag')");
        $existing_id = $wpdb->insert_id;
    }
    $wpdb->query("INSERT INTO {$wpdb->prefix}sb_sermons_tags VALUES (null, $id, $existing_id)");
}
sb_delete_unused_tags();
// everything is fine, get out of here!
if (!isset($error)) {
    sb_ping_gallery();
    echo "<script>document.location = '".$_SERVER['PHP_SELF']."?page=sermon-browser/sermon.php&saved=true';</script>";
    die();
}
}   // closes a block opened before the snip

$id3_tags = array();
if (isset($_GET['getid3'])) {
    require_once('getid3/getid3.php');
    $file_data = $wpdb->get_row("SELECT name, type FROM {$wpdb->prefix}sb_stuff WHERE id = ".$_GET['getid3']);
    if ($file_data !== NULL) {
        $getID3 = new getID3;
        if ($file_data->type == 'url') {
            // keep only the part of the stored name after the last '/'
            $filename = substr($file_data->name, strrpos($file_data->name, '/') + 1);
            $sermonUploadDir = SB_ABSPATH.sb_get_option('upload_dir');
            // subject is a run of spaces (collapsed by extraction, restored here); the deprecated
            // /e modifier evaluates the replacement once per space, giving a random a-z name
            $tempfilename = $sermonUploadDir.preg_replace('/([ ])/e', 'chr(rand(97,122))', '      ').'.mp3';
            if ($tempfile = @fopen($tempfilename, 'wb'))
            if ($remote_file = @fopen($file_data->name, 'r')) {
                // copy at most ~64 KiB of the remote file into the temp file
                $remote_contents = '';
                while (!feof($remote_file)) {
                    $remote_contents .= fread($remote_file, 8192);
                    if (strlen($remote_contents) > 65536) break;
                }
                fwrite($tempfile, $remote_contents);
                fclose($remote_file);
                fclose($tempfile);
                $id3_raw_tags = $getID3->analyze(realpath($tempfilename));
                unlink($tempfilename);
            }
        } else {
            $filename = $file_data->name;
            $id3_raw_tags = $getID3->analyze(realpath(SB_ABSPATH.sb_get_option('upload_dir').$filename));
        }
        if (!isset($id3_raw_tags['tags'])) {
            echo '<div id="message" class="updated fade"><p><b>'.__('No ID3 tags found.', $sermon_domain);
            if ($file_data->type == 'url') echo ' Remote files must have id3v2 tags.';
            echo '</b></div>';
        }
...snip...
?>
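For comparison, here is a hardened rewrite of the post-save redirect and the getid3 branch. It is an added example, not the plugin's own code, and it assumes the globals the snippet above uses ($wpdb, SB_ABSPATH, sb_get_option(), sb_ping_gallery(), getID3) plus standard WordPress core functions; the four comments mark the defect each change addresses.

```php
<?php
// Added hardened version of the sections above (example code, not the plugin's).
// Assumes $wpdb, SB_ABSPATH, sb_get_option(), sb_ping_gallery(), getID3 and WP core.

// (1) Redirect with wp_safe_redirect() instead of echoing $_SERVER['PHP_SELF']
//     into an inline <script>; no request-controlled text reaches the page.
if (!isset($error)) {
    sb_ping_gallery();
    wp_safe_redirect(admin_url('admin.php?page=sermon-browser/sermon.php&saved=true'));
    exit;
}

$id3_raw_tags = array();
if (isset($_GET['getid3'])) {
    require_once('getid3/getid3.php');

    // (2) Bind the id as an integer with %d via $wpdb->prepare(); the SQL text
    //     never contains characters taken from the request.
    $file_data = $wpdb->get_row($wpdb->prepare(
        "SELECT name, type FROM {$wpdb->prefix}sb_stuff WHERE id = %d",
        (int) $_GET['getid3']
    ));

    if ($file_data !== null) {
        $getID3    = new getID3;
        $uploadDir = realpath(SB_ABSPATH . sb_get_option('upload_dir'));

        if ($file_data->type == 'url') {
            // (3) Fetch only http(s) URLs that pass WordPress's own validation
            //     (rejects local/private targets), cap the body, and keep the
            //     temp file outside the web root rather than in the upload dir.
            if (wp_http_validate_url($file_data->name)) {
                $resp = wp_remote_get($file_data->name,
                    array('timeout' => 10, 'limit_response_size' => 65536));
                if (!is_wp_error($resp)) {
                    $tmp = tempnam(sys_get_temp_dir(), 'sb');
                    file_put_contents($tmp, wp_remote_retrieve_body($resp));
                    $id3_raw_tags = $getID3->analyze($tmp);
                    unlink($tmp);
                }
            }
        } else {
            // (4) Strip path separators, then check that the canonical path is
            //     still inside the upload directory (covers "aaa/..\..\" on Windows).
            $path = realpath($uploadDir . DIRECTORY_SEPARATOR . sanitize_file_name($file_data->name));
            if ($path !== false && strpos($path, $uploadDir . DIRECTORY_SEPARATOR) === 0) {
                $id3_raw_tags = $getID3->analyze($path);
            }
        }
    }
}
```

The containment check in (4) is the part worth keeping even if the rest is adapted: realpath() on both sides means symlinks and `..` sequences are resolved before the prefix comparison, so the check cannot be bypassed by encoding tricks in the stored name.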

2 comments to Notes

  • Abraham Kang

    1. XSS on line 19.
    2. SQL Injection on line 27.
    3. Parameter Tampering on line 27.
    4. Malware or Rootkit distribution lines 27-44.

    I am not a PHP jockey (more of a Java guy)

    But to exploit 4 I would use SQL Injection to insert a row
    into sb_stuff where:

    name=http://www.attacker.com/badstuff/malware.mp3
    type=url

    where id = all ids outstanding.

    Then when a visitor tried to download an uploaded malware mp3 and
    listen to it they would get infected by malware sourced in from a 3rd party web site.

    Also filename can have path traversal characters (if running PHP on a windows box) because the code looks only for the last “/” on line 31.

    An attacker could use the SQL Injection to set name to:

    aaa/..\..\..\system.ini

    I am curious if there are any other problems with the code that was snipped in how it uses $filename and $file_data->name;

    Regards,
    Abe
