SEC-CONSULT Security Advisory 20050602-2
=============================================================================
              title: Exhibit Engine Blind SQL Injection
            program: Exhibit Engine
 vulnerable version: 1.22, 1.54 RC4
           homepage: http://photography-on-the.net/ee/
                     http://photography-on-the.net/ee/beta/
              found: 2005-06-01
                 by: sk0L / SEC-CONSULT / www.sec-consult.com
=============================================================================

vendor description:
---------------
the Exhibit engine is a PHP/MySQL application for smooth and versatile
online photograph display. it's especially designed to give detailed
technical info on each photo, with text descriptions and gear info, but
all that technical data is not required.

vulnerability overview:
---------------
SQL injection is possible on various POST parameters in the script
list.php. although there is no way to get any output from UNION
statements, there is at least one possibility to read arbitrary database
entries via blind SQL injection.

proof of concept:
---------------
here's the relevant code section from list.php:

---- code -----
$resultcount = mysql_query( "
    SELECT ee_photo.ee_photo_id
    FROM [...]
    WHERE ee_photo.ee_photo_for_www = 'yes'
    AND $search_row LIKE '$wildcard1$keyword$wildcard2'
    AND ...
" );
if (!$resultcount) {
    $queryname = "resultcount";
    include("db_error.php");
}
$total = mysql_num_rows($resultcount);
$how_many = count($count_total);
if ($offset>$how_many) {$offset = $how_many; }

$fetchlist = mysql_query( "
    SELECT $q0,$q1,...,$q43
    FROM ee_photo, [...] ee_order_to_exhibition
    WHERE ee_photo.ee_photo_for_www = 'yes'
    [...]
    AND ee_exhibition.ee_exhibition_pass = '$pass'
    ORDER by $sort_row $order
    LIMIT $offset,$perpage
" );
---- /code ----

we can inject SQL into the variables $search_row, $sort_row, $order and
$perpage without the need to escape any quotes.
unfortunately, UNIONs can be put into $search_row only, and as $search_row
is used in both queries with a different number of columns, this will
inevitably produce an error. we can use blind sql injection, though:

* set $offset=1
* put injection string into $search_row, e.g.:
  search_row=ee_photo.ee_photo_exif_iso%3D1+AND+1%3D2+UNION+SELECT+user+FROM+mysql.user+WHERE+user+LIKE+0x254125+/*+
* if we get 1 (TRUE), offset will be set to 1, FALSE will set it to 0.
* now we still have to produce an error in the second query by specifying
  some insane $order or $sort_row. the last part of the SQL error message
  will be echoed by Exhibit, so we get the value of $offset.

it should be relatively easy to code an exploit for this (sorry but i
don't have the time atm).

vulnerable versions:
---------------
Exhibit Engine v1.22 is definitely vulnerable. 1.54 RC4 seems to be
vulnerable too, although exploitation may differ slightly. it is very
likely that the vulnerability exists in most other versions of Exhibit
Engine.

vendor status:
---------------
vendor notified:  2005-06-01
vendor response:  immediately
workaround found: 2005-06-02

Pekka Saarinen has published a workaround for all current versions of
Exhibit Engine. It is available at:
http://photography-on-the.net/forum/showthread.php?p=579692

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Bernhard Mueller / www.sec-consult.com / SGT
::: dfa, tke, bfi, mei, flo, walter|bruder :::
-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-
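A hardened form of the two list.php queries quoted in the proof of concept, written here as an added example; it is not Exhibit Engine's own code and not the vendor's published workaround. It assumes a modern PHP with mysqli prepared statements. The table and column names that appear in the advisory are kept; the remaining allow-listed column, the join column between ee_photo and ee_exhibition, and the connection details are placeholders. It closes both halves of the issue described above: the identifier and LIMIT parameters ($search_row, $sort_row, $order, $perpage, $offset) are reduced to allow-listed values, and the database error text that the advisory reads $offset back through is no longer echoed to the client.

```php
<?php
// Added example (not Exhibit Engine's own code): a hardened rewrite of the two
// list.php queries quoted in the advisory. Names that appear in the advisory
// are kept; every other name, the join condition, the allow-list contents and
// the connection details are assumptions.

// Replaces the advisory's db_error.php include: the driver message goes to the
// server log only. Echoing it to the browser is what turns the injection into
// an oracle for the value of $offset.
function fail_quietly($driver_error) {
    error_log('list.php query failed: ' . $driver_error);
    http_response_code(500);
    exit('An error occurred.');
}

// Column names are SQL identifiers and cannot be bound as values, so they are
// reduced to an allow-list by exact comparison (no prefix or case matching).
$allowed_columns = array(
    'ee_photo.ee_photo_id',        // appears in the advisory
    'ee_photo.ee_photo_exif_iso',  // appears in the advisory
    'ee_photo.ee_photo_title',     // assumed column
);

function pick_column($candidate, array $allowed, $default) {
    return in_array($candidate, $allowed, true) ? $candidate : $default;
}

function pick_order($candidate) {
    // Only the two literal tokens the ORDER BY clause needs.
    return (strtoupper((string)$candidate) === 'DESC') ? 'DESC' : 'ASC';
}

function pick_int($candidate, $default, $min, $max) {
    // Plain decimal digits only, then a range check, so LIMIT never sees an
    // expression, a comment marker or a trailing statement.
    if (!is_scalar($candidate) || !preg_match('/^\d{1,7}$/', (string)$candidate)) {
        return $default;
    }
    $n = (int)$candidate;
    return ($n < $min || $n > $max) ? $default : $n;
}

// Untrusted POST parameters, each reduced to a safe value before use.
$search_row = pick_column($_POST['search_row'] ?? '', $allowed_columns, 'ee_photo.ee_photo_title');
$sort_row   = pick_column($_POST['sort_row'] ?? '', $allowed_columns, 'ee_photo.ee_photo_id');
$order      = pick_order($_POST['order'] ?? 'ASC');
$perpage    = pick_int($_POST['perpage'] ?? 20, 20, 1, 200);
$offset     = pick_int($_POST['offset'] ?? 0, 0, 0, 1000000);
$keyword    = (string)($_POST['keyword'] ?? '');
$pass       = (string)($_POST['pass'] ?? '');

// Placeholder connection details (assumed).
$mysqli = new mysqli('localhost', 'ee_user', 'ee_password', 'ee_db');
if ($mysqli->connect_errno) {
    fail_quietly('connection failed: ' . $mysqli->connect_error);
}

// The search term is bound as a value; LIKE metacharacters inside it are
// escaped so a user-supplied '%' or '_' cannot widen the match.
$pattern = '%' . addcslashes($keyword, '%_\\') . '%';

// First query: the row count that the original code clamps $offset against.
$count_sql = "SELECT COUNT(*) FROM ee_photo"
           . " WHERE ee_photo.ee_photo_for_www = 'yes' AND $search_row LIKE ?";
$stmt = $mysqli->prepare($count_sql);
if ($stmt === false) { fail_quietly($mysqli->error); }
$stmt->bind_param('s', $pattern);
if (!$stmt->execute()) { fail_quietly($stmt->error); }
$stmt->bind_result($total);
$stmt->fetch();
$stmt->close();
if ($offset > $total) { $offset = $total; }

// Second query. The join between ee_photo and ee_exhibition is elided in the
// advisory; the ee_exhibition_id column used here is assumed.
$list_sql = "SELECT ee_photo.ee_photo_id FROM ee_photo, ee_exhibition"
          . " WHERE ee_photo.ee_photo_for_www = 'yes'"
          . " AND ee_photo.ee_exhibition_id = ee_exhibition.ee_exhibition_id"
          . " AND $search_row LIKE ?"
          . " AND ee_exhibition.ee_exhibition_pass = ?"
          . " ORDER BY $sort_row $order LIMIT ?, ?";
$stmt = $mysqli->prepare($list_sql);
if ($stmt === false) { fail_quietly($mysqli->error); }
$stmt->bind_param('ssii', $pattern, $pass, $offset, $perpage);
if (!$stmt->execute()) { fail_quietly($stmt->error); }
$result = $stmt->get_result();
while ($row = $result->fetch_assoc()) {
    echo htmlspecialchars((string)$row['ee_photo_id'], ENT_QUOTES, 'UTF-8'), "\n";
}
$stmt->close();
```

Two design points matter here. Identifiers and the ASC/DESC token cannot be passed as bound parameters, so the only sound defence for $search_row, $sort_row and $order is an allow-list of exact strings; escaping them would not help, which is also why the original code's lack of quotes around those variables made them injectable with no quote-escaping at all. The LIMIT bounds and the keyword and pass values are bound, and the keyword additionally has its LIKE metacharacters escaped. Finally, the error path logs the driver message server-side and returns a fixed response, because the advisory's blind technique depends entirely on the tail of the SQL error being echoed back.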