#1 - 07-26-2007, 02:49 PM
hakon (Administrator; Join Date: Jan 2006; Posts: 1,682)

indexscript sql injection hole fix

Following from this thread: http://www.indexscript.com/forum/showthread.php?t=2260 - I'm posting a consolidated fix in this thread for the SQL injection security hole exploited today:

If you are using v2.8 and have not modified your utils.php file found in the include folder:
1. you can simply download the utils.php attached in this post for v2.8 and replace your existing one with it

If you are using v2.7 and have not modified your utils.php file found in the include folder:
1. you can simply download the utils.php attached in this post for v2.7 and replace your existing one with it

If you want to perform a manual replace:
1. open up your utils.php in the include folder
2. look for:
Code:
function fnpreparesql($field) {
  if(!get_magic_quotes_gpc()) {
    return mysql_real_escape_string($field);
  }
  else {
    return $field;
  }
}
and replace with:
Code:
function fnpreparesql($field) {
  if(get_magic_quotes_gpc()) {
    $temp = stripslashes($field);
  }
  else {
    $temp = $field;
  }

  if(stristr($temp, "dir_login")) {
    $temp = "";
  }

  return mysql_real_escape_string($temp);
}
look for all instances of:
Code:
= " . $cat_id
and replace with:
Code:
= " . fnpreparesql($cat_id)
look for all instances of:
Code:
= " . $start_id
and replace with:
Code:
= " . fnpreparesql($start_id)
look for all instances of:
Code:
= " . $row['parent_id']
and replace with:
Code:
= " . fnpreparesql($row['parent_id'])
look for all instances of:
Code:
= " . $row['cat_id']
and replace with:
Code:
= " . fnpreparesql($row['cat_id'])
Attached Files
File Type: zip utils-v2.8.zip (2.6 KB, 42 views)
File Type: zip utils-v2.7.zip (2.2 KB, 14 views)

Last edited by hakon : 07-26-2007 at 05:38 PM. Reason: consolidate fix into a single thread
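The manual patch above wraps id values in fnpreparesql(), which escapes quote characters; the payload quoted later in this thread contains none, so escaping leaves it untouched and it is the dir_login string check in the patch that catches that particular input. As an added example that is not part of hakon's post or of IndexScript, the PHP below shows that gap and two defensive alternatives for a numeric id (integer validation and a bound parameter); it assumes the pdo_sqlite extension is installed and uses addslashes() as a stand-in for mysql_real_escape_string().

```php
<?php
// Added example (not IndexScript's own code): why escaping alone does not
// protect an unquoted numeric column such as cat_id, and two alternatives.
// Assumption: the pdo_sqlite extension is available; an in-memory SQLite
// database stands in for the MySQL connection the real script uses.

// Stand-in for mysql_real_escape_string() so this runs without MySQL.
function escape_like_mysql(string $value): string {
    return addslashes($value);
}

// Defensive alternative: cat_id is numeric, so accept only an integer literal.
// filter_var() rejects "-1 UNION ..." outright, where intval() would keep -1.
function fnprepareid($value): int {
    $id = filter_var($value, FILTER_VALIDATE_INT);
    return $id === false ? 0 : $id;   // 0 matches no category row
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE dir_cat (cat_id INTEGER, name TEXT)');
$pdo->exec("INSERT INTO dir_cat VALUES (1, 'Computers')");

// Constructed input in the shape of the payload quoted later in this thread:
// it contains no quote characters, so escaping has nothing to act on.
$input = '-1 UNION ALL SELECT 1, 2';
echo "escaping changed the input: ",
     var_export(escape_like_mysql($input) !== $input, true), "\n";

// 1. Integer validation: the whole string is rejected and the query is built
//    from a plain int, so the SQL can only ever compare against a number.
$sql = 'SELECT name FROM dir_cat WHERE cat_id = ' . fnprepareid($input);
echo $sql, "\n";
echo "rows: ", count($pdo->query($sql)->fetchAll()), "\n";

// 2. Prepared statement: the input is bound as a single value and is never
//    parsed as SQL, whatever it contains.
$stmt = $pdo->prepare('SELECT name FROM dir_cat WHERE cat_id = :id');
$stmt->execute([':id' => $input]);
echo "rows with payload bound: ", count($stmt->fetchAll()), "\n";
$stmt->execute([':id' => 1]);
echo "rows with id 1 bound: ", count($stmt->fetchAll()), "\n";
```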
#2 - 07-26-2007, 06:01 PM
rankappeal (Junior Member; Join Date: Apr 2007; Posts: 20)

Hi hakon, unfortunately this fix did not work for me, as it made my sub categories unviewable... invalid fetch array argument in SQL...
Any suggestions?
#3 - 07-26-2007, 07:14 PM
gkd_uk (Moderator; Join Date: Mar 2007; Posts: 274)

Thanks Hakon. I have not been hacked but have replaced the util file with the new one, and all seems fine.

Is there any way you can check if my directory is OK now?

The directory is The Web Directory

Thanks
#4 - 07-26-2007, 07:20 PM
kiviniar (Moderator; Join Date: Oct 2006; Posts: 271)

It's working for me.

Rankappeal, I think that you have an older version of the script running, as I have the same problem in one of my IndexScript dirs.

Upgrading it right away.
#5 - 07-26-2007, 07:43 PM
perform (Junior Member; Join Date: Jan 2007; Posts: 10)

I found some info while searching about this exploit:

Quote:
Site: http://indexscript.com
Found By: xssvgamer

Google Dork: allintext: "This site is powered by IndexScript"

exploit:

http://www.example.com/show_cat.php?cat_id=-1 UNION ALL SELECT login,password FROM dir_login /*

Blind SQL injection in indexscript..

Vul Code:
"$sql = "select name, meta_title, meta_description, meta_keywords from dir_cat where " .
"cat_id=" . fnpreparesql($_GET['cat_id']);"

# milw0rm.com [2007-07-25]

It was found on this page
Quote:
ht*tp:/*/ww*w.mi*lw0r*m.co*m/ex*ploi*ts/4*22*5
^^ Of course, remove all * from the URL

I hope it could be of some help. I was trying to find "This site is powered by IndexScript" in google and got this.
#6 - 07-26-2007, 07:58 PM
Raven (Moderator; Join Date: Jan 2007; Location: Oregon, USA; Posts: 155)

Mine was hacked too....over 2000 urls gone, and 100+ categories..gone.

--<Hacked by y0n4s >--

Is what it says in the title header

And I couldn't log in.

Thanks for this fix Hakon
#7 - 07-26-2007, 08:22 PM
rankappeal (Junior Member; Join Date: Apr 2007; Posts: 20)

kiviniar,

I am using v2.8 and I just got hacked again... Good job I backed up... The sod made a right mess... lol... I have changed databases and all passwords now.
#8 - 07-26-2007, 10:36 PM
colbyt (Senior Member; Join Date: Sep 2006; Posts: 189)

Quote:
Originally Posted by Raven
Mine was hacked too....over 2000 urls gone, and 100+ categories..gone.

--<Hacked by y0n4s >--

Is what it says in the title header

And I couldn't log in.

Thanks for this fix Hakon
Unless the hacker spent a lot of time manually deleting stuff, most likely the data is still there. Don't panic yet.

Try reinstalling the cats table only from backup and see if the data is still there.

Make a backup of the corrupt DB before you start, just in case.

Of course they could have done anything the admin could do from the admin panel. Just depends on how much time they wanted to spend doing it.