IndexScript Forum  

  #1  
Old 07-26-2007, 02:49 PM
hakon
Administrator
 
Join Date: Jan 2006
Posts: 1,683
IndexScript SQL injection hole fix

Following on from this thread: http://www.indexscript.com/forum/showthread.php?t=2260 - I'm posting a consolidated fix in this thread for the SQL injection security hole exploited today:


if you are using v2.8 and have not modified your utils.php file found in the include folder:
1. you can simply download the utils.php attached in this post for v2.8 and replace your existing one with it


if you are using v2.7 and have not modified your utils.php file found in the include folder:
1. you can simply download the utils.php attached in this post for v2.7 and replace your existing one with it


if you want to perform a manual replace:
1. open up your utils.php in the include folder
2. look for:
Code:
function fnpreparesql($field) {
  if(!get_magic_quotes_gpc()) {
    return mysql_real_escape_string($field);
  }
  else {
    return $field;
  }
}
and replace with:
Code:
function fnpreparesql($field) {
  if(get_magic_quotes_gpc()) {
    $temp = stripslashes($field);
  }
  else {
    $temp = $field;
  }

  if(stristr($temp, "dir_login")) {
    $temp = "";
  }

  return mysql_real_escape_string($temp);
}
look for all instances of:
Code:
= " . $cat_id
and replace with:
Code:
= " . fnpreparesql($cat_id)
look for all instances of:
Code:
= " . $start_id
and replace with:
Code:
= " . fnpreparesql($start_id)
look for all instances of:
Code:
= " . $row['parent_id']
and replace with:
Code:
= " . fnpreparesql($row['parent_id'])
look for all instances of:
Code:
= " . $row['cat_id']
and replace with:
Code:
= " . fnpreparesql($row['cat_id'])
Attached Files
File Type: zip utils-v2.8.zip (2.6 KB, 42 views)
File Type: zip utils-v2.7.zip (2.2 KB, 14 views)

Last edited by hakon : 07-26-2007 at 05:38 PM. Reason: consolidate fix into a single thread
  #2  
Old 07-26-2007, 06:01 PM
rankappeal
Junior Member
 
Join Date: Apr 2007
Posts: 20

Hi hakon, unfortunately this fix did not work for me, as it made my sub-categories unviewable.... "invalid fetch array argument" in SQL...
Any suggestions?
  #3  
Old 07-26-2007, 07:14 PM
gkd_uk
Moderator
 
Join Date: Mar 2007
Posts: 274

Thanks Hakon. I have not been hacked but have replaced the utils file with the new one, and all seems fine.

Is there any way you can check if my directory is OK now?

The directory is The Web Directory

Thanks
  #4  
Old 07-26-2007, 07:20 PM
kiviniar
Moderator
 
Join Date: Oct 2006
Posts: 271

It's working for me.

Rankappeal, I think that you have an older version of the script running, as I have the same problem in one of my IndexScript dirs.

Upgrading it right away.
  #5  
Old 07-26-2007, 07:43 PM
perform
Junior Member
 
Join Date: Jan 2007
Posts: 10

I found some info while searching about this exploit


Quote:
Site: http://indexscript.com
Found By: xssvgamer

Google Dork: allintext: "This site is powered by IndexScript"

exploit:

http://www.example.com/show_cat.php?cat_id=-1 UNION ALL SELECT login,password FROM dir_login /*

Blind SQL injection in indexscript..

Vul Code:
$sql = "select name, meta_title, meta_description, meta_keywords from dir_cat where " .
       "cat_id=" . fnpreparesql($_GET['cat_id']);

# milw0rm.com [2007-07-25]

It was found on this page
Quote:
ht*tp:/*/ww*w.mi*lw0r*m.co*m/ex*ploi*ts/4*22*5
^^ Of course remove all * from the URL

I hope it could be of some help. I was trying to find "This site is powered by IndexScript" in google and got this.
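An added example that is not part of hakon's post or of the IndexScript code: it puts the milw0rm payload quoted above through the original and the patched fnpreparesql from post #1, and then through an integer-validating replacement. The point it shows is why escaping alone did not stop this injection: cat_id is concatenated into the query without surrounding quotes, and the payload contains no quote, backslash or NUL characters, so mysql_real_escape_string() returns it unchanged; only the stristr("dir_login") blacklist in the patched version blocks it, and only for payloads that name that table. The script runs on PHP 7.1 or later with no database: addslashes() stands in for mysql_real_escape_string() (identical behaviour on these inputs), magic_quotes is assumed off, and fnprepareint(), build_query() and the PDO-based fetch_cat() are names invented for this example, not functions from the script.

```php
<?php
// Added example, not part of the IndexScript package or of hakon's post.
// Payload from the milw0rm advisory quoted in post #5. cat_id is an integer column,
// so the value is concatenated into the SQL with no surrounding quotes.
$payload = "-1 UNION ALL SELECT login,password FROM dir_login /*";

// Stand-in for mysql_real_escape_string(), which needs a live connection. For these
// inputs both functions are a no-op: there is no ', ", \ or NUL byte to escape.
function escape_like_mysql(string $s): string {
    return addslashes($s);
}

// Original v2.8 helper, with magic_quotes assumed off (the usual PHP 5 setting).
function fnpreparesql_original(string $field): string {
    return escape_like_mysql($field);
}

// hakon's patched helper from post #1: blank the value if it mentions dir_login.
function fnpreparesql_patched(string $field): string {
    $temp = $field;                       // magic_quotes off, so nothing to strip
    if (stristr($temp, "dir_login")) {
        $temp = "";
    }
    return escape_like_mysql($temp);
}

// Suggested replacement for integer parameters such as cat_id (an assumption of this
// example, not the thread's fix): accept only an optionally signed decimal integer.
function fnprepareint(string $field): int {
    $v = filter_var($field, FILTER_VALIDATE_INT);
    if ($v === false) {
        // The script shows no error-handling convention; a 400 response or a
        // redirect to the category root would be reasonable here.
        throw new InvalidArgumentException("cat_id must be an integer");
    }
    return $v;
}

// Same query shape as the vulnerable line in the advisory.
function build_query(string $cat_id_sql): string {
    return "select name, meta_title, meta_description, meta_keywords from dir_cat where " .
           "cat_id=" . $cat_id_sql;
}

// 1. Original: the escaper changes nothing, the UNION survives intact.
echo "original : ", build_query(fnpreparesql_original($payload)), "\n";

// 2. Patched: the dir_login blacklist blanks this payload (the resulting SQL is a syntax
//    error), but a payload that reads another table passes through escaping unchanged.
echo "patched  : ", build_query(fnpreparesql_patched($payload)), "\n";
echo "patched, other table: ",
     build_query(fnpreparesql_patched("-1 UNION ALL SELECT 1,2 FROM dir_cat /*")), "\n";

// 3. Integer validation: a real id is accepted, anything else is rejected before
//    it can reach the query text.
foreach (["17", $payload] as $input) {
    try {
        echo "int-validated: ", build_query((string) fnprepareint($input)), "\n";
    } catch (InvalidArgumentException $e) {
        echo "int-validated: rejected (", $e->getMessage(), ")\n";
    }
}

// 4. With a prepared statement the value never becomes part of the SQL text at all.
//    Defined but not called here, since this example has no database; $pdo is assumed
//    to be a connected PDO instance.
function fetch_cat(PDO $pdo, int $cat_id): ?array {
    $stmt = $pdo->prepare(
        "select name, meta_title, meta_description, meta_keywords from dir_cat where cat_id = :cat_id"
    );
    $stmt->execute([':cat_id' => $cat_id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}
```

Run it with `php example.php`. Steps 1 to 3 print the query each version would send; step 4 is the shape a long-term fix takes, and it is the only variant where the value's content cannot change the statement's structure.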
  #6  
Old 07-26-2007, 07:58 PM
Raven
Moderator
 
Join Date: Jan 2007
Location: Oregon, USA
Posts: 155

Mine was hacked too.... over 2000 URLs gone, and 100+ categories... gone.

--<Hacked by y0n4s >--

is what it says in the title header.

And I couldn't log in.

Thanks for this fix Hakon
  #7  
Old 07-26-2007, 08:22 PM
rankappeal
Junior Member
 
Join Date: Apr 2007
Posts: 20

kiviniar ,

I am using v2.8 and I just got hacked again.... Good job I backed up.. The sod made a right mess... lol... I have changed databases and all passwords now.
  #8  
Old 07-26-2007, 08:26 PM
gkd_uk
Moderator
 
Join Date: Mar 2007
Posts: 274

Quote:
Originally Posted by rankappeal View Post
kiviniar ,

I am using v2.8 and I just got hacked again.... Good job I backed up.. The sod made a right mess... lol... I have changed databases and all passwords now.
Hi

Have you applied the fix?
  #9  
Old 07-26-2007, 08:39 PM
xfairguy
Junior Member
 
Join Date: Jun 2007
Posts: 13

Just to confirm that the fix works: I just had two morons trying to hack my dir.
But the question is, is this the only security issue?
I was hacked some time ago and I am not sure if the hacker used this issue with SQL injection in query strings, because I now see in my stats tracker how they try to insert SQL, but back then I did not see that stuff.
  #10  
Old 07-26-2007, 08:40 PM
rankappeal
Junior Member
 
Join Date: Apr 2007
Posts: 20

Okay, I have managed to apply the fix. Thanks Hakon, everything seems OK now.... hopefully it will keep the blighter out...
Powered by vBulletin® Version 3.6.9
Copyright ©2000 - 2010, Jelsoft Enterprises Ltd.