phpBB Academy at StarTrekGuide

[Highway of Life]

Please note that there may be more than one vulnerability within this code.
Post your results in the

Code: Select all

[spoiler]your answers[/spoiler]

spoiler BBCodes.
You may post additional information such as what you believe this coder could have done to secure his code.

Once there has been a fair number of results, I will break the code down as well as the correct answers and will provide a security lesson based on the vulnerabilities within this cdoe.

Code: Select all

<?php
if (!$categoria = $_POST['categoria'])
{
    mensaje("campo_txt", "Agregar Categoria", "../agregar_categoria.php", "", "", "");
}

$sql_gemelo = " SELECT * FROM  tbl_categorias WHERE col_titulo = '" . $_POST['categoria'] . "' ";
$rs = mysql_query($sql_gemelo);
$num = mysql_num_rows($rs);

if ($num !== 0)
{
    mensaje("gemelo", "Agregar Categor&iacute;a", "../agregar_categoria.php", "la categor&iacute;a", "", "");
}

chdir("../..");
$dir_categoria = $categoria;
$base = "img/espanol/producto/$dir_categoria";

if (!@mkdir("$base"))
{
    die("NueCat.-.ERROR MKDIR $categoria");
}

$consulta = "INSERT INTO tbl_categorias VALUES('','" . $categoria . "')";

if (!@mysql_query($consulta))
{
    die("NueCat.-.ERROR MYSQL " . mysql_error());
}

$url = "location:../agregar_subcategoria.php?NOMBRE_CATEGORIA=$categoria&RUTA=$base";
header($url);
?>

[Obsidian]

Spoiler:

I see a possibility for an SQL inject VIA $_POST superglobal array.

Code: Select all

$sql_gemelo = " SELECT * FROM  tbl_categorias WHERE col_titulo = '" . $_POST['categoria'] . "' "; 

Not even the built-in MySQL inject protection is used. O_o

[Highway of Life]

That?s one. But there is more than one vulnerability in that code.

[Obsidian]

This is on a related note...what the heck is mensaje() for?

[Highway of Life]

It?s coded in Spanish.

[Obsidian]

Hmm...then...

Spoiler:

I'd say the mkdir and chdir lines are possibles for having vulnerabilities. Dunno why though..

[chaoskreator Jason]

"Mensaje" means "message", I believe...

Spoiler:

The author of the code failed to use any kind of cleansing before inserting into the database. Twice.

And isn't there an issue with the the chdir()?

[ Post made via Mobile Device ]

[topdown]

Spoiler:

Couldn't I essentially use this from any location

Code: Select all

$url = "location:../agregar_subcategoria.php?NOMBRE_CATEGORIA=$categoria&RUTA=$base"; 

Which I believe is header injection through the vars
and dump any file into a directory of my desire (basically) img/espanol/producto/whatever_I_want/

Code: Select all

    $dir_categoria = $categoria;
    $base = "img/espanol/producto/$dir_categoria"; 

and run it against there server, SQL to their database, what ever I want.

Another SQL injection here

Code: Select all

$consulta = "INSERT INTO tbl_categorias VALUES('','" . $categoria . "')"; 

which is using $_POST['categoria']
Something could probably be made usable out of the empty value in that query also.

[Obsidian]

Spoiler:

Couldn't I essentially use this from any location

Code: Select all

$url = "location:../agregar_subcategoria.php?NOMBRE_CATEGORIA=$categoria&RUTA=$base"; 

Which I believe is header injection through the vars
and dump any file into a directory of my desire (basically) img/espanol/producto/whatever_I_want/

Uhm, I'm not so sure you can do too much via the header() command that can cause server abuse, but it's still not smart to let it be abused. Second opinion?

[Techie-Micheal]

Spoiler:

Couldn't I essentially use this from any location

Code: Select all

$url = "location:../agregar_subcategoria.php?NOMBRE_CATEGORIA=$categoria&RUTA=$base"; 

Which I believe is header injection through the vars
and dump any file into a directory of my desire (basically) img/espanol/producto/whatever_I_want/

Uhm, I'm not so sure you can do too much via the header() command that can cause server abuse, but it's still not smart to let it be abused. Second opinion?

Spoiler:

I'm not sure what David has in mind for this, but there are header injections that can be done to abuse things like SMTP. As for the redirect, you can do even this: img/espano/producto/../../<insert path here>. That's probably what was meant above, but anywho.