vb.org Archive - Potencial VBul MySQL injection?

I got this database error emailed to me today.

Quote:

Database error in vBulletin 3.6.5:

Invalid SQL:

SELECT user.avatarid, user.avatarrevision, avatarpath, NOT ISNULL(customavatar.userid) AS hascustom, customavatar.dateline,
customavatar.width, customavatar.height
FROM user AS user
LEFT JOIN avatar AS avatar ON avatar.avatarid = user.avatarid
LEFT JOIN customavatar AS customavatar ON customavatar.userid = user.userid
WHERE user.userid = cc;

MySQL Error : Unknown column 'cc' in 'where clause'
Error Number : 1054
Date : Monday, May 14th 2007 @ 10:13:45 PM
Script : http://fnk.ca/board/private.php?s=&pp=&folderid=-1
Referrer : http://fnk.ca/board/private.php?s=&pp=&folderid=-1
IP Address : 74.98.103.xxx
Username : F*r*a*
Classname : vb_database

Tracked the code down. It's in this file: includes/functions_user.php

The code in question is:

PHP Code:


		
			
function fetch_avatar_url($userid)
{
   global $vbulletin;

   if ($avatarinfo = $vbulletin->db->query_first_slave("
      SELECT user.avatarid, user.avatarrevision, avatarpath, NOT ISNULL(customav
         customavatar.width, customavatar.height
      FROM " . TABLE_PREFIX . "user AS user
      LEFT JOIN " . TABLE_PREFIX . "avatar AS avatar ON avatar.avatarid = user.a
      LEFT JOIN " . TABLE_PREFIX . "customavatar AS customavatar ON customavatar
      WHERE user.userid = $userid"))

Which i then changed to:

PHP Code:


		
			
function fetch_avatar_url($userid)
{
   global $vbulletin;

   // Scrub the userid 
   $userid = intval($userid);

   if ($avatarinfo = $vbulletin->db->query_first_slave("
      SELECT user.avatarid, user.avatarrevision, avatarpath, NOT ISNULL(customav
         customavatar.width, customavatar.height
      FROM " . TABLE_PREFIX . "user AS user
      LEFT JOIN " . TABLE_PREFIX . "avatar AS avatar ON avatar.avatarid = user.a
      LEFT JOIN " . TABLE_PREFIX . "customavatar AS customavatar ON customavatar
      WHERE user.userid = $userid"))

Not sure what code is calling it with the bad error, but i don't really care, the field should be scrubbed anyways before it's passed to the query.

Please comment

X vBulletin 3.8.12 by vBS Debug Information
Template Usage: (1)ad_footer_end (1)ad_footer_start (1)ad_header_end (1)ad_header_logo (1)ad_navbar_below (2)bbcode_php_printable (1)bbcode_quote_printable (1)footer (1)gobutton (1)header (1)headinclude (6)option (1)post_thanks_navbar_search (1)printthread (2)printthreadbit (1)spacer_close (1)spacer_open Phrase Groups Available: global postbit showthread	Included Files: ./printthread.php ./global.php ./includes/init.php ./includes/class_core.php ./includes/config.php ./includes/functions.php ./includes/class_hook.php ./includes/modsystem_functions.php ./includes/class_bbcode_alt.php ./includes/class_bbcode.php ./includes/functions_bigthree.php Hooks Called: init_startup init_startup_session_setup_start init_startup_session_setup_complete cache_permissions fetch_threadinfo_query fetch_threadinfo fetch_foruminfo style_fetch cache_templates global_start parse_templates global_setup_complete printthread_start bbcode_fetch_tags bbcode_create bbcode_parse_start bbcode_parse_complete_precache bbcode_parse_complete printthread_post printthread_complete
Messages:

X vBulletin 3.8.12 by vBS Debug Information

Page Generation 0.01682 seconds
Memory Usage 1,727KB
Queries Executed 10 (?)

More Information

Template Usage:

(1)ad_footer_end
(1)ad_footer_start
(1)ad_header_end
(1)ad_header_logo
(1)ad_navbar_below
(2)bbcode_php_printable
(1)bbcode_quote_printable
(1)footer
(1)gobutton
(1)header
(1)headinclude
(6)option
(1)post_thanks_navbar_search
(1)printthread
(2)printthreadbit
(1)spacer_close
(1)spacer_open

Phrase Groups Available:

global
postbit
showthread

Included Files:

./printthread.php
./global.php
./includes/init.php
./includes/class_core.php
./includes/config.php
./includes/functions.php
./includes/class_hook.php
./includes/modsystem_functions.php
./includes/class_bbcode_alt.php
./includes/class_bbcode.php
./includes/functions_bigthree.php

Hooks Called:

init_startup
init_startup_session_setup_start
init_startup_session_setup_complete
cache_permissions
fetch_threadinfo_query
fetch_threadinfo
fetch_foruminfo
style_fetch
cache_templates
global_start
parse_templates
global_setup_complete
printthread_start
bbcode_fetch_tags
bbcode_create
bbcode_parse_start
bbcode_parse_complete_precache
bbcode_parse_complete
printthread_post
printthread_complete

Messages:

X vBulletin 3.8.12 by vBS Debug Information
Page Generation 0.01682 seconds Memory Usage 1,727KB Queries Executed 10 (?)
More Information
Template Usage: (1)ad_footer_end (1)ad_footer_start (1)ad_header_end (1)ad_header_logo (1)ad_navbar_below (2)bbcode_php_printable (1)bbcode_quote_printable (1)footer (1)gobutton (1)header (1)headinclude (6)option (1)post_thanks_navbar_search (1)printthread (2)printthreadbit (1)spacer_close (1)spacer_open Phrase Groups Available: global postbit showthread	Included Files: ./printthread.php ./global.php ./includes/init.php ./includes/class_core.php ./includes/config.php ./includes/functions.php ./includes/class_hook.php ./includes/modsystem_functions.php ./includes/class_bbcode_alt.php ./includes/class_bbcode.php ./includes/functions_bigthree.php Hooks Called: init_startup init_startup_session_setup_start init_startup_session_setup_complete cache_permissions fetch_threadinfo_query fetch_threadinfo fetch_foruminfo style_fetch cache_templates global_start parse_templates global_setup_complete printthread_start bbcode_fetch_tags bbcode_create bbcode_parse_start bbcode_parse_complete_precache bbcode_parse_complete printthread_post printthread_complete
Messages: