Go Back   vb.org Archive > vBulletin 3 Discussion > vB3 Programming Discussions
Reload this Page Potencial VBul MySQL injection?
FAQ Members List Calendar Search Today's Posts Mark Forums Read
Prev Previous Post   Next Post Next
  #1  
Old 05-15-2007, 06:28 AM
j0rd j0rd is offline
 
Join Date: May 2006
Posts: 11
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default Potencial VBul MySQL injection?
I got this database error emailed to me today.

Quote:
Database error in vBulletin 3.6.5:

Invalid SQL:

SELECT user.avatarid, user.avatarrevision, avatarpath, NOT ISNULL(customavatar.userid) AS hascustom, customavatar.dateline,
customavatar.width, customavatar.height
FROM user AS user
LEFT JOIN avatar AS avatar ON avatar.avatarid = user.avatarid
LEFT JOIN customavatar AS customavatar ON customavatar.userid = user.userid
WHERE user.userid = cc;

MySQL Error : Unknown column 'cc' in 'where clause'
Error Number : 1054
Date : Monday, May 14th 2007 @ 10:13:45 PM
Script : http://fnk.ca/board/private.php?s=&pp=&folderid=-1
Referrer : http://fnk.ca/board/private.php?s=&pp=&folderid=-1
IP Address : 74.98.103.xxx
Username : F*r*a*
Classname : vb_database
Tracked the code down. It's in this file: includes/functions_user.php

The code in question is:

PHP Code:
function fetch_avatar_url($userid)
{
   global $vbulletin;

   if ($avatarinfo $vbulletin->db->query_first_slave("
      SELECT user.avatarid, user.avatarrevision, avatarpath, NOT ISNULL(customav
         customavatar.width, customavatar.height
      FROM " TABLE_PREFIX "user AS user
      LEFT JOIN " TABLE_PREFIX "avatar AS avatar ON avatar.avatarid = user.a
      LEFT JOIN " TABLE_PREFIX "customavatar AS customavatar ON customavatar
      WHERE user.userid = $userid")) 
Which i then changed to:

PHP Code:
function fetch_avatar_url($userid)
{
   global $vbulletin;

   // Scrub the userid 
   $userid intval($userid);

   if ($avatarinfo $vbulletin->db->query_first_slave("
      SELECT user.avatarid, user.avatarrevision, avatarpath, NOT ISNULL(customav
         customavatar.width, customavatar.height
      FROM " TABLE_PREFIX "user AS user
      LEFT JOIN " TABLE_PREFIX "avatar AS avatar ON avatar.avatarid = user.a
      LEFT JOIN " TABLE_PREFIX "customavatar AS customavatar ON customavatar
      WHERE user.userid = $userid")) 

Not sure what code is calling it with the bad error, but i don't really care, the field should be scrubbed anyways before it's passed to the query.


Please comment
Reply With Quote
 

« Previous Thread | Next Thread »
Thread Tools
Display Modes
Threaded Mode Threaded Mode

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Forum Jump


All times are GMT. The time now is 03:20 PM.

Contact Us - Archive - Top

Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2025, vBulletin Solutions Inc.
X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.06317 seconds
  • Memory Usage 2,274KB
  • Queries Executed 12 (?)
More Information
Template Usage:
  • (1)SHOWTHREAD
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (1)ad_showthread_beforeqr
  • (2)bbcode_php
  • (1)bbcode_quote
  • (1)footer
  • (1)forumjump
  • (1)forumrules
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (1)navbar
  • (3)navbar_link
  • (120)option
  • (2)post_thanks_box
  • (2)post_thanks_button
  • (1)post_thanks_javascript
  • (1)post_thanks_navbar_search
  • (2)post_thanks_postbit_info
  • (2)postbit
  • (2)postbit_onlinestatus
  • (2)postbit_wrapper
  • (1)showthread_list
  • (1)spacer_close
  • (1)spacer_open
  • (1)tagbit_wrapper 
Phrase Groups Available:
  • global
  • inlinemod
  • postbit
  • posting
  • reputationlevel
  • showthread
Included Files:
  • ./showthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/functions_bigthree.php
  • ./includes/class_postbit.php
  • ./includes/class_bbcode.php
  • ./includes/functions_reputation.php
  • ./includes/functions_threadedmode.php
  • ./includes/functions_post_thanks.php 
Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_postinfo_query
  • fetch_postinfo
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • showthread_start
  • showthread_getinfo
  • forumjump
  • showthread_post_start
  • showthread_query_postids_threaded
  • showthread_threaded_construct_link
  • showthread_query
  • bbcode_fetch_tags
  • bbcode_create
  • showthread_postbit_create
  • postbit_factory
  • postbit_display_start
  • post_thanks_function_post_thanks_off_start
  • post_thanks_function_post_thanks_off_end
  • post_thanks_function_fetch_thanks_start
  • post_thanks_function_fetch_thanks_end
  • post_thanks_function_thanked_already_start
  • post_thanks_function_thanked_already_end
  • fetch_musername
  • postbit_imicons
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • postbit_display_complete
  • post_thanks_function_can_thank_this_post_start
  • tag_fetchbit_complete
  • forumrules
  • navbits
  • navbits_complete
  • showthread_complete