vb.org Archive > vBulletin 4 Discussion > vB4 General Discussions
#1  05-26-2011, 06:25 PM
|Jordan| (Join Date: Nov 2004, Posts: 479)
Securing against SQL Injection?

What do i look for in my modifications to see if they are susceptible to SQL Injection? What needs to be changed?

P.S. I also made this thread in VB3 forum because i have 2 forums, 1 runs VB4 and the other runs VB3.
#2  05-26-2011, 06:44 PM
Disasterpiece (Join Date: Apr 2007, Location: GER, Posts: 765)

Don't use vars in query-context which can be altered by the user in any way without sanitizing.
This includes $_GET, $_POST, $_COOKIE vars, as well as data which can be loaded from the database.

run $vbulletin->db->escape_string($myVar) on anything and you can be pretty sure that this won't be injected.

Edit:

btw, it's a php-related issue and has not really anything to do with vbulletin or the vbulletin version.
#3  05-26-2011, 09:05 PM
Sarteck (Join Date: Mar 2008, Posts: 304)

One thing I do (though it doesn't really "protect" anything, it can help) is use the sprintf() function when building my SQL queries.

For example, if you have a PHP line like this:
PHP Code:
// vulnerable: whatever is in $userid is pasted into the SQL verbatim
$query = "SELECT * FROM user WHERE userid=$userid";
Then, depending on what goes into $userid, you might possibly be vulnerable. However, if you rewrite the query like this instead:
PHP Code:
// %d forces the value to an integer before it reaches the SQL
$query = sprintf("SELECT * FROM user WHERE userid=%d", $userid);
Then the %d can only be replaced by a number.

As Disasterpiece mentioned, make sure to sanitize all variables that might be used in queries. In fact, it's a good idea to sanitize EVERYTHING except for the ['do'] variables, for the most part.

Use $MyVar = $vbulletin->input->clean_gpc('p', 'MyVar', TYPE_INT); instead of $MyVar = $_POST['MyVar'];, for example.
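A worked comparison of the three approaches discussed in posts #2 and #3 (raw interpolation, sprintf("%d") coercion, and escaping), added here as an example; it is not code from the thread or from vBulletin. It is plain PHP so it runs without a vBulletin install: escapeString() is a stand-in that copies the escape set of mysql_real_escape_string(), not vBulletin's own $vbulletin->db->escape_string(), and the attacker inputs are constructed for the demo. It also covers the caveat post #2's "run escape_string() on anything" leaves out: escaping only protects a value that is placed inside quotes in the SQL.

```php
<?php
// Added example for this thread (not code from the thread or from vBulletin).
// escapeString() stands in for $vbulletin->db->escape_string() /
// mysql_real_escape_string(), which need a live connection; it applies the same
// seven-character escape set (assumption: default MySQL escaping, not
// NO_BACKSLASH_ESCAPES mode).

function escapeString(string $s): string
{
    return strtr($s, [
        "\0"   => '\\0',
        "\n"   => '\\n',
        "\r"   => '\\r',
        "\\"   => '\\\\',
        "'"    => "\\'",
        '"'    => '\\"',
        "\x1a" => '\\Z',
    ]);
}

// Post #3's vulnerable form: whatever is in $userid lands in the SQL verbatim.
function queryRaw(string $userid): string
{
    return "SELECT * FROM user WHERE userid=$userid";
}

// Post #3's fix: %d emits only an integer (PHP takes leading digits, else 0).
function queryInt(string $userid): string
{
    return sprintf("SELECT * FROM user WHERE userid=%d", $userid);
}

// Caveat to post #2: escaping only neutralises characters that break out of a
// quoted literal. With no quotes around the value, "1 OR 1=1" contains nothing
// to escape and goes through untouched.
function queryEscapedUnquoted(string $userid): string
{
    return "SELECT * FROM user WHERE userid=" . escapeString($userid);
}

// Escaping used correctly: the value sits inside single quotes, so an escaped
// quote cannot terminate the literal.
function queryEscapedQuoted(string $username): string
{
    return "SELECT * FROM user WHERE username='" . escapeString($username) . "'";
}

// Constructed attacker inputs (not from any real incident).
function demo(): array
{
    $intPayloads = ['42', '1 OR 1=1', '1; DROP TABLE user', '-7', 'abc'];
    $strPayloads = ['alice', "admin' OR '1'='1", "x' -- ", "bob\\' OR 1=1 -- "];
    $rows = [];
    foreach ($intPayloads as $p) {
        $rows[] = [
            'input'            => $p,
            'raw'              => queryRaw($p),
            'int'              => queryInt($p),
            'escaped_unquoted' => queryEscapedUnquoted($p),
        ];
    }
    foreach ($strPayloads as $p) {
        $rows[] = ['input' => $p, 'escaped_quoted' => queryEscapedQuoted($p)];
    }
    return $rows;
}

foreach (demo() as $row) {
    foreach ($row as $k => $v) {
        printf("%-17s %s\n", $k . ':', $v);
    }
    echo "\n";
}
```

Run it with `php file.php`. For the payload `1 OR 1=1` the raw and escaped-unquoted rows produce the identical `WHERE userid=1 OR 1=1`, which is the point: escaping did nothing because there was nothing to escape. The `%d` row collapses every non-integer payload to a bare number. In a real mod keep the vBulletin calls: `sprintf('%d', ...)`, `(int)` or `intval()` for numeric columns, and `escape_string()` inside quotes for string columns.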
#4  05-26-2011, 10:13 PM
|Jordan| (Join Date: Nov 2004, Posts: 479)

What about the tips suggested here, most notably mysql_real_escape_string.
#5  05-26-2011, 10:22 PM
Disasterpiece (Join Date: Apr 2007, Location: GER, Posts: 765)

Yeah, that's what the $vbulletin->db->escape_string() function is for, along with multiple other functions which sanitize strings for queries.

That's enough for a modder to know if he wants to make his/her modifications safe.
But sadly, as the latest events show, some "coders" aren't even capable of implementing the simplest security routines.

Anyway, I'm not sure where you want to go with your thread. We already know how to prevent SQL queries, modders (should) know and you seem to be informed there as well.
#6  05-26-2011, 10:28 PM
|Jordan| (Join Date: Nov 2004, Posts: 479)

I'm trying to be proactive and sanitize the mods myself instead of waiting for either my forum or someone else's to get hacked, wait for a patch or disable the modification.
#7  05-26-2011, 10:44 PM
Disasterpiece (Join Date: Apr 2007, Location: GER, Posts: 765)

Right.

So the biggest security risks are: SQL Queries, eval() functions and anything which has to do with file operations like fopen(), fread(), file_get_contents(), include(), require(), etc.

When you look through the mods, look out for these areas and check what vars they are using. Then try to track them back to where they came from and what has been done with them since they were defined.
The easiest thing to spot is if they come directly from user-input vars like $_GET, $_POST, $_FILES, $_COOKIE or $_REQUEST, but also from $_SERVER and $_ENV, which are NOT safe, although you might think they are. Even HTTP Referrer and User-Agent headers can be faked, as well as cookie values.

Either way, you track these variables back until you find some functionality which sanitizes them.
For integers, it's quite easy to do, like
PHP Code:
$foo = (int)$var;             // cast
$foo = intval($var);          // same result as the cast
$foo = sprintf("%d", $var);   // yields a string containing only digits
$foo = 0 + $var;              // note: throws a TypeError on PHP 8 if $var is not numeric
etc.
A good but very advanced method of sanitizing strings is regex. It's mostly safe and a good idea to use it, given that you have enough knowledge to actually use it right.
$db->escape_string() works for most strings, it just escapes anything which could mess up the query like quotes, comment-chars, nullbytes, etc.

If you get to the point where vBulletin functions are used to sanitize GPC vars, you might want to check the includes/class_core.php file, find the vB_gpc class and see what the "clean" vars do, because, as the past showed us, not everyone knows what they actually do. Not all of them "clean" a string for usage in queries or evals; they just make the according typecast, which has nothing to do with security.

If you are unsure whether a mod has a security flaw or not, ask in the forums, PM a staff member or PM me if you like.
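The review procedure in post #7 (find the sinks, list the variables that reach them, trace each back to its source and to whatever sanitized it) can be partly automated. The script below is an added example, not code from the thread or from vBulletin: a line-based triage scanner that looks for the sink functions the post names, reports every variable in each call, flags superglobals, does a one-hop trace of plain variables to their last assignment, and marks `$vbulletin->GPC[...]` values so the reviewer checks which TYPE_* constant cleaned them. The method names (query_read, query_write, query_first) are the ones vBulletin 3/4 mods call; the mod source it scans is constructed for the demo. It does not parse PHP, so parentheses inside strings can confuse its multi-line handling; its output is a to-do list for the reviewer, not a proof of safety.

```php
<?php
// Added example: a triage scanner for the review method in post #7. Not vBulletin
// code and not a PHP parser; it is regex over lines, so treat its output as a to-do list.

// Sinks named in the thread: query builders, eval(), file and include functions.
const SINK_PATTERN = '/\b(query_read|query_write|query_first|query|eval|fopen|fread|file_get_contents|file_put_contents|readfile|unlink|include_once|include|require_once|require)\s*(?=\(|[\'"$])/';
// Attacker-controlled sources, including the $_SERVER/$_ENV ones the post warns about.
const SUPERGLOBAL_PATTERN = '/\$_(?:GET|POST|COOKIE|REQUEST|FILES|SERVER|ENV)\b/';
// A variable with optional [index] and ->property chains, e.g. $vbulletin->GPC['id'].
const VARIABLE_PATTERN = '/\$[A-Za-z_]\w*(?:\[[^\]]*\]|->\w+)*/';

/** One-hop backward trace: the most recent "$name = ..." above line index $before. */
function lastAssignment(array $lines, string $name, int $before): ?array
{
    $re = '/^\s*' . preg_quote($name, '/') . '\s*=(?!=)\s*(.+)$/';
    for ($k = $before - 1; $k >= 0; $k--) {
        if (preg_match($re, $lines[$k], $m)) {
            return ['line' => $k + 1, 'rhs' => rtrim($m[1], " ;")];
        }
    }
    return null;
}

/** One finding per sink call: line, sink name, severity and per-variable notes. */
function scanForSinks(string $source): array
{
    $lines = explode("\n", $source);
    $n = count($lines);
    $findings = [];
    for ($i = 0; $i < $n; $i++) {
        if (!preg_match(SINK_PATTERN, $lines[$i], $m, PREG_OFFSET_CAPTURE)) {
            continue;
        }
        $sink = $m[1][0];
        $args = ltrim(substr($lines[$i], $m[0][1] + strlen($m[0][0])));
        // Gather continuation lines until the call's parentheses balance (naive count).
        if ($args !== '' && $args[0] === '(') {
            $depth = substr_count($args, '(') - substr_count($args, ')');
            for ($j = $i + 1; $depth > 0 && $j < $n; $j++) {
                $args .= "\n" . $lines[$j];
                $depth += substr_count($lines[$j], '(') - substr_count($lines[$j], ')');
            }
        }
        preg_match_all(VARIABLE_PATTERN, $args, $vm);
        $severity = 'INFO';
        $notes = [];
        foreach (array_unique($vm[0]) as $v) {
            if (preg_match(SUPERGLOBAL_PATTERN, $v)) {
                $severity = 'HIGH';
                $notes[] = "$v is raw user input";
                continue;
            }
            if ($severity === 'INFO') {
                $severity = 'TRACE';
            }
            if (strpos($v, '$vbulletin->GPC[') === 0) {
                $notes[] = "$v came through clean_gpc(): check its TYPE_* constant; TYPE_STR only typecasts, so a string still needs escape_string() and quotes";
                continue;
            }
            $asg = preg_match('/^\$\w+$/', $v) ? lastAssignment($lines, $v, $i) : null;
            if ($asg === null) {
                $notes[] = "$v: no assignment found above, trace by hand";
            } elseif (preg_match(SUPERGLOBAL_PATTERN, $asg['rhs'])) {
                $severity = 'HIGH';
                $notes[] = "$v = {$asg['rhs']} (line {$asg['line']}) is raw user input";
            } else {
                $notes[] = "$v last assigned on line {$asg['line']}: {$asg['rhs']}";
            }
        }
        $findings[] = ['line' => $i + 1, 'sink' => $sink, 'severity' => $severity, 'notes' => $notes];
    }
    return $findings;
}

function formatReport(array $findings): string
{
    $out = '';
    foreach ($findings as $f) {
        $out .= sprintf("line %-3d %-5s %s\n", $f['line'], $f['severity'], $f['sink']);
        foreach ($f['notes'] as $note) {
            $out .= "         - $note\n";
        }
    }
    return $out;
}

// Constructed mod source for the demo (not a real modification).
$sample = <<<'PHP'
<?php
$userid = $_GET['u'];
$db->query_read("SELECT * FROM " . TABLE_PREFIX . "user WHERE userid = $userid");
$vbulletin->input->clean_array_gpc('p', array('title' => TYPE_STR, 'page' => TYPE_INT));
$vbulletin->db->query_write("
    UPDATE " . TABLE_PREFIX . "mymod
    SET title = '" . $vbulletin->GPC['title'] . "'
    WHERE page = " . $vbulletin->GPC['page'] . "
");
$count = $db->query_first("SELECT COUNT(*) AS n FROM " . TABLE_PREFIX . "mymod");
include($_REQUEST['template'] . '.php');
PHP;

echo formatReport(scanForSinks($sample));
```

On the constructed sample it reports the query_read on line 3 as HIGH because $userid traces back to $_GET['u'] on line 2, the include on line 11 as HIGH for using $_REQUEST directly, the query_write as TRACE with a reminder to check what TYPE_STR did to the title (which, as the post says, is a typecast and not SQL escaping), and the constant-only query_first as INFO. Point it at a real mod with `scanForSinks(file_get_contents($path))` and work through the TRACE items by hand.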
#8  05-26-2011, 11:53 PM
|Jordan| (Join Date: Nov 2004, Posts: 479)

You are a machine!

Thanks for all these tips. If I come up with anything suspicious, I'll let everyone know.
Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2025, vBulletin Solutions Inc.