security advisory: Plogger Photo Gallery SQL Injection
Plogger is an open source PHP photo gallery with over two years of development and more than 50,000 downloads. The Plogger web site (http://www.plogger.org) describes the application as a fully featured photo sharing package with an attractive and easy to use administrative interface.
It was found that insufficient validation was applied to the input parameters of the script that generates Plogger's RSS feeds. As a result, SQL code could be injected into Plogger database queries (read the security advisory - mirror #1, mirror #2).
update: this vulnerability has been assigned the following CVE number: CVE-2007-6587.
The vulnerability results from the following PHP code:-
//...
$id = isset($_GET["id"]) ? $_GET["id"] : "";
//...
As can be observed, the value of the id parameter is fetched and no input validation is performed. This value is then passed to another function that includes it as part of a database query.
Further investigation revealed that the injected code would be executed in two separate SQL queries:-
Query 1
SELECT COUNT(DISTINCT p.`id`) AS cnt FROM `plogger_pictures` `p` LEFT JOIN `plogger_comments` `c` ON `p`.`id`=`c`.`parent_id` WHERE p.`parent_collection` = [injected code]
Query 2
SELECT p.*, UNIX_TIMESTAMP(`date_submitted`) AS `unix_date_submitted`, UNIX_TIMESTAMP(`EXIF_date_taken`) AS `unix_exif_date_taken`, COUNT(`comment`) AS `num_comments` FROM `plogger_pictures` `p` LEFT JOIN `plogger_comments` `c` ON `p`.`id`=`c`.`parent_id` WHERE p.`parent_collection` = [injected code] GROUP BY p.`id` ORDER BY `id` DESC,p.`id` DESC LIMIT 0,15
These two statements differ considerably in structure. Although it may be possible to craft a single SQL fragment that fits both and delivers the desired output in-band, other techniques were found to be more appropriate in this case.
Exploit Information
Depending on the injected code, the server will return an error from either the first or the second query, or the queries will execute cleanly with no errors at all. This is an ideal scenario for SQL Injection inference attacks.
Source code inspection revealed that the first query is used to gather the number of images available in the database. An exploit can therefore be built by appending a condition on some interesting database field, so that the script's output changes depending on whether that condition holds. For example, the first query can be made to return either zero or the real number of available images, which in turn decides what the script emits: in one case the RSS feed contains no images, in the other it contains the correct number. Repeating this with successive conditions allows the value of the field to be recovered one character at a time.
Recommendations
This issue was addressed in the changeset 489. It is recommended that all installations of the software be upgraded to the secure version now available from the vendor's site. However as an interim workaround the source code of plog-rss.php (line 103) could be patched like this:
//...
$id = isset($_GET["id"]) ? intval($_GET["id"]) : "";
//...
To reduce the level of risk to which users of the software are exposed it is further advised that the application be run under a database user account with the lowest level of privilege possible.