MyBB Community Forums

Full Version: sql error with yasaka plugin
Hello!
Recently I bought yasaka's auth plugin, link: https://community.mybb.com/thread-229320.html
The seller never replies and is always offline. Anyway, after I bought it I installed it.
How does the auth plugin work?
A user can generate an auth key and authenticate some software.
To check whether the auth key is working, you need to enter this URL: example.com/auth.php?action=checkauth&auth={HERE_THE_AUTH_KEY}
So: example.com/auth.php?action=checkauth&auth=23523235252
I just wanted to see what would happen if I added a ' to the end of the URL, whether I would get an SQL error or not, and yes, I got an SQL error:


MyBB has experienced an internal SQL error and cannot continue.

SQL Error:
1064 - You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''1''' at line 1
Query:
SELECT COUNT(authcode) as authkey FROM `mybb_auth` WHERE `authcode`='1''
So this is an SQLi error which could cause me many serious problems. I would like to get some help, but the user never replies and I don't know what to do in this case.
Thanks in advance for any help it's highly appreciated!
Regards,
Regorce
That's a paid plugin.
If you can copy-paste the line causing the error here, we can try to help further ...

Looks like wrong repeated single-quote usage is causing it.
(2021-02-03, 11:03 AM)effone Wrote: [ -> ]That's a paid plugin.
If you can copy-paste the line causing the error here, we can try to help further ...

Looks like wrong repeated single-quote usage is causing it.
Thanks for your fast reply! I sent you the code in PMs.
The value of authcode should not even be in quotes at all if it is supposed to be a numeric value.  If STRICT_MODE is on, that can cause an error, although that would be a separate error from what is causing your issue.

The line with the code should look like this
$query = $db->simple_select("auth", "COUNT(authcode) as authkey", "authcode=" . $mybb->get_input("auth", MyBB::INPUT_INT));

Based on your post, it also seems as though it was vulnerable to SQL injection via URL manipulation. This edit that I made addresses that. If the value of authcode is supposed to be a string, use the code below instead:

$query = $db->simple_select("auth", "COUNT(authcode) as authkey", "authcode='" . $db->escape_string($mybb->get_input('auth')) . "'");
(2021-02-03, 09:32 PM)dragonexpert Wrote: [ -> ]The value of authcode should not even be in quotes at all if it is supposed to be a numeric value.  If STRICT_MODE is on, that can cause an error, although that would be a separate error from what is causing your issue.

The line with the code should look like this
$query = $db->simple_select("auth", "COUNT(authcode) as authkey", "authcode=" . $mybb->get_input("auth", MyBB::INPUT_INT));

Based on your post, it also seems as though it was vulnerable to SQL injection via URL manipulation. This edit that I made addresses that. If the value of authcode is supposed to be a string, use the code below instead:

$query = $db->simple_select("auth", "COUNT(authcode) as authkey", "authcode='" . $db->escape_string($mybb->get_input('auth')) . "'");
Hey mate, I didn't find these lines in the code, so I sent you the code in DMs. Sorry for the delay, though.
I sent you back a reply that should fix these issues. I found 6 SQL Injection spots.
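Added example, not part of the thread and not the plugin's code: a small Python check that scans MyBB plugin source for request input placed into a $db query without the integer cast or escape_string() wrapper used in the fixes posted above. The sample PHP lines are constructed (the plugin's real source is not posted here), apart from the two fixed lines copied from the thread.

```python
import re

# Methods of MyBB's $db object that send SQL to the database.
QUERY_CALL = re.compile(
    r"\$db->(?:simple_select|query|write_query|insert_query|update_query|delete_query)\s*\(")
# Request data that is still an unescaped string when it reaches the query.
RAW_INPUT = re.compile(
    r"\$mybb->input\[[^\]]+\]"
    r"|\$_(?:GET|POST|REQUEST|COOKIE)\[[^\]]+\]"
    r"|\$mybb->get_input\(\s*(['\"])[^'\"]+\1\s*\)")  # no MyBB::INPUT_* type given
# The value is acceptable when directly wrapped in an escape or an integer cast.
SAFE_PREFIX = re.compile(r"(?:\$db->escape_string\s*\(|intval\s*\(|\(int\))\s*$")


def find_raw_input_in_queries(php_source):
    """Return (line_no, expression) pairs for raw request input on a query line.

    Line-based heuristic: input copied into a variable first is not tracked.
    """
    findings = []
    for line_no, line in enumerate(php_source.splitlines(), start=1):
        if not QUERY_CALL.search(line):
            continue
        for match in RAW_INPUT.finditer(line):
            if not SAFE_PREFIX.search(line[:match.start()]):
                findings.append((line_no, match.group(0)))
    return findings


# Constructed sample: lines 3 and 8 are stand-ins, lines 5 and 6 are the thread's fixes.
SAMPLE = r'''<?php
// Constructed stand-in for the kind of query that produced the error
$query = $db->simple_select("auth", "COUNT(authcode) as authkey", "authcode='" . $mybb->input['auth'] . "'");
// The two fixes posted in the thread
$query = $db->simple_select("auth", "COUNT(authcode) as authkey", "authcode=" . $mybb->get_input("auth", MyBB::INPUT_INT));
$query = $db->simple_select("auth", "COUNT(authcode) as authkey", "authcode='" . $db->escape_string($mybb->get_input('auth')) . "'");
// Constructed: get_input() without a type still returns an unescaped string
$db->delete_query("auth", "authcode='" . $mybb->get_input('auth') . "'");
'''

if __name__ == "__main__":
    for line_no, expr in find_raw_input_in_queries(SAMPLE):
        print(f"line {line_no}: {expr} reaches a query unescaped")
```

A clean result only means no raw input sits directly on a query line; each query still needs a manual read, since values assigned to a variable beforehand are not followed.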
This is a very good find @DragonExpert. 

And I might add @Regorce, I say this as a fellow plugin developer (along with Dragonexpert, who is more experienced than I). SQL injection vulnerabilities are very serious, he is correct. They are a guaranteed back door to your website. It's also very easy for the programmer to prevent them. So if the developer left several SQL injection vulnerabilities in a paid plugin, it's because the programmer was lazy. There is no excuse for this.

Just protect yourself and your website as best you can. I'd take this plugin down immediately, along with any others from the same website if you have any. I don't think this plugin developer can be trusted. If it's absolutely necessary to keep, make sure to apply Dragonexpert's fixes immediately to prevent any possible breach.

Best regards, and stay safe :)
-Darth Apple
(2021-02-05, 04:56 AM)Darth Apple Wrote: [ -> ]This is a very good find @DragonExpert. 

And I might add @Regorce, I say this as a fellow plugin developer (along with Dragonexpert, who is more experienced than I). SQL injection vulnerabilities are very serious, he is correct. They are a guaranteed back door to your website. It's also very easy for the programmer to prevent them. So if the developer left several SQL injection vulnerabilities in a paid plugin, it's because the programmer was lazy. There is no excuse for this.

Just protect yourself and your website as best you can. I'd take this plugin down immediately, along with any others from the same website if you have any. I don't think this plugin developer can be trusted. If it's absolutely necessary to keep, make sure to apply Dragonexpert's fixes immediately to prevent any possible breach.

Best regards, and stay safe :)
-Darth Apple
Thanks sir for your quality reply. Honestly, I wasn't expecting such an error in a paid plugin. When I tried to see if it's vulnerable to SQL injection I was just curious; I'm ngl, I tried it on almost every site, so if there is an SQL injection I report it to the site owner. So I added the { ' } at the end of the URL and yeah, an error popped up. Also, I would like to advise everyone seeing this thread: don't buy the plugin, for many reasons, such as some issues with users who have access to the auth, the SQLi, some errors in the code, and especially the owner of the plugin, who doesn't care about his customers and doesn't help them once he gets paid. But here comes this awesome community who help for free, like @dragonexpert did, and now it's working perfectly. Thanks once again!
-Regorce
The problem here is that users pay multiple programmers for cheap prices.

I have reviewed many plugins for users, both free and paid. But many paid plugins have SQL injection vulnerabilities or security issues as well. I have sent the new files / changes to plugin authors multiple times, and the same for paid works, only to customers, because sometimes they have asked me for new addons. But it is impossible to cover / review all source code and more.

But first, I always suggest reviewing their free products to see the quality of their products. At least I do better code implementations on premium / paid works, but paid ones are exclusive and I make them from scratch every time I do a new job, to prevent users from having the same work; maybe similar, since I wrote all the code, but it's better for me to do that. So it is not only the customer's fault but the developers' too, because SQL injections are a priority when you write a new project. Maybe some issues or bugs can appear for several reasons, but we have to fix them and write better code with knowledge and experience. But it's hard to maintain, and on system updates we often need to recode some sections; at least I try to keep all my projects up to date with every newly released version.

But even so we as programmers can not us extends sections as we have to. To remove or edit old / deprecated code, many times we ask for a staff review, and as far as I see it is not possible to review it all, so you have to keep your own trustworthy guys to pay for a new mod or whatever.

But to cover it all, even free ones are too complicated, and premium or paid ones can't be reviewed by any members.
I didn't notice this thread in time, till now that I stumbled upon a related issue, just not necessarily involving the same aforementioned developer or plugin. I will quote two strips I liked from above.

(2021-02-05, 04:56 AM)Darth Apple Wrote: [ -> ][...] SQL injection vulnerabilities are very serious, he is correct. They are a guaranteed back door to your website. It's also very easy for the programmer to prevent them. So if the developer left several SQL injection vulnerabilities in a paid plugin, it's because the programmer was lazy. There is no excuse for this. [...]

(2021-02-05, 03:58 PM)Whiteneo Wrote: [ -> ][...] to prevent users from having the same work; maybe similar, since I wrote all the code, but it's better for me to do that. So it is not only the customer's fault but the developers' too, because SQL injections are a priority when you write a new project. [...]

Anyone should be wary when paying for stuff that is supposed to remain private, because vulnerabilities in private projects are usually harder to find, and once found it might be possible to stay like that for long periods of time.

Also note that doing some review on projects, even small ones, could ultimately be as expensive as, if not more than, what the project was paid for.

Let it be $10 USD or $1,000 USD projects, don't blindly trust any developer just like that.