From: Steven M. Christey
Date: Fri, 13 Jan 2006 18:38:02 -0500 (EST)
Subject: [VIM] Verified TankLogger SQL inject by source inspection

re: http://evuln.com/vulns/26/description.html (CVE forthcoming)

By source inspection of TankLogger 2.4, I was able to verify the livestock_id vector and found something related to tank_id.

********

first: researcher mentions general_functions.php but this doesn't seem to be relevant, at least not to the vectors I examined.

second: researcher mentions showInfo.php but it doesn't have tank_id in it at all.

1) getVar() in general_functions.php will perform an addslashes() on the value *only* if an optional second argument is true (default is false).

2) from showInfo.php:

    $livestock_id = getVar("livestock_id");
    if ($livestock_id != "") {
        $livestock = new Livestock($mysql_object, $livestock_id);

3) So, $livestock_id does NOT have an addslashes.

4) Livestock.php has the following:

    function Livestock($mysql_object, $livestock_id) {
        $query = "SELECT livestock_id, purchased_from, common_name, scientific_name, date_added, tank_id, pet_name, vendor_id, DATE_FORMAT(date_added, '%M %D, %Y') AS ts FROM livestock WHERE livestock_id = '$livestock_id'";

5) Therefore, since there's no addslashes, the code in #2 allows SQL injection.

**********

The researcher also mentions tank_id. There was no mention of it in general_functions.php or showInfo.php. However, livestock.php uses a tank_id that appears vulnerable to SQL injection in a manner similar to livestock_id, i.e.:

- getVar without "true" second argument
- creation of Tank object with attacker-controlled tank_id
- Tank create method feeds tank_id directly into SQL query
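Added example, not TankLogger's code: a PHP model of the showInfo.php -> Livestock() path above, run against an in-memory SQLite table (constructed rows, via PDO) so it works stand-alone, with the string-built query beside a prepared-statement version; a quote-breaking tautology in livestock_id returns every row from the former and nothing from the latter. The getVar() here is a simplified stand-in for TankLogger's (an assumption), loadLivestockVulnerable/loadLivestockSafe are hypothetical names, and the column list is trimmed.

```php
<?php
// Added example, not TankLogger's own code: models the getVar() -> Livestock()
// path described in the message and shows the prepared-statement fix.
// Uses an in-memory SQLite database through PDO; table and rows are constructed.

// Simplified stand-in for TankLogger's getVar(): escapes only when $slash is true.
function getVar(array $request, string $name, bool $slash = false): string {
    $value = $request[$name] ?? '';
    return $slash ? addslashes($value) : $value;
}

// Vulnerable pattern (as in Livestock.php): the id is interpolated into the SQL string.
function loadLivestockVulnerable(PDO $db, string $livestock_id): array {
    $query = "SELECT livestock_id, pet_name, tank_id FROM livestock "
           . "WHERE livestock_id = '$livestock_id'";
    return $db->query($query)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened pattern: a bound parameter, so the value can never alter the query shape.
function loadLivestockSafe(PDO $db, string $livestock_id): array {
    $stmt = $db->prepare(
        "SELECT livestock_id, pet_name, tank_id FROM livestock WHERE livestock_id = ?");
    $stmt->execute([$livestock_id]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE livestock (livestock_id INTEGER, pet_name TEXT, tank_id INTEGER)");
$db->exec("INSERT INTO livestock VALUES (1, 'Nemo', 10), (2, 'Dory', 11)");

// Constructed request: a tautology in place of a numeric id, the vector the message verifies.
$request = ['livestock_id' => "' OR '1'='1"];
$id = getVar($request, 'livestock_id');   // no second argument, so no addslashes(), as in showInfo.php

printf("string-built query: %d rows\n", count(loadLivestockVulnerable($db, $id)));
printf("prepared statement: %d rows\n", count(loadLivestockSafe($db, $id)));
```

Note that addslashes() is only the escaping TankLogger's own getVar() offers; binding the parameter, as in loadLivestockSafe(), removes the class of bug rather than patching one vector.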