20-05-2014, 11:29 PM
SUMMARY (if you don't know or care about PHP/SQL development and software licensing): The version of the virtual airline upload
software that I've been using for a few years has some vulnerabilities that could allow someone to access - or wreck - the databases that
contain the flight data, and possibly other databases on the server. I will be fixing these vulnerabilities in my own installation, but I'd really
like to share those updates with the community. However, I don't want to step on any toes and I'm not even sure which version I installed -
it was a while ago.
DETAIL: While auditing some of my personal sites, I discovered that my private virtual airline (only one pilot, me, on a private server) is
vulnerable to SQL injection attacks. As a specific example, a file called FsPlistflight.php contains the statement:
$query = "SELECT * FROM flights WHERE id=$listflight";
Since the value of $listflight is derived directly from the 'listflight' parameter in the browser, this could very easily allow a malicious person
to insert his own SQL statement into the one that should be run:
$listflight = $_GET['listflight']; // my note: this value, whatever it is, is placed directly into the statement above and executed by the server
Among other things, the code also uses the PHP mysql_query() function, which has been deprecated as unsafe:
http://us3.php.net/mysql_query. I don't mean to imply lazy programming or inattention to security or anything on the part of the developers;
these methods had been accepted for a long time and used in many tutorials until they were proven unsafe and replaced with more
protected methods such as PDO.
I will be rewriting the VA software that I'm using to patch this vulnerability. However, I'd really like to make it available to the community so
that other people don't have to reinvent the wheel. Also, I'd like it if people who aren't able to make those fixes themselves aren't exposed
to attack; I want them to be able to just download the new version and get going safely. I have a few questions/issues to resolve first:
First, I'm not even sure which version of the VA application I'm running (like I said, it was a while ago). My VA directory on my server
contains the files:
1989_FsPadmin_1.5-FIXED.zip
FsPgetflight.php
read me.txt
config_example1.cfg
FsPlistflight.php
SetupGuide.docx
config_example2.cfg
index.html
SetupGuide.txt
FsPadmin
oldFsPlistflight.php
However, when I downloaded a fresh copy of the default importer at http://www.fspassengers.com/forum/showth...hp?tid=825 I
found the files:
action_createtables.php
flights_db_example.gz
setting_form.php
action_writesetting.php
index.php
setting.php
admin.css
left_menu.php
user_admin.php
common.php
login.php
welcome.php
Clearly, the default version and the one I'm running are different, and I haven't yet tracked down which of the enhanced versions I'm
running. Second, neither my version nor the default one include a license file that explicitly allows me to redistribute the code and my
changes to the public (such as the GPL or BSD licenses). I really want to publish my security patches back to the community, but unless I
am granted license by the developer(s), I'm a little hesitant to do so. Finally, I would prefer to host the fixes on a public forum such as
GitHub which allows other people to make their own improvements and contribute them back to the main repository, and which ensures
that if I get whacked by a bus next month, someone else can take over and keep these scripts up to date.
Does anyone have any direction on what my options are here? I'm going to be patching the code on my server, obviously, but is there any
interest in a community-maintained VA upload package? If so, is there one particular codebase that should be the starting point? For that
matter... am I even posting this in the right subforum?
Post Edited ( 05-21-14 02:34 )
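The two lines quoted from FsPlistflight.php above show the whole problem: whatever arrives in ?listflight= is pasted into the SQL text and executed. The following is an added example, not code from the VA importer or from the poster, that puts that vulnerable pattern next to a PDO prepared-statement version of the same lookup. To run offline it uses an in-memory SQLite database with a constructed three-row `flights` table (assumed column names `id`, `pilot`, `route`); a real installation would build the PDO object with a `mysql:` DSN and the credentials from the config file instead, which is also an assumption about how the real scripts are wired.

```php
<?php
// Added example, not the original VA importer code: the vulnerable string-interpolated
// query from FsPlistflight.php beside a hardened PDO version of the same lookup.
// Runs offline against an in-memory SQLite table constructed below; the 'flights'
// columns (id, pilot, route) and the sample rows are assumptions for illustration.
declare(strict_types=1);

function buildPdo(): PDO
{
    // Assumption: a real install would use something like
    //   new PDO('mysql:host=localhost;dbname=va;charset=utf8mb4', $user, $pass)
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // With the MySQL driver, also turn off emulated prepares so the server binds
    // the parameters itself rather than the driver splicing them into the SQL text:
    // $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    $pdo->exec('CREATE TABLE flights (id INTEGER PRIMARY KEY, pilot TEXT, route TEXT)');
    $pdo->exec("INSERT INTO flights VALUES (1, 'me', 'KSEA-KSFO'), (2, 'me', 'KSFO-KLAX'), (3, 'me', 'KLAX-KPHX')");
    return $pdo;
}

// VULNERABLE: the pattern quoted from FsPlistflight.php. The raw GET value becomes
// part of the SQL text, so "1 OR 1=1" (or a UNION, or a comment sequence) is
// executed as SQL rather than compared against id.
function listFlightVulnerable(PDO $pdo, string $listflight): array
{
    $query = "SELECT * FROM flights WHERE id=$listflight";
    return $pdo->query($query)->fetchAll(PDO::FETCH_ASSOC);
}

// HARDENED: reject anything that is not a positive integer, then send the value
// to the database as a bound parameter instead of as part of the statement text.
function listFlightSafe(PDO $pdo, string $listflight): array
{
    $id = filter_var($listflight, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        // In the real page this is where you would send a 400 and stop.
        return [];
    }
    $stmt = $pdo->prepare('SELECT * FROM flights WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$pdo = buildPdo();
$normal  = '2';          // what a legitimate link carries in ?listflight=
$payload = '1 OR 1=1';   // what an attacker can put in the same parameter

printf("vulnerable, normal input: %d row(s)\n", count(listFlightVulnerable($pdo, $normal)));
printf("vulnerable, payload:      %d row(s)\n", count(listFlightVulnerable($pdo, $payload)));
printf("hardened, normal input:   %d row(s)\n", count(listFlightSafe($pdo, $normal)));
printf("hardened, payload:        %d row(s)\n", count(listFlightSafe($pdo, $payload)));
```

Through the vulnerable function the payload returns every row in the table, because the WHERE clause has become `id=1 OR 1=1`; through the hardened function the same string fails integer validation and nothing is queried, and even a value that passed validation could only ever be compared against `id`, never parsed as SQL. The same two-step treatment (validate the type, bind the value) applies to every other `$_GET` and `$_POST` parameter the scripts read, and moving to PDO also replaces the deprecated `mysql_query()` calls mentioned above, which requires the `pdo_mysql` extension on the server.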