Question

The website for a client of mine continues to be "hacked" (I didn't do the website). The hacked pages contain a js script that loads an image and audio from youtube (Lol). Every page was modified and every page has a "news banner". I'm pretty sure the problem is this part

    <?php
    $ul = new NewsList;
    $ul->Load(3);
    if ($ul->Current() == null) { ?>
    <?php } else {
        for (; $ul->Current() != null; $ul->Next()) {
            $new = $ul->Current();
            // ... the news item is rendered here (rest of the loop body not shown in the question)
        }
    }
    ?>

the complete implementation of this NewsList : http://pastebin.com/WuWjcJ4p

I'm not a PHP programmer, so I don't get where the problem is.... I'm not asking for someone to explain every line, maybe only some advice. Thank you.


The solution

Sounds like an SQL injection.

I believe the loadById() method is injectable (depending on how you call it).

Here is a way to strengthen it:

    function LoadById($id) {
        $this->news = array();
        $this->current = 0;
        $this->total = 0;

        $ndb = new NewsDB('news');
        // intval() forces the id to an integer, so user input can no longer alter the query text.
        $result = $ndb->_query("SELECT * FROM " . $ndb->table . " WHERE id = " . intval($id));
        $new = mysql_fetch_assoc($result);
        if ($new === false) {
            return; // no row with that id: leave the list empty
        }
        $n = new News($new['id'], $new['titolo'], $new['data'], $new['contenuto'], $new['img']);
        array_push($this->news, $n);
        unset($n);

        $this->total = 1;
    }

Someone might have stolen the passwords from administration using this security flaw and edited the articles from the back-office.

So I suggest you change this code, then change the passwords, delete all php sessions, and finally edit your articles to remove this "news banner".

Note that it might as well be a stored XSS. Do you have a system which allows commenting on the news?
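As an added illustration of both points in this answer (the integer-only id for the SQL injection, and output escaping for the stored-XSS case), here is a self-contained PHP script that is not the site's code: it rebuilds a `news` table with the answer's column names in an in-memory SQLite database (constructed sample rows), loads one item through a PDO prepared statement, and escapes the title and content before they are printed into the page.

```php
<?php
// Added example, not the NewsList class from the question. Assumes PHP with PDO and
// the pdo_sqlite driver; the table layout mirrors the columns used in the answer.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE news (id INTEGER PRIMARY KEY, titolo TEXT, data TEXT, contenuto TEXT, img TEXT)');

// Constructed sample rows; the third one carries markup in its title, as a stored piece
// of content might after an attacker has edited an article.
$ins = $pdo->prepare('INSERT INTO news (titolo, data, contenuto, img) VALUES (?, ?, ?, ?)');
$ins->execute(['First post', '2013-01-01', 'Hello', 'a.png']);
$ins->execute(['Second post', '2013-01-02', 'World', 'b.png']);
$ins->execute(['<script>alert(1)</script>', '2013-01-03', 'Injected title', 'c.png']);

// Hardened loader: the id is cast to int and bound as a parameter, so whatever the
// caller passes is data for the database, never part of the SQL text.
function loadById(PDO $pdo, $id) {
    $stmt = $pdo->prepare('SELECT * FROM news WHERE id = :id');
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC); // zero or one row
}

// Escape on output so stored content is shown as text, not executed as script.
function renderNews(array $row) {
    $title = htmlspecialchars($row['titolo'], ENT_QUOTES, 'UTF-8');
    $body  = htmlspecialchars($row['contenuto'], ENT_QUOTES, 'UTF-8');
    return "<h2>$title</h2><p>$body</p>";
}

// An untrusted id string that is not a plain number is reduced to the integer 2,
// so exactly one row comes back rather than the whole table.
$rows = loadById($pdo, '2 OR 1=1');
if (count($rows) !== 1 || $rows[0]['titolo'] !== 'Second post') {
    throw new RuntimeException('hardened loader returned the wrong rows');
}

// The stored markup is rendered inert.
$html = renderNews(loadById($pdo, 3)[0]);
if (strpos($html, '<script>') !== false) {
    throw new RuntimeException('output escaping failed');
}
echo $html, "\n";
```

The same two measures apply to the original `mysql_*` code: keep `intval()` on the id (or move to `mysqli`/PDO prepared statements), and wrap every `titolo`/`contenuto` value in `htmlspecialchars()` where the template prints it.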

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow