Bugtraq mailing list archives
Advisory: Eggblog <= 3.x Multiple Remote Vulnerabilities
From: Mustafa Can Bjorn IPEKCI <nukedx () nukedx com>
Date: Sun, 28 May 2006 17:01:10 +0300
--Security Report-- Advisory: Eggblog <= 3.x Multiple Remote Vulnerabilities --- Author: Mustafa Can Bjorn "nukedx a.k.a nuker" IPEKCI --- Date: 27/05/06 06:15 PM --- Contacts:{ ICQ: 10072 MSN/Email: nukedx () nukedx com Web: http://www.nukedx.com } --- Vendor: Eggblog (http://www.eggblog.net/) Version: 3.0.6 and prior versions must be affected.About: Via this method remote attacker can inject arbitrary SQL queries to Eggblog.This SQL injection works with Eggblog version 3.0.6 and below.The problem is that id parameter id rss/posts.php did not sanitized properly before using it in SQL query.This caused to remote attacker inject arbitrary SQL queries and execute them.This SQL injection needs
magic_quotes_gpc off.There is another problem in Eggblog 2.x.In registration member register status did not sanitized properly.This caused to remote attacker "register new member" as a admin nick and get administration privileges on Eggblog.
Level: Critical --- How&Example: GET -> http://[site]/[EggBlog]/rss/posts.php?id=SQLEXAMPLE -> http://[site]/[EggBlog]/rss/posts.php?id=1'/**/UNION/**/SELECT/**/0,concat('Username:%20',username),
concat('Password:%20',password)/**/from/**/eggblog_members/*POST/EXAMPLE -> http://[site]/[EggBlog]/home/register.php?username=victim&password=password&email=e () mail com&ref=
-- Timeline: * 27/05/2006: Vulnerability found. * 27/05/2006: Contacted with vendor and waiting reply. --- Exploit: http://www.nukedx.com/?getxpl=36 --- Original advisory can be found at: http://www.nukedx.com/?viewdoc=36
Current thread:
- Advisory: Eggblog <= 3.x Multiple Remote Vulnerabilities Mustafa Can Bjorn IPEKCI (May 29)