
[Full-disclosure] Remote Sql Injection in EasyMoblog 0.5.1



The original advisory can be found at
www.zion-security.com -> [advisories].

--
Thanks in advance,
Tal Argoni, CEH
www.zion-security.com
·= Security Advisory =·

Issue: SQL Injection Vulnerability in EasyMoblog by Umberto Caldera.
Discovered Date: 30/01/07
Author: Tal Argoni, LegendaryZion. [talargoni at gmail.com]
Product Vendor: http://sourceforge.net/project/showfiles.php?group_id=88633
Ver: easymoblog-0.5.1
Details:

EasyMoblog is prone to a SQL injection vulnerability.
The vulnerability exists in the post_details function and is caused by the
lack of input validation/filtering of quotation marks and other malicious
characters in the GET parameter "i".

The post_details function is defined in "libraries.inc.php" and is called
from "list_comments.php", which passes the "i" parameter to it directly.




Contents of libraries.inc.php:
---------------------------------
...

function post_details ($post_id) {
   if (CFG_USE_PATH_INFO == 'no')
      $iisbug = '?';
   else
      $iisbug = '';

   // $post_id is concatenated into the SQL string below without escaping
   // or type checking; this is the injection point.
   $query = "
            select      p.*, count(c.post_id) as post_comments,
                        count(tr.post_id) as post_trackback_pings, t.topic_name,
                        concat(t.img_id,'.',i.img_extension) as topic_img
            from        ".CFG_MYSQL_TABPREFIX."posts p
            left join   ".CFG_MYSQL_TABPREFIX."comments c
            on          p.post_id = c.post_id
            left join   ".CFG_MYSQL_TABPREFIX."trackback_pings tr
            on          p.post_id = tr.post_id
            left join   ".CFG_MYSQL_TABPREFIX."topics t
            on          p.topic_id = t.topic_id
            left join   ".CFG_MYSQL_TABPREFIX."images i
            on          t.img_id = i.img_id
            where       p.post_id = '".$post_id."'
            group by    p.post_id
   ";
   $res = mysql_query($query);

...

Contents of list_comments.php:
---------------------------------
...

$post_id = '';
// The "i" query-string parameter is taken as-is, with no validation
if (isset($_GET['i']))    $post_id = $_GET['i'];

$post = post_details ($post_id);
...
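The same lookup written the way the code above should have been, as an added example that is not EasyMoblog's own code: the identifier is validated and then bound as a prepared-statement parameter, so a quote character in "i" can never change the structure of the query. It assumes a PDO connection $pdo, the CFG_MYSQL_TABPREFIX constant from the original, and that post_id is an integer column; the column list is shortened.

```php
<?php
// Added example (not EasyMoblog's code): a hardened replacement for
// post_details() using a PDO prepared statement instead of string
// concatenation. Assumes $pdo is an open PDO connection and that
// CFG_MYSQL_TABPREFIX is defined as in the original application.

function post_details_safe(PDO $pdo, string $post_id): ?array {
    // Reject anything that is not a positive integer before it gets near SQL.
    // (Assumption: post_id is an auto-increment integer column.)
    if (!preg_match('/^[1-9][0-9]*$/', $post_id)) {
        return null;
    }
    // The table prefix is a configuration constant, not user input,
    // so interpolating it into the identifier is safe.
    $prefix = CFG_MYSQL_TABPREFIX;
    $query = "
        select      p.*, count(c.post_id) as post_comments,
                    count(tr.post_id) as post_trackback_pings, t.topic_name
        from        {$prefix}posts p
        left join   {$prefix}comments c        on p.post_id = c.post_id
        left join   {$prefix}trackback_pings tr on p.post_id = tr.post_id
        left join   {$prefix}topics t          on p.topic_id = t.topic_id
        where       p.post_id = :post_id
        group by    p.post_id
    ";
    // The value is sent to MySQL separately from the query text, so it is
    // never parsed as SQL no matter what characters it contains.
    $stmt = $pdo->prepare($query);
    $stmt->bindValue(':post_id', (int) $post_id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Caller side, replacing the unchecked $_GET['i'] assignment in
// list_comments.php. Returns the post row or null for a bad/unknown id.
function load_post_for_listing(PDO $pdo, array $get): ?array {
    $post_id = isset($get['i']) ? (string) $get['i'] : '';
    $post = post_details_safe($pdo, $post_id);
    if ($post === null) {
        http_response_code(404);   // invalid or unknown post id
    }
    return $post;
}
```

A request such as list_comments.php?i=' is rejected by the regular expression before any query is built, and a request with a well-formed id reaches the database only as a typed integer parameter.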




Exploitation URL:
http://www.example.com/easymoblog/list_comments.php?i='[SQL]

Successful exploitation may allow execution of arbitrary SQL code.
This could also be exploited to obtain passwords, user names,
and a lot of other information, to commit denial-of-service attacks, and more...

Proof Of Concept:
http://www.example.com/easymoblog/list_comments.php?i='[SQL]


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/