AOH :: HP Unsorted W :: BX2644.HTM

Writers Block SQL Injection Vulnerabilities



Writers Block SQL Injection Vulnerabilities
Writers Block SQL Injection Vulnerabilities



[>>] Writer=92s Block SQL Injection Vulnerabilities [<<]


[x] Vendor Information

"If the written word is the wheel, then Writer=92s Block is the sweet, sweet fossil fuel in the
engine that keeps it spinning. A free, flexible, elegant Content Management System that helps
you maintain any web site you want, at any size you want, with no hassle and no restrictions.
In fact, it=92s running this entire site right now."

http://www.desiquintans.com

[x] Attack Information

The variable "PostID" can be filled with malicious content to execute SQL code:

----

permalink.php, line 212:

$getpost = @mysql_query("SELECT Title, Timestamp, Body, PostCat1, PostCat2, PostCat3, PostCat4, Author FROM ".POSTS_TBL." WHERE
  PostID='".$_GET['PostID']."' AND Draft=0");

----

permalink.php, line 298:

$prevlink = mysql_query("SELECT PostID FROM ".POSTS_TBL." WHERE PostID<".$_GET['PostID']." AND Draft=0 ORDER BY Timestamp DESC LIMIT 1");

----

permalink.php, line 304:

$nextlink = mysql_query("SELECT PostID FROM ".POSTS_TBL." WHERE PostID>".$_GET['PostID']." AND Draft=0 ORDER BY Timestamp ASC LIMIT 1");

----

[x] Exploit

The issue can be exploited through a web browser.

[x] Patch

Just add an intval():

----

permalink.php, line 212:

$getpost = @mysql_query("SELECT Title, Timestamp, Body, PostCat1, PostCat2, PostCat3, PostCat4, Author FROM ".POSTS_TBL." WHERE
  PostID='".intval($_GET['PostID'])."' AND Draft=0");

----

permalink.php, line 298:

$prevlink = mysql_query("SELECT PostID FROM ".POSTS_TBL." WHERE PostID<".intval($_GET['PostID'])." AND Draft=0 ORDER BY Timestamp DESC LIMIT 1");

----

permalink.php, line 304:

$nextlink = mysql_query("SELECT PostID FROM ".POSTS_TBL." WHERE PostID>".intval($_GET['PostID'])." AND Draft=0 ORDER BY Timestamp ASC LIMIT 1");

----

[x] Credits

The vulnerability has been discovered by katharsis -

www.katharsis.x2.to

The entire AOH site is optimized to look best in Firefox® 3 on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH
We do not send spam. If you have received spam bearing an artofhacking.com email address, please forward it with full headers to abuse@artofhacking.com.