SQL Injection vulnerability in bBlog 0.7.3

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: SQL Injection vulnerability in bBlog 0.7.3
From: James McGlinn <james@xxxxxxxxxxxxx>
Date: Fri, 1 Oct 2004 16:02:12 +1200
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

Servers.co.nz Security Advisory SCN200409-1

Available in HTML format athttp://www.servers.co.nz/security/SCN200409-1.php

------------------------------------------------------------

SQL Injection vulnerability in bBlog 0.7.3

Author: James McGlinn, Servers.co.nz Ltd <james_at_servers dot co dotnz>

Discovery Date: September 28, 2004
Package: bBlog
Versions Affected: 0.7.2, 0.7.3
Severity: Severe - a remote user can gain administrative privileges.

------------------------------------------------------------

Problem: There is an SQL Injection vulnerability in versions of bBlogprior to 0.7.3, which can be exploited to gain administrative access ifregister_globals is enabled on the web server.

Introduction: bBlog is a blogging system written in PHP and releasedunder the GPL. It is used by thousands of bloggers worldwide and hasfeatures not found on other blogging systems including advanced commentspam prevention and threaded comments.

Discussion: The array $p is not initialised before being populated andpassed to $bBlog->make_post_query() on line 30 of rss.php. In anenvironment where register_globals is enabled, $p can be introduced tothe script with unfiltered elements from user input.

Using a specially crafted URL, POST data or cookie a remote user cangain access to the admin user's access credentials. Exploit withheld atproject maintainer's request.

Solution: This issue is fixed as of version 0.7.4. A patch for rss.phpof version 0.7.3 is available at the URL below:

http://www.servers.co.nz/security/patches/SCN200409-1/rss.php-patch.txt

------------------------------------------------------------

ABOUT SERVERS.CO.NZ LTD

Servers.co.nz are leaders in the design, implementation & auditing ofeffective online information systems for SMEs.


Phone: (NZ) 0800 4 SERVERS

------------------------------------------------------------


James McGlinn
Project Manager
BCom, BSc, Zend Certified Engineer (PHP)

Servers.co.nz Ltd

68 Shortland St, Auckland PO Box 3688 Shortland St, Auckland, NewZealand

Phone: 0800 4 SERVERS   Fax: +64 9 358 5187

Prev by Date: Multiple Vulnerabilities in AJ-Fork
Next by Date: EEYE: RealPlayer pnen3260.dll Heap Overflow
Previous by thread: Multiple Vulnerabilities in AJ-Fork
Next by thread: EEYE: RealPlayer pnen3260.dll Heap Overflow
Index(es):
- Date
- Thread