ADZ Security Team
===================
Info

Program: Serendipity web blog system
Version: 0.8beta4
Module: exit.php
Bug type: SQL Injection
Vendor site: http://www.s9y.org/
Vendor Informed: Yes
===================
Bug Info

// code start
//.......
// $_GET['url_id'] and $_GET['entry_id'] are interpolated straight into the query
$links = serendipity_db_query("SELECT link FROM {$serendipity['dbPrefix']}references WHERE id = {$_GET['url_id']} AND entry_id = {$_GET['entry_id']}", true);
//.......
// no checks here...
//.......
if (is_array($links) && isset($links['link'])) {
    // URL is valid. Track it.
    $url = $links['link'];
}
//......
if (serendipity_isResponseClean($url)) {
    header('HTTP/1.0 301 Moved Permanently');
    header('Location: ' . $url);
}
//......
// code end

As we can see, neither $_GET['url_id'] nor $_GET['entry_id'] is validated before being placed in the SQL statement. If "bad" SQL code is inserted into either parameter, whatever value the manipulated query selects is echoed back by the server in the "Location: xxxx" header, and that value could be an account login/password hash :)

Sorry for my English :)

Exploit/PoC:
See exploit in attached adz_serendipity.pl
===================
Contact

ADZ Security Team
URL: http://adz.void.ru/
IRC: #adz @ QuakeNet
MAIL: kre0n@xxxxxxx, adz.kreon@xxxxxxxxx (for non-russian users)
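For comparison with the exit.php fragment quoted above, here is how the same lookup looks once both request parameters are validated as integers and bound through a prepared statement, so request text can never become part of the SQL. This is an added example written for this page, not code from the advisory or from the Serendipity project; it assumes PDO with the SQLite driver for a self-contained demo, and the table name, column names and sample row are constructed to mirror the quoted query.

```php
<?php
// Added example (not Serendipity code): the exit.php lookup rewritten so the
// two request parameters can never reach the SQL text as raw strings.

declare(strict_types=1);

// Hardened lookup: both parameters must be non-negative integers, and they are
// passed to the database as bound parameters rather than interpolated.
// Returns the stored link, or null when the input is invalid or no row matches.
function lookupReferenceLink(PDO $db, array $get, string $prefix = 'serendipity_'): ?string
{
    $opts    = ['options' => ['min_range' => 0]];
    $urlId   = filter_var($get['url_id']   ?? null, FILTER_VALIDATE_INT, $opts);
    $entryId = filter_var($get['entry_id'] ?? null, FILTER_VALIDATE_INT, $opts);
    if ($urlId === false || $entryId === false) {
        return null; // reject the request instead of running whatever was supplied
    }

    // The table prefix comes from server-side configuration, never from the
    // request, so it is the only value that may be interpolated into the SQL.
    $stmt = $db->prepare(
        "SELECT link FROM {$prefix}references WHERE id = :id AND entry_id = :entry_id"
    );
    $stmt->execute([':id' => $urlId, ':entry_id' => $entryId]);
    $link = $stmt->fetchColumn();

    return $link === false ? null : (string) $link;
}

// Redirect only to an absolute http(s) URL without CR/LF; anything else gets a
// 404 so the endpoint cannot be turned into an open redirect or used for
// header injection even if the stored link were ever tampered with.
function safeRedirect(?string $url): void
{
    if ($url === null || !preg_match('#^https?://[^\s\r\n]+$#i', $url)) {
        header('HTTP/1.0 404 Not Found');
        return;
    }
    header('HTTP/1.0 301 Moved Permanently');
    header('Location: ' . $url);
}

// Self-contained demo on an in-memory SQLite table with a constructed sample row.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE serendipity_references (id INTEGER, entry_id INTEGER, link TEXT)');
$db->exec("INSERT INTO serendipity_references VALUES (1, 10, 'http://example.com/')");

// Well-formed request: the stored link is returned and the redirect is issued.
safeRedirect(lookupReferenceLink($db, ['url_id' => '1', 'entry_id' => '10']));

// Non-integer parameter: rejected by filter_var before any SQL is prepared,
// so nothing from the request can alter the statement or leak through Location.
safeRedirect(lookupReferenceLink($db, ['url_id' => '1 OR 1=1', 'entry_id' => '10']));

// Valid integers but no matching row: null, and the client receives a 404.
safeRedirect(lookupReferenceLink($db, ['url_id' => '2', 'entry_id' => '10']));
```

The two changes that matter are the integer validation (which removes the whole class of string-based injection for numeric identifiers) and the bound parameters (which keep the database from ever parsing request data as SQL). The URL check in safeRedirect is a secondary defence on the output side, in the same spirit as the serendipity_isResponseClean() call in the original fragment.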
Attachment:
adz_serendipity.pl
Description: Binary data