<<< Date Index >>>     <<< Thread Index >>>

[KAPDA::#32] - d2kBlog 1.0.3 Multiple Vulnerabilities



KAPDA New advisory

Vulnerable products : d2kBlog <= 1.0.3
Vendor: http://www.d2ksoft.com/
Risk: Medium
Vulnerabilities: SQL_Injection , Script Insertion

Date :
--------------------
Found : 2006/01/01
Vendor Contacted : 2006/01/02
Release Date : 2006/03/08

About D2KBlog :
--------------------
Free, open-sourced, full featured asp+access blog .

Vulnerability:
--------------------
SQL_Injection:
Input passed to the "memName" parameter in 'profile.asp' via the cookie is not 
properly sanitised before being used in a SQL query. This can be exploited to 
manipulate SQL queries by injecting arbitrary SQL code.
Successful exploitation extracts username and password of administrator.
Script Insertion:
Input passed to the "msg" field in 'default.asp' isn't properly sanitised 
before being used. This can be exploited to inject arbitrary HTML and script 
code, which will be executed in a user's browser session in context of an 
affected site when the malicious user data is viewed.

Proof of Concepts:
--------------------
SQL_Injection :
Cookie : memName=[SQL_Injection]

Script Insertion :
Default.asp , POST : 
name=KAPDA&email=KAPDA&msg=<script>alert("XSS")</script>&submit=Send+Message

Solution:
--------------------
No patch`s released yet by vendor.
Vendor`s contacted about two months ago.

Original Advisory:
--------------------
http://www.kapda.ir/advisory-287.html
Perl PoC : http://www.kapda.ir/attach-1453-d2kblog.txt

Credit :
--------------------
FarhadKey of KAPDA
DevilBox of KAPDA
farhadkey [at} kapda.ir
devil_box [at} kapda.ir
Kapda - Security Science Researchers Insitute of Iran
http://www.KAPDA.ir