Date: Mon, 17 Apr 2006 05:11:13 -0700 (PDT)
From: h e <het_ebadi@yahoo.com.>
Subject: blur6ex Local File Inclusion and SQL injection .
To: [email protected],
"[email protected]" <bugs@securitytracker.com.>,
"[email protected]" <bugtraq@securityfocus.com.>,
"[email protected]" <content-editor@securityfocus.com.>,
"[email protected]" <editor@securityfocus.com.>,
"[email protected]" <expert@securiteam.com.>,
"[email protected]" <news-editor@securityfocus.com.>,
"[email protected]" <vuldb@securityfocus.com.>,
"[email protected]" <vuln@secunia.com.>,
"[email protected]" <webmaster@secunia.com.>,
"[email protected]" <webmaster@securityfocus.com.>
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
X-Virus-Scanned: antivirus-gw at tyumen.ru
blur6ex Local File Inclusion and SQL injection .
A blog and simple content engine. Supports many
features found in larger systems
such as CSS layouts, RSS feeds, comments, trackbacks,
categories, archives, drafts, searching
MMS posting, and a multi-user permissions system.
Still in development and a little rough around the
edges.
The codebase is hackable, though, and hobbyists or
those knowing a little PHP will find it quite
customizable.
http://www.blursoft.com
Credit:
The information has been provided by Hamid Ebadi
( Hamid Network Security Team) : admin[at]hamid[dot]ir
.
The original article can be found at :
http://www.hamid.ir/security
Vulnerable Systems:
Version: 0.3.462 (and below)
Local file inclusion :
Input passed to the "shard" parameter in "index.php"
isn't properly verified, before it is used to include
files.
This can be exploited to include/see arbitrary files
from local resources.
The following URL will cause local file inclusion:
http://localhost/blur6ex-0.3.462/index.php?shard=/../../../../../[local-file]%00
Successful exploitation requires that
"magic_quotes_gpc" is disabled.
SQL injection :
Input passed to the "searchterm" and "ID" parameters
in "index.php" isn't properly sanitised before being
used in a SQL query.
This can be exploited to manipulate SQL queries by
injecting arbitrary SQL code.
Cross-Site Scripting (XSS :
Input passed to the "shard" and "errormsg" parameter
in index.php is not properly sanitised before being
returned to the user.
This can be exploited to execute arbitrary HTML and
script code in a user's browser session in context of
an affected site.
http://localhost/blur6ex-0.3.462/index.php?shard=<script>alert(document.cookie)</script>
http://localhost/blur6ex-0.3.462/index.php?shard=login&action=g_error&errormsg=<script>alert(document.cookie)</script>
__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com