ID EXPLOITPACK:484C9783EFE3F975764530FD28A200DE Type exploitpack Reporter LiquidWorm Modified 2011-02-12T00:00:00
Description
PixelPost 1.7.3 - Multiple POST SQL Injections
--------------------------------------------------------------------
Pixelpost 1.7.3 Multiple POST Variables SQL Injection Vulnerability
Vendor: Pixelpost.org
Product web page: http://www.pixelpost.org
Affected version: 1.7.3
Summary: Pixelpost is an open-source, standards-compliant, multi-lingual,
fully extensible photoblog application for the web. Anyone who has web-space
that meets the requirements can download and use Pixelpost for free!
Desc: Pixelpost is vulnerable to an SQL Injection attack when input is passed
to several POST parameters (findfid, id, selectfcat, selectfmon, selectftag).
The script (admin/index.php) fails to properly sanitize the input before it is
used and returned to the user, allowing an attacker to compromise the entire
database and view sensitive information.
Tested on: Microsoft Windows XP Professional SP3 (EN)
           Apache 2.2.14 (Win32)
           PHP 5.3.1
           MySQL 5.1.41
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            liquidworm gmail com
                            Zero Science Lab - http://www.zeroscience.mk
Advisory ID: ZSL-2011-4992
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-4992.php
03.02.2011
--------------------------------------------------------------------
Vulnerable variables:
- findfid
- id
- selectfcat
- selectfmon
- selectftag
Example:
POST /pixelpost_v1.7.3/admin/index.php?view=images HTTP/1.0
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)
Host: localhost
Content-Length: 62
Cookie: PHPSESSID=9nqb5cbq1v4si85tidd4gas166;passwordbla=
Connection: Close
Pragma: no-cache
selectfcat=3&selectftag=1&selectfmon=1&findfid=1[SQLi]&findid=Go%21
------
HTTP/1.1 200 OK
You have an error in your SQL syntax; check the manual that corresponds to your
MySQL server version for the right syntax to use near '' limit 0,1' at line 1.
-------
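The defect class behind the request above, as an added example that is not Pixelpost's own code: a numeric POST value such as findfid is interpolated straight into a MySQL query, so a stray quote yields exactly the kind of syntax error shown in the response. The query shape (`... WHERE id = '...' LIMIT 0,1`), the table name `pixelpost_pixelpost` and the column `id` are assumptions inferred from the error text, not taken from the Pixelpost source. The hardened version validates all five parameters named in the advisory as non-negative integers and binds the value through a mysqli prepared statement.

```php
<?php
declare(strict_types=1);

// Vulnerable pattern (hypothetical, modelled on the advisory's error message):
// the raw POST value is interpolated into the SQL string, so any quote in the
// input changes the query's structure instead of being treated as data.
function buildQueryVulnerable(array $post): string
{
    $findfid = $post['findfid'] ?? '';
    return "SELECT * FROM pixelpost_pixelpost WHERE id = '$findfid' LIMIT 0,1";
}

// Hardened replacement: every parameter the advisory lists is numeric in the
// form, so reject anything that is not a non-negative integer before it can
// reach the database, and bind the value instead of interpolating it.
final class ImageFilter
{
    private const INT_PARAMS = ['findfid', 'id', 'selectfcat', 'selectfmon', 'selectftag'];

    /** @return array<string,int> validated parameters; throws on any other input */
    public static function validate(array $post): array
    {
        $clean = [];
        foreach (self::INT_PARAMS as $name) {
            if (!array_key_exists($name, $post)) {
                continue; // optional parameter not supplied by this form
            }
            // FILTER_VALIDATE_INT rejects "1'", "1 OR 1=1", "" and similar inputs.
            $value = filter_var($post[$name], FILTER_VALIDATE_INT,
                                ['options' => ['min_range' => 0]]);
            if ($value === false) {
                throw new InvalidArgumentException("Parameter $name must be a non-negative integer");
            }
            $clean[$name] = $value;
        }
        return $clean;
    }

    // Assumed table/column names; the prepared statement keeps the value out of
    // the SQL text entirely, so even a validated integer is bound, not pasted.
    public static function findById(mysqli $db, array $post): ?array
    {
        $params = self::validate($post);
        if (!isset($params['findfid'])) {
            return null;
        }
        $stmt = $db->prepare('SELECT * FROM pixelpost_pixelpost WHERE id = ? LIMIT 0,1');
        $stmt->bind_param('i', $params['findfid']);
        $stmt->execute();
        $row = $stmt->get_result()->fetch_assoc();
        $stmt->close();
        return $row ?: null;
    }
}

// Constructed request body, taken from the advisory's example with the [SQLi]
// placeholder replaced by a single stray quote: the input that produces the
// "near '' limit 0,1'" syntax error the advisory shows.
$constructedPost = ['selectfcat' => '3', 'selectftag' => '1', 'selectfmon' => '1',
                    'findfid' => "1'", 'findid' => 'Go!'];

// The vulnerable builder happily emits broken SQL for this body.
echo buildQueryVulnerable($constructedPost), PHP_EOL;

// The hardened path refuses the same body before any query is built.
try {
    ImageFilter::validate($constructedPost);
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), PHP_EOL;
}

// A well-formed body passes and comes back as typed integers.
$goodPost = $constructedPost;
$goodPost['findfid'] = '1';
var_dump(ImageFilter::validate($goodPost));
```

Validation and binding are independent layers: the integer check gives a clear error to the user and a loggable event for the defender, while the prepared statement guarantees that a future parameter which is not numeric (a tag name, say) still cannot alter the query. `findById` needs a live mysqli connection and is shown only to make the bound-parameter form concrete; the validation half runs stand-alone.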