myBloggie login.php username Variable Null Character SQL Injection

2005-10-01T01:32:00
ID OSVDB:19935
Type osvdb
Reporter rgod(retrogod@aliceposta.it)
Modified 2005-10-01T01:32:00

Description

Vulnerability Description

myBloggie contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the login.php script not properly sanitizing user-supplied input beginning with a null character to the 'username' variable. This may allow an attacker to inject or manipulate SQL queries in the backend database.

Technical Description

Steven M. Christey (CVE) points out this is essentially the same vulnerability as previously discovered (OSVDB 19218), but incorrectly fixed. The source code shows:

     // Security precaution - sean 03 sep 2005
[!]  if(ereg('[^A-Za-z0-9_]', $username)){

This is the attempted fix for the previous injection, but it does not fully mitigate the issue. ereg() is not binary-safe: it treats its argument as a C string and stops at the first null byte, so a username that begins with a null character looks empty to the whitelist test while the full string, including any bytes after the null, still reaches the query. rgod's subsequent find is therefore really an interaction error / null character problem that, in this case, happens to have resultant SQL injection.

This vulnerability is only present when the magic_quotes_gpc PHP option is 'off'.
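As an added illustration, not myBloggie's code and not part of the advisory, the following PHP shows how the whitelist check can be rewritten with a binary-safe function and how the lookup can be made a parameterised query so the login no longer depends on input filtering at all. The users table, its columns, the PDO connection, the length bound and the test inputs are assumptions constructed for the example.

```php
<?php
// Added example (not myBloggie's code): a null-byte-safe username whitelist
// plus a parameterised lookup. Table/column names and the PDO handle are
// assumptions for illustration only.

/**
 * Returns true only if $username consists solely of [A-Za-z0-9_] over its
 * entire byte length. preg_match() is binary-safe, unlike the old ereg()
 * check, so an embedded "\0" cannot hide the bytes that follow it.
 */
function is_valid_username(string $username): bool
{
    // Explicit guard first: a null byte is never legitimate in a username.
    if (strpos($username, "\0") !== false) {
        return false;
    }
    // Length bound is an assumption. The 'D' modifier makes '$' match only
    // at the very end of the string, not before a trailing newline.
    return preg_match('/^[A-Za-z0-9_]{1,32}$/D', $username) === 1;
}

/**
 * Look up a user row with a prepared statement. Even if validation were
 * bypassed, the username is passed as a bound parameter and never
 * concatenated into SQL, so magic_quotes_gpc is irrelevant here.
 * $pdo is assumed to be an already-open PDO connection.
 */
function fetch_user(PDO $pdo, string $username): ?array
{
    if (!is_valid_username($username)) {
        return null;
    }
    $stmt = $pdo->prepare('SELECT user_id, password FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed inputs showing what the binary-safe check accepts and rejects.
$cases = [
    'alice_01'              => true,
    "\0'"                   => false, // leading null byte followed by a quote
    "bob\n"                 => false, // trailing newline, caught by the D modifier
    'bob; DROP TABLE users' => false, // characters outside the whitelist
];
foreach ($cases as $input => $expected) {
    $ok = is_valid_username($input) === $expected;
    printf("%-28s %s\n", json_encode($input), $ok ? 'as expected' : 'UNEXPECTED');
}
```

The whitelist alone would have been enough to stop this particular bypass once a binary-safe function is used, but the prepared statement is the control that actually removes the SQL injection class regardless of how validation evolves or how PHP is configured.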

Solution Description

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

Short Description

myBloggie contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the login.php script not properly sanitizing user-supplied input beginning with a null character to the 'username' variable. This may allow an attacker to inject or manipulate SQL queries in the backend database.

References:

Vendor URL: http://www.mywebland.com/
Security Tracker: 1014995
Related OSVDB ID: 19218
Other Advisory URL: http://rgod.altervista.org/mybloggie213b.html
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-09/0368.html
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-12/0126.html
CVE-2005-3153
CVE-2005-3362