Sql_Vulnerability_EasymoBlog.txt

06 Feb 2007 00:00:00 | Reported by Tal Argoni | Type: packetstorm | Source: packetstormsecurity.com

SQL injection vulnerability in EasyMoblog by Umberto Caldera. Lack of input validation/filtering in the post_details function.

`   
·= Security Advisory =·  
  
Issue: SQL injection vulnerability in EasyMoblog by Umberto Caldera.  
Discovered Date: 30/01/07  
Author: Tal Argoni, LegendaryZion. [talargoni at gmail.com]  
Product Vendor: http://sourceforge.net/project/showfiles.php?group_id=88633  
Ver: easymoblog-0.5.1  
Details:  
  
EasyMoblog is prone to an SQL injection vulnerability.  
The vulnerability exists in the post_details function and is caused by the  
lack of input validation/filtering of quotation marks and other malicious  
characters in the GET parameter "i".  
  
The post_details function is defined in "libraries.inc.php" and is called  
by "list_comments.php", which passes it the unfiltered value of "i".  
  
  
  
  
Contents of libraries.inc.php:  
---------------------------------  
...  
  
function post_details ($post_id) {  
if (CFG_USE_PATH_INFO == 'no')  
$iisbug = '?';  
else  
$iisbug = '';  
  
$query = "  
select p.*, count(c.post_id) as post_comments, count(tr.post_id) as post_trackback_pings, t.topic_name, concat(t.img_id,'.',i.img_extension) as topic_img  
from ".CFG_MYSQL_TABPREFIX."posts p  
left join ".CFG_MYSQL_TABPREFIX."comments c  
on p.post_id = c.post_id  
left join ".CFG_MYSQL_TABPREFIX."trackback_pings tr  
on p.post_id = tr.post_id  
left join ".CFG_MYSQL_TABPREFIX."topics t  
on p.topic_id = t.topic_id  
left join ".CFG_MYSQL_TABPREFIX."images i  
on t.img_id = i.img_id  
where p.post_id = '".$post_id."'  
group by p.post_id  
";  
$res = mysql_query($query);  
  
...  
  
Contents of list_comments.php:  
---------------------------------  
...  
  
$post_id = '';  
if (isset($_GET['i'])) $post_id = $_GET['i'];  
  
$post = post_details ($post_id);  
...  
  
  
  
  
Exploitation URL:  
http://www.example.com/easymoblog/list_comments.php?i='[SQL]  
  
Successful exploitation may allow execution of SQL code.  
This could also be exploited to obtain passwords, user names,  
and other information, to carry out denial-of-service attacks, and more.  
  
Proof Of Concept:  
http://www.example.com/easymoblog/list_comments.php?i='[SQL]  
  
  
`
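
A hardened form of the call path shown in the advisory, as an added example that is not part of the advisory or of EasyMoblog's code: the `i` value is validated before use and bound as a query parameter instead of being concatenated into the SQL string. It assumes `post_id` is a positive integer and swaps `mysql_query()` for PDO; `parse_post_id`, the `emb_` prefix, the table columns and the in-memory SQLite database are hypothetical stand-ins, and the query is shortened to the posts/comments join.

```php
<?php
// Added example, not EasyMoblog code. Assumes post_id is a positive integer;
// PDO replaces mysql_query(); in-memory SQLite stands in for MySQL.
const CFG_MYSQL_TABPREFIX = 'emb_';   // constructed prefix value

// Accept the GET parameter "i" only if it is a positive integer.
function parse_post_id($raw): ?int {
    if (!is_string($raw)) {
        return null;                  // missing value or array (?i[]=...)
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// post_details() with the id bound as a parameter instead of concatenated.
function post_details(PDO $pdo, int $post_id): ?array {
    $sql = 'select p.*, count(c.post_id) as post_comments
            from ' . CFG_MYSQL_TABPREFIX . 'posts p
            left join ' . CFG_MYSQL_TABPREFIX . 'comments c
              on p.post_id = c.post_id
            where p.post_id = :post_id
            group by p.post_id';
    $stmt = $pdo->prepare($sql);
    $stmt->bindValue(':post_id', $post_id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample data.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('create table emb_posts (post_id integer primary key, post_title text)');
$pdo->exec('create table emb_comments (comment_id integer primary key, post_id integer)');
$pdo->exec("insert into emb_posts values (1, 'hello')");
$pdo->exec('insert into emb_comments values (1, 1), (2, 1)');

// Constructed values for $_GET['i']: valid, quote-bearing, non-numeric, array.
foreach (['1', "1'", 'abc', ['1']] as $raw) {
    $id = parse_post_id($raw);
    $post = $id === null ? null : post_details($pdo, $id);
    printf("%-8s => %s\n", json_encode($raw), $post === null
        ? 'rejected or not found'
        : "post {$post['post_id']}, {$post['post_comments']} comments");
}
```

The validator alone stops the quote-bearing value, but binding the parameter is what keeps the query structure fixed even if a caller skips validation.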
