Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

gregarius-sql.txt

🗓️ 29 Jul 2008 00:00:00Reported by James BercegayType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 23 Views

Gregarius <= 0.5.4 SQL Injection allows unauthorized access to admin credentials and database content. Users advised to update immediately

Code
`##########################################################  
# GulfTech Security Research July 29, 2008  
##########################################################  
# Vendor : Marco Bonetti  
# URL : http://www.gregarius.net/  
# Version : Gregarius <= 0.5.4  
# Risk : SQL Injection  
##########################################################  
  
  
Description:  
Gregarius is a popular web-based RSS/RDF/ATOM feed aggregator  
written in php. There are some SQL Injection issues in Gregarius  
that allow for the disclosure of database contents and ultimately  
the complete compromise of the Gregarius installation via exposed  
admin credentials. It is advised that Gregarius users update their  
gregarius installations as soon as possible.  
  
  
  
SQL Injection:  
Gregarius contains a number of SQL Injection issues that allow for  
an attacker to expose admin credentials with no kind of authentication  
needed. Lets have a look at the following code taken from /ajax.php  
  
  
function __exp__getFeedContent($cid) {  
ob_start();  
rss_require('cls/items.php');  
  
$readItems = new ItemList();  
  
$readItems -> populate(" not(i.unread & ". RSS_MODE_UNREAD_STATE .")  
and i.cid= $cid", "", 0, 2, ITEM_SORT_HINT_READ);  
$readItems -> setTitle(LBL_H2_RECENT_ITEMS);  
$readItems -> setRenderOptions(IL_TITLE_NO_ESCAPE);  
foreach ($readItems -> feeds[0] -> items as $item) {  
$item -> render();  
}  
$c = ob_get_contents();  
  
ob_end_clean();  
return "$cid|@|$c";  
}  
  
  
The above function is called by sajax_handle_client_request() and  
allows for an attacker to specify the content of $cid via the rsargs[]  
array. This being the case an attacker is able to influence the query  
regardless of magic_quotes_gps settings etc.  
  
/ajax.php?rs=__exp__getFeedContent&rsargs[]=-99 UNION SELECT concat(  
char(58),uname,char(58),password),2,3,4,5,6,7,8,9,0,1,2,3 FROM users/*  
  
The above query would successfully dump the users table to the browser.  
The password hashes in the database are md5 encrypted, but an attacker  
only need to md5 encrypt that password hash and place it in a cookie   
with the format of user|hash to gain access to the administrative controls.  
  
  
  
Solution:  
The Gregarius developers have been made aware of this issue, and users  
are encouraged to upgrade as soon as possible.  
  
  
  
Credits:  
James Bercegay of the GulfTech Security Research Team  
  
  
  
Related Info:  
The original advisory can be found at the following location  
http://www.gulftech.org/?node=research&article_id=00119-07302008  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
29 Jul 2008 00:00Current
7.4High risk
Vulners AI Score7.4
gregariussql injectionunauthorized accessupdate requiredgulftech security
23