The original advisory can be found at
www.zion-security.com -> [advisories].


--
Thanks in advance,
Tal Argoni,CEH
www.zion-security.com

·= Security Advisory =·

Issue: SQL injection vulnerability in EasyMoblog by Umberto Caldera.
Discovered Date: 30/01/07
Author: Tal Argoni, LegendaryZion. [talargoni at gmail.com]
Product Vendor: http://sourceforge.net/project/showfiles.php?group_id=88633
Version: easymoblog-0.5.1
Details:

EasyMoblog is prone to an SQL injection vulnerability.
The flaw is in the comment_add() function, which builds an INSERT
statement by string concatenation and does not validate or filter
quotation marks and other metacharacters in the post_id value. That
value is taken from the GET parameter "i" or the POST parameter
"post_id". The other comment fields are passed through addslashes();
post_id is not.

comment_add() is defined in "libraries.inc.php" and is called by
"add_comment.php", which hands it the submitted form data unchanged.


Contents of libraries.inc.php:
---------------------------------
...

function comment_add ($comment) {
   ...
   // Every string field is wrapped in addslashes(), but post_id is
   // concatenated into the statement as received from the request.
   $query = "
            insert into ".CFG_MYSQL_TABPREFIX."comments
            (comment_author,comment_author_email,comment_text,comment_added,post_id)
            values (
                     '".addslashes($comment['comment_author'])."',
                     '".addslashes($comment['comment_author_email'])."',
                     '".addslashes($comment['comment_text'])."',
                     '".time()."',
                     '".$comment['post_id']."'
            )
   ";
   $res = mysql_query($query);

...

Contents of add_comment.php:
---------------------------------
...

// post_id is read from POST, falling back to the GET parameter "i";
// neither source is checked to be numeric.
$form['post_id'] = '';
if (isset($_POST['post_id']))      $form['post_id'] = $_POST['post_id'];
elseif (isset($_GET['i']))         $form['post_id'] = $_GET['i'];
else                               exit();
...

   if (count($errors) == 0) {
      $comment = $form;

      // the unvalidated post_id reaches comment_add() here
      $comment = comment_add ($comment);
      Header ("Location: list_comments.php?i=".$comment['post_id']);
      exit();
...
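The following is an added example and not EasyMoblog's own code. It reduces the advisory's string-built INSERT to a pure function so the effect of an attacker-controlled post_id can be inspected without a database, and then shows a hardened comment_add() and entry-point check. It assumes the CFG_MYSQL_TABPREFIX constant and a connected mysqli handle ($db) exist as in the application, that post_id is an integer column, and that comment_added is stored as an epoch integer (the original writes time() into it). The table prefix 'em_' used in the demonstration function is a stand-in, not the real default.

```php
<?php
// Added example, not part of EasyMoblog. Assumes CFG_MYSQL_TABPREFIX is
// defined and $db is a connected mysqli instance.

// 1. The vulnerable pattern from libraries.inc.php, as a pure function.
//    'em_' stands in for CFG_MYSQL_TABPREFIX (assumption).
function build_vulnerable_query(array $comment): string
{
    $prefix = 'em_';
    return "insert into {$prefix}comments "
         . "(comment_author,comment_author_email,comment_text,comment_added,post_id) values ("
         . "'" . addslashes($comment['comment_author']) . "',"
         . "'" . addslashes($comment['comment_author_email']) . "',"
         . "'" . addslashes($comment['comment_text']) . "',"
         . "'" . time() . "',"
         . "'" . $comment['post_id'] . "')";   // post_id is NOT escaped
}

// Constructed request data: what an attacker sends as ?i=... or post_id=...
$attacker = [
    'comment_author'       => 'a',
    'comment_author_email' => 'a@example.com',
    'comment_text'         => 'hi',
    'post_id'              => "1') -- ",      // ends the string and the VALUES list
];
// The closing quote and parenthesis in the payload terminate the INSERT early;
// whatever follows them is parsed by MySQL as SQL, not as a comment's post id.
echo build_vulnerable_query($attacker), "\n";

// 2. Hardened version: refuse non-numeric ids, and bind every value as a
//    parameter so quoting is handled by the driver rather than by string glue.
function comment_add_safe(mysqli $db, array $comment): ?int
{
    // post_id refers to a numeric post id; anything else is rejected outright.
    if (!ctype_digit((string) $comment['post_id'])) {
        return null;
    }
    $post_id = (int) $comment['post_id'];
    $added   = time();

    $sql = 'insert into ' . CFG_MYSQL_TABPREFIX . 'comments
            (comment_author, comment_author_email, comment_text, comment_added, post_id)
            values (?, ?, ?, ?, ?)';
    $stmt = $db->prepare($sql);
    if ($stmt === false) {
        return null;
    }
    $stmt->bind_param(
        'sssii',
        $comment['comment_author'],
        $comment['comment_author_email'],
        $comment['comment_text'],
        $added,
        $post_id
    );
    if (!$stmt->execute()) {
        $stmt->close();
        return null;
    }
    $id = (int) $stmt->insert_id;
    $stmt->close();
    return $id;
}

// 3. The same check belongs at the entry point in add_comment.php, so a
//    request such as add_comment.php?i=' is rejected before any SQL is built.
function read_post_id(array $post, array $get): ?int
{
    $raw = $post['post_id'] ?? $get['i'] ?? null;
    if ($raw === null || !ctype_digit((string) $raw)) {
        return null;          // caller should exit() or render an error
    }
    return (int) $raw;
}
```

Running the first part prints the statement the vulnerable code would hand to mysql_query(); with the constructed payload the closing quote lands where the application expected the post id to end. The parameterised version keeps the same column list and the same time() semantics, so it is a drop-in replacement once the code base has moved from the mysql_* functions to mysqli.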




Exploitation URL:
http://www.example.com/easymoblog/add_comment.php?i='[SQL]

A single quote in "i" closes the string literal around post_id, so the
remainder of the parameter is interpreted as SQL within the INSERT
statement. Successful exploitation allows execution of attacker-controlled
SQL. Depending on the database configuration this can be leveraged to
obtain user names, passwords and other stored data, to corrupt or
bulk-insert rows, or to cause a denial of service.

Proof Of Concept:
http://www.example.com/easymoblog/add_comment.php?i='[SQL]

Note that comment_add() is only reached when the form passes the script's
own validation (count($errors) == 0), so any other comment fields the
form requires must also be supplied with the request.


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/