by r0t,der4444,cembo,VietMafia

Monday, December 05, 2005

Blog System v1.2 SQL inj. vuln.

Vuln. discovered by: r0t
Date: 5 dec. 2005
Vendor: http://www.netartmedia.net/blogsystem/
Affected version: v1.2 and prior

Product Description:
Blog System allows you to launch and run powerful blog portals and your own weblog hosting service or simply integrate blog functionality to your existing website. The system offers rich functionality for the blog users to update their blogs (add notes, comments, upload pictures and create photo albums, upload audio and video files and many others) and for the administrators to monitor and control the whole system (monitor the users, the space occupied and the bandwidth of the blogs, manage the website structure and content with a powerful CMS and many others). Blog System is a reliable blog software product which comes with an easy customizable template based front site and blog administration space. In order to run a blog portal with it, you don't need your own server or virtual server but just an ordinary hosting package supporting PHP and MySQL. We offer flexible payment schemes and free customization of the blog portal front site in order that it matches the best your needs.

Vuln. Description:
Input passed to the "cat" parameter in "index.php" and "note" parameter in "blog.php" isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

example:
/blog.php?user=r0t&note=[SQL]
/index.php?mode=home&cat=[SQL]


Solution:
Edit the source code to ensure that input is properly sanitised.
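
One way to apply this fix, as an added example that is not Blog System's source and not part of the original advisory. It assumes "cat" and "note" are numeric ids; the `notes` table, its columns and the helpers `int_param` and `fetch_note` are hypothetical. It uses an in-memory SQLite database through PDO so it runs offline; the same prepared-statement calls work with the PDO MySQL driver.

```php
<?php
// Added example, not Blog System source. Table, columns and helper names are
// hypothetical; "note" and "cat" are assumed to be numeric ids.

// Constructed in-memory database so the example runs offline (needs pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE notes (id INTEGER PRIMARY KEY, author TEXT, body TEXT)');
$seed = $db->prepare('INSERT INTO notes (id, author, body) VALUES (?, ?, ?)');
$seed->execute([1, "o'brien", 'first note']);
$seed->execute([2, 'bob', 'second note']);

// Return the named parameter as a positive integer, or null when it is
// missing, an array, or anything other than a plain decimal number.
function int_param(array $query, string $name): ?int
{
    $value = filter_var($query[$name] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    return $value === false ? null : $value;
}

// Look up one note. Both request values reach the database only as bound
// parameters; the SQL text itself is a constant.
function fetch_note(PDO $db, array $query): ?array
{
    $noteId = int_param($query, 'note');
    $user = $query['user'] ?? null;
    if ($noteId === null || !is_string($user)) {
        return null; // reject before any SQL runs
    }
    $stmt = $db->prepare(
        'SELECT id, author, body FROM notes WHERE author = :author AND id = :id');
    $stmt->bindValue(':author', $user, PDO::PARAM_STR);
    $stmt->bindValue(':id', $noteId, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed requests; in the application the array would be $_GET, and
// "cat" in index.php would go through int_param() the same way.
$requests = [
    ['user' => "o'brien", 'note' => '1'],        // quote in the name is bound as data
    ['user' => "o'brien", 'note' => '1 OR 1=1'], // not an integer, rejected
    ['user' => "o'brien", 'note' => ['1']],      // array value, rejected
];
foreach ($requests as $q) {
    $row = fetch_note($db, $q);
    echo json_encode($q), ' => ', $row === null ? 'rejected or not found' : $row['body'], "\n";
}
```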

7 Comments:

Anonymous Anonymous told...

Wow, thanks for totally ripping my post on bugtraq. Noob.
http://www.securityfocus.com/archive/1/418640

11:45 PM

 
Blogger r0t told...

fuck off ripper!

5:48 AM

 
Anonymous Anonymous told...

Stupid lamer steals info from your blog and posts it on bugtraq as his own find.

3:00 PM

 
Anonymous Anonymous told...

This is bullshit!!!!!

Try it for yourself ... (for example www.blog23.com is a website running Blog System v1.2)

http://www.blog23.com/blog.php?user=r0t&note=[SQL]
http://www.blog23.com//index.php?mode=home&cat=[SQL]

4:51 PM

 
Anonymous Anonymous told...

Change "r0t" to an existing member name. It was already tested on blog23.com

5:27 PM

 
Anonymous Anonymous told...

Even if such problems existed, it seems that everything is ok now ...

6:37 PM

 
Blogger r0t told...

vipsta, I checked your report. OK, I will say you reported that bug on SecurityFocus some hours faster; you must know the report and publish times.
At that time I had also posted another advisory for the same vendor; I don't have the time or the will to post other people's advisories.
In the couple of minutes a day that I have free, I test some web applications and then post my reports here.
About SecurityFocus: I never sent them any of my reports. When you look at the time on SecurityFocus, it will be the time when one of the SecurityFocus guys found my report here and published it there.

And if you think that you are l33t, then you are a dumb lamer and that's all.

9:12 PM

 

Copyright (c) 2006 Pridels Sec Crew