WheatBlog 1.1 RFI/SQL Injection

Published: 2007.07.06
Credit: E.Minaev
Risk: High
CWE: CWE-89
CVE: CVE-2007-3557
Local: No
Remote: Yes

CVSS Base Score: 6.8/10
Impact Subscore: 6.4/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

Found by E.Minaev (underwater (at) itdefence (dot) ru [email concealed])
ITDefence.ru

1) SQL injection in the login function. The injection can be used to brute-force the table names of the
blog's database one character at a time (magic_quotes_gpc must be turned off).

------------------------------------------
// $login comes straight from the request and is interpolated unescaped into the query
$sql = "select * from $tblUsers where login = '$login'";
// the returned row is then compared against the submitted login and plaintext password
if ( $login != $row['login'] ) $valid_user = 0;
if ( $password != $row['password'] ) $valid_user = 0;
------------------------------------------
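For contrast, the following is an added example of how the same login check looks when the user-supplied value is bound as a parameter instead of being spliced into the SQL string. It is not WheatBlog's code; it assumes a PDO connection in $pdo and that the password column of the users table holds password_hash() output rather than plaintext.

```php
<?php
// Added example (not WheatBlog's code): login check that never interpolates
// request data into SQL. Assumes a PDO connection and hashed passwords.

function authenticate(PDO $pdo, string $tblUsers, string $login, string $password): bool
{
    // A table name cannot be a bound parameter, so it is restricted to a plain
    // identifier before being placed into the statement text.
    if (!preg_match('/^[A-Za-z0-9_]+$/', $tblUsers)) {
        throw new InvalidArgumentException('invalid table name');
    }

    // The login value travels as a bound parameter: quotes, comments or UNION
    // keywords inside it are treated as data, so there is nothing to escape and
    // the check no longer depends on magic_quotes_gpc (removed in PHP 5.4 anyway).
    $stmt = $pdo->prepare("SELECT login, password FROM `$tblUsers` WHERE login = :login LIMIT 1");
    $stmt->execute([':login' => $login]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false) {
        return false; // unknown user
    }

    // Compare against the stored hash instead of a plaintext password column.
    return password_verify($password, $row['password']);
}
```

Because the query text is fixed before execute() runs, the per-character table-name guessing described above has no injection point to work with; the only thing an attacker controls is the value matched against the login column.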

2) Remote File Inclusion (RFI) via the wb_class_dir parameter:
/includes/sessions.php?wb_class_dir=shell?
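As an added example (not WheatBlog's code), this is how a class directory can be resolved without letting the request pick the include path. It keeps the parameter name wb_class_dir from the advisory; the directory layout and the file name session.class.php are assumptions for illustration.

```php
<?php
// Added example (not WheatBlog's code): resolve the class directory from an
// allowlist so $_GET['wb_class_dir'] can never become part of an include path.

// Known directories, fixed in code. The request may at most choose a key.
$allowedClassDirs = [
    'default' => __DIR__ . '/../classes',   // assumed layout
];

function resolveClassDir(array $allowed, ?string $requested): string
{
    $key = $requested ?? 'default';
    if (!array_key_exists($key, $allowed)) {
        // Unknown or hostile value (a URL, "../", etc.): ignore it, use the default.
        $key = 'default';
    }
    $dir = realpath($allowed[$key]);
    if ($dir === false) {
        throw new RuntimeException('class directory missing');
    }
    return $dir;
}

$wb_class_dir = resolveClassDir($allowedClassDirs, $_GET['wb_class_dir'] ?? null);
require_once $wb_class_dir . '/session.class.php';   // assumed file name
```

As defence in depth, allow_url_include=Off in php.ini stops include/require from fetching remote URLs at all, and allow_url_fopen=Off restricts the remaining URL-aware functions; neither setting replaces the allowlist, since local file inclusion would still be reachable through an unvalidated path.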


Copyright 2013, cxsecurity.com