Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

SQL Injection vulnerability in bBlog 0.7.3
From: James McGlinn <james () servers co nz>
Date: Fri, 1 Oct 2004 16:05:02 +1200

Servers.co.nz Security Advisory SCN200409-1
Available in HTML format at http://www.servers.co.nz/security/SCN200409-1.php
------------------------------------------------------------

SQL Injection vulnerability in bBlog 0.7.3

Author: James McGlinn, Servers.co.nz Ltd <james_at_servers dot co dot nz>
Discovery Date: September 28, 2004
Package: bBlog
Versions Affected: 0.7.2, 0.7.3
Severity: Severe - a remote user can gain administrative privileges.

------------------------------------------------------------

Problem: There is an SQL Injection vulnerability in versions of bBlog prior to 0.7.3, which can be exploited to gain administrative access if register_globals is enabled on the web server.

Introduction: bBlog is a blogging system written in PHP and released under the GPL. It is used by thousands of bloggers worldwide and has features not found on other blogging systems including advanced comment spam prevention and threaded comments.

Discussion: The array $p is not initialised before being populated and passed to $bBlog->make_post_query() on line 30 of rss.php. In an environment where register_globals is enabled, $p can be introduced to the script with unfiltered elements from user input.

Using a specially crafted URL, POST data or cookie a remote user can gain access to the admin user's access credentials. Exploit withheld at project maintainer's request.

Solution: This issue is fixed as of version 0.7.4. A patch for rss.php of version 0.7.3 is available at the URL below:
http://www.servers.co.nz/security/patches/SCN200409-1/rss.php-patch.txt

------------------------------------------------------------

ABOUT SERVERS.CO.NZ LTD

Servers.co.nz are leaders in the design, implementation & auditing of effective online information systems for SMEs.

Phone: (NZ) 0800 4 SERVERS

------------------------------------------------------------


James McGlinn
Project Manager
BCom, BSc, Zend Certified Engineer (PHP)

Servers.co.nz Ltd
68 Shortland St, Auckland PO Box 3688 Shortland St, Auckland, New Zealand
Phone: 0800 4 SERVERS   Fax: +64 9 358 5187

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


  By Date           By Thread  

Current thread:
  • SQL Injection vulnerability in bBlog 0.7.3 James McGlinn (Oct 01)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault