EasyMoblog version 0.5.1 suffers from another SQL injection vulnerability. Details provided.
·= Security Advisory =·
Issue: SQL injection vulnerability in EasyMoblog by Umberto Caldera.
Discovered Date: 30/01/07
Author: Tal Argoni, LegendaryZion. [talargoni at gmail.com]
Product Vendor: http://sourceforge.net/project/showfiles.php?group_id=88633
Ver: easymoblog-0.5.1
Details:
EasyMoblog is prone to an SQL injection vulnerability.
The vulnerability exists in the comment_add() function, which is defined in
libraries.inc.php and called by add_comment.php. The post_id value is taken
from the GET parameter "i" or the POST parameter "post_id" and concatenated
into an INSERT statement without any validation or filtering of quotation
marks and other SQL metacharacters. The other comment fields are passed
through addslashes(); post_id is not.
Contents of libraries.inc.php:
---------------------------------
...
function comment_add ($comment) { .....
// every field except post_id goes through addslashes(); post_id is
// concatenated verbatim, so a quote in it terminates the string literal
$query = "
insert into ".CFG_MYSQL_TABPREFIX."comments
(comment_author,comment_author_email,comment_text,comment_added,post_id)
values (
'".addslashes($comment['comment_author'])."',
'".addslashes($comment['comment_author_email'])."',
'".addslashes($comment['comment_text'])."',
'".time()."',
'".$comment['post_id']."'
)
";
$res = mysql_query($query);   // executes the attacker-influenced statement
...
Contents of add_comment.php:
---------------------------------
...
$form['post_id'] = '';
if(isset($_POST['post_id'])) $form['post_id'] = $_POST['post_id'];   // POST wins if both are sent
elseif(isset($_GET['i'])) $form['post_id'] = $_GET['i'];             // otherwise GET "i"
else exit();
.........
if (count($errors) == 0) {   // reached only when the rest of the form validates
$comment = $form;
$comment = comment_add ($comment);   // post_id passed through unchanged
Header ("Location: list_comments.php?i=".$comment['post_id']);
exit();
...
Exploitation URL:
http://www.example.com/easymoblog/add_comment.php?i='[SQL]
Successful exploitation allows an attacker to inject arbitrary SQL into the
INSERT statement. Depending on the database account's privileges and the
server configuration, this can expose user names, password hashes and other
stored data, be used for denial of service, and more.
Note that comment_add() is only reached when the form passes its own
validation (count($errors) == 0), so the injected value is normally submitted
together with an otherwise valid comment. When both are present, the POST
parameter "post_id" takes precedence over the GET parameter "i".
Proof Of Concept:
http://www.example.com/easymoblog/add_comment.php?i='[SQL]
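Hardened form of comment_add(), as an added example that is not part of this advisory or of EasyMoblog. It assumes a PDO connection ($pdo, $dsn, $user and $pass are assumptions) and keeps the project's CFG_MYSQL_TABPREFIX constant; comment_add_safe() and the other names not on the page are hypothetical. The fix is twofold: post_id is validated as a decimal integer before any database work, and all values are bound to a prepared statement instead of being concatenated into the query text.

```php
<?php
// Added example (not EasyMoblog code): validated input plus a prepared
// statement in place of string concatenation.

// Connection setup. $dsn, $user and $pass are assumptions (config values).
// Emulated prepares are disabled so the MySQL server parses the statement
// and parameters are never interpolated into the SQL text client-side.
$pdo = new PDO($dsn, $user, $pass, [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);

function comment_add_safe(PDO $pdo, array $comment): array
{
    // post_id is a row id: accept only a non-empty string of decimal digits,
    // then cast. Rejecting early means no quote or metacharacter ever reaches
    // the query, whichever parameter (POST post_id or GET i) it came from.
    $raw_id = (string) ($comment['post_id'] ?? '');
    if ($raw_id === '' || !ctype_digit($raw_id)) {
        throw new InvalidArgumentException('post_id must be a positive integer');
    }
    $post_id = (int) $raw_id;

    // Only the configured table prefix (a constant, not user input) is still
    // assembled into the SQL text; every user-supplied value is a bound parameter.
    $sql = 'INSERT INTO ' . CFG_MYSQL_TABPREFIX . 'comments '
         . '(comment_author, comment_author_email, comment_text, comment_added, post_id) '
         . 'VALUES (:author, :email, :text, :added, :post_id)';
    $stmt = $pdo->prepare($sql);
    $stmt->bindValue(':author',  (string) ($comment['comment_author'] ?? ''),       PDO::PARAM_STR);
    $stmt->bindValue(':email',   (string) ($comment['comment_author_email'] ?? ''), PDO::PARAM_STR);
    $stmt->bindValue(':text',    (string) ($comment['comment_text'] ?? ''),         PDO::PARAM_STR);
    $stmt->bindValue(':added',   time(),                                            PDO::PARAM_INT);
    $stmt->bindValue(':post_id', $post_id,                                          PDO::PARAM_INT);
    $stmt->execute();

    // The caller redirects with this value; it is now guaranteed to be numeric,
    // so the Location header cannot carry attacker-controlled characters either.
    $comment['post_id'] = $post_id;
    return $comment;
}

// Caller side, replacing the add_comment.php fragment shown above: reject a
// non-numeric id before form validation or any database work happens.
$raw = $_POST['post_id'] ?? $_GET['i'] ?? null;
if ($raw === null || !ctype_digit((string) $raw)) {
    http_response_code(400);
    exit('invalid post id');
}
$form['post_id'] = (int) $raw;
// ... remaining form validation into $errors as in the original ...
if (count($errors) == 0) {
    $comment = comment_add_safe($pdo, $form);
    header('Location: list_comments.php?i=' . $comment['post_id']);
    exit();
}
```

The integer check is what closes this particular hole; the prepared statement is what keeps the other fields safe once addslashes() is removed, since addslashes() is not a complete escaping routine for every MySQL connection character set. Both belong in the fix: validating post_id alone leaves the query still built by concatenation, and binding alone would still let a non-numeric id reach the database as a string.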