[UNIX] myBloggie SQL Injection/Privilege Escalation

From: SecuriTeam (support_at_securiteam.com)
Date: 09/27/05

  • Next message: SecuriTeam: "[UNIX] Perl Module pam_per_user Authentication Bypassing" 
    To: list@securiteam.com
Date: 27 Sep 2005 15:43:04 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      myBloggie SQL Injection/Privilege Escalation
    ------------------------------------------------------------------------

    SUMMARY

     <http://mybloggie.mywebland.com/> myBloggie is "a Weblog system built
    using PHP and mySQL".

    myBloggie vulnerable to SQL injection vulnerability caused by improper
    validation of user-supplied inputs. This vulnerability can be exploited to
    bypass authentication mechanism, escalate the privileges to administrator
    level and also made to reveal system specific information.

    DETAILS

    Vulnerable Systems:
     * myBloggie versions 2.1.3-beta and prior

    User supplied credential inputs ('$username' and '$passwd') are not
    sanitized in login.php before subjecting them to SQL query.

    Vulnerable code:
    <----------------------------login.php
    snippet--------------------------------->
    if (isset($_POST['username'])) {
    $username=$_POST['username'];
    } else $username="";

    $result = mysql_query( "SELECT user FROM ".USER_TBL." WHERE
    user='$username'
                      AND password='$passwd'" ) or error( mysql_error() );
    <--------------------------------------------------------------------------->

    This can be exploited in multiple ways,
    1. Authentication Bypass: A malicious user can log on to the weblog system
    without submitting the password by placing queries such as this "admin' OR
    'x'='x" in the User Name field.
    2. Privilege Escalation: When a non-administrative user submits, for
    example "user1' OR 'x'='x", into the User Name field, administrative
    privileges will be granted.
    3. Path Disclosure: Path information can be made to disclose in error
    pages by passing invalid query to User Name field of login.php.

    Proof of Concept:
    POST http://example.com/mybloggie/login.php?username=admin' OR 'x'='x
    POST http://example.com/mybloggie/login.php?username=normal_user' OR
    'one'='one
    POST http://example.com/mybloggie/login.php?username='1=1 --

    Patch Availability:
    Patch: <http://mywebland.com/forums/showtopic.php?t=399>
    http://mywebland.com/forums/showtopic.php?t=399

    Disclosure Timeline:
     * 01.09.05 - Issue Discovered
     * 02.09.05 - Reported to the vendor
     * 03.09.05 - Patch Released
     * 05.09.05 - Advisory Released

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:os2a.bto@gmail.com>
    os2a.bto.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

  • Next message: SecuriTeam: "[UNIX] Perl Module pam_per_user Authentication Bypassing"

    Relevant Pages