netVigilance Security Advisory #40
myBloggie version 2.1.6 Multiple SQL Injection Vulnerability

Description:
myBloggie (http://mywebland.com/mybloggie/) is considered one of the simplest, most user-friendly, yet feature-packed weblog systems available to date. It is built using PHP & mySQL, the web's most popular scripting language and database system, which enables myBloggie to be installed on any web server.
A security problem in the product allows attackers to commit SQL injection.

External References:
Mitre CVE: CVE-2007-1899 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1899
NVD NIST: CVE-2007-1899 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-1899
OSVDB:

Summary:
myBloggie is a weblog system built using PHP & mySQL, the web's most popular scripting language and database system, which enables myBloggie to be installed on any web server.
Successful exploitation requires PHP magic_quotes_gpc set to Off and register_globals set to “On”.

Advisory URL: http://www.netvigilance.com/advisory0040

Release Date: June 30th 2008

Severity/Risk: Medium

CVSS 2.0 Metrics
Access Vector: Network
Access Complexity: High
Authentication: Not-required
Confidentiality Impact: Partial
Integrity Impact: Partial
Availability Impact: Partial
CVSS 2.0 Base Score: 5.1
Target Distribution on Internet: Low
Exploitability: Functional Exploit
Remediation Level: Workaround
Report Confidence: Uncorroborated
Vulnerability Impact: Attack
Host Impact: SQL Injection.

SecureScout Testcase ID: TC 17969

Vulnerable Systems: myBloggie version 2.1.6

Vulnerability Type:
SQL injection allows malicious people to execute their own SQL scripts. This could be exploited to obtain sensitive data, modify database contents or acquire administrator's privileges.

Vendor: myWebland (http://mywebland.com/)

Vendor Status: The vendor was notified on April 9th 2007, but did not respond.

Workaround:
In the php.ini file, set magic_quotes_gpc = On and/or register_globals = Off.

Example:

SQL Injection Vulnerability 1:
Create an HTML file with the following content:
REQUEST: Browse this file and click on the button.
REPLY:
Category : [SQL INJECTION RESULT - ADMIN NAME] -> [SQL INJECTION RESULT - ADMIN PASSWORD]
Posted By : 1 | Comments[1] |

SQL Injection Vulnerability 2: (SQL Injection + XSS Attack Vulnerability)
Create an HTML file with the following content and place it, for example, on http://somedomain.com/file.html:
REQUEST: Induce a myBloggie admin to browse the malicious page. http://somedomain.com/file.html
REPLY: Page containing username and password for myBloggie admin account.

Credits:
Jesper Jurcenoks
Co-founder netVigilance, Inc
www.netvigilance.com
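
The Workaround section above can be checked mechanically. The following is an added example, not part of the original advisory or of myBloggie: it reads php.ini text and reports whether both settings the advisory names as required for exploitation are in effect. The function names, the two sample files and the assumed defaults for omitted directives are illustrative assumptions.

```python
import re

# Assumption: built-in defaults used when php.ini omits a directive
# (magic_quotes_gpc on, register_globals off).
DEFAULTS = {"magic_quotes_gpc": True, "register_globals": False}
TRUTHY = {"1", "on", "yes", "true"}   # spellings php.ini treats as enabled

def read_flags(ini_text):
    """Effective value of both directives; assumes the last assignment wins."""
    flags = dict(DEFAULTS)
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()      # ';' starts a comment
        m = re.match(r"([A-Za-z_.]+)\s*=\s*(.*)$", line)
        if m and m.group(1) in flags:            # directive names are case sensitive
            flags[m.group(1)] = m.group(2).strip().strip("\"'").lower() in TRUTHY
    return flags

def precondition_met(ini_text):
    """True when magic_quotes_gpc is Off and register_globals is On."""
    f = read_flags(ini_text)
    return (not f["magic_quotes_gpc"]) and f["register_globals"]

def advise(ini_text):
    """Directive changes (either one is enough) that apply the workaround."""
    if not precondition_met(ini_text):
        return []
    return ["magic_quotes_gpc = On", "register_globals = Off"]

# Constructed sample: the combination the advisory says exploitation requires.
WEAK_INI = """[PHP]
magic_quotes_gpc = Off
register_globals = "On"   ; quoted values are accepted
"""

# Constructed sample: one half of the workaround applied further down the file.
FIXED_INI = """[PHP]
magic_quotes_gpc = Off
register_globals = On
register_globals = Off    ; overrides the earlier line
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_INI), ("fixed", FIXED_INI)):
        print(name, read_flags(text), advise(text))
```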