[VIM] VERIFIED 3 SaralBlog issues
Steven M. Christey
coley at mitre.org
Fri Jan 20 19:09:25 EST 2006
I verified (source inspection) 3 SaralBlog issues.
Prompting reference: http://evuln.com/vulns/40/summary.html
The id/viewprofile.php vector was already announced by r0t in
CVE-2005-4058.
========= id/viewprofile.php SQL injection
> include "sql.php";
> include "functions.php";
> include "header.php";
>
> $sql = "SELECT * FROM `users` WHERE `id` =".$id."";
> $rs=mysql_query($sql,$conn);
$id is not defined before this code is reached.
========= searc/search.php SQL injection
The "Exploit" section of the evuln reference lists:
> 2. SQL Injection Example (gpc_magic_quotes: off)
>
> Search:
> aaaaa') union select 1,2,3,4,5,6/*
This was traced to a form in footer.php:
> <div id="blogtitle">Search</div>
> <form action="search.php" method="post">
> <input type="text" name="search" size="10" value="" /><input type="submit" value="Submit" />
and if you look in search.php:
> $sql = "SELECT * FROM posts WHERE MATCH (Subject,Text) AGAINST('".$search."')";
> $rs=mysql_query($sql,$conn);
========= XSS website / comment
This took a teeny bit because it is "stored" XSS instead of reflected.
Note that there's another vector where it prompts for Website:,
related to profile editing, but that vector seems clean.
Anyway...
In functions.php:
> function comments ($newsid, $conn) {
>
> ...
>
> echo '<form action="view.php" method="post">';
> ...
> echo '<b>Website:</b><br />';
> echo '<input type="text" name="website" value="http://" size="30"/><br />';
And in view.php:
> if ($action == "post") {
> ...
> $website = htmlspecialchars($website);
> ...
> $sql = "insert into comments (newsid, time, author, comment, website, email) values (\"$newsid\",\"$time\",\"$author\",\"$Text\", \"$website\", \"$email\")";
So on first inspection this vector SEEMS clean, but note that with the
input:
javascript:alert(123)
nothing would get quoted.
Then back to functions.php in the comments() function we read from the
DB:
> function comments ($newsid, $conn) {
> global $_COOKIE;
> $sql = "select * from comments WHERE newsid=\"$newsid\" order by id ASC";
> $rs=mysql_query($sql,$conn);
>
> while ($row = mysql_fetch_array($rs)) {
> ...
> if ($row["website"]) { echo " | <a href='".$row["website"]."' target='_blank'>Website</a>"; }
So, this would produce
<a href='javascript:alert(123)' target='_blank'>Website</a>
QED.
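A hardened rendering of that "Website" link, added here as an example (not SaralBlog's code and not part of the original post), assuming the same $row["website"] column and the same single-quoted attribute markup; the point it demonstrates is that htmlspecialchars() alone cannot make a URL safe in href, so the scheme has to be allow-listed before escaping:

```php
<?php
// Added example, not SaralBlog code: hardened rendering of the stored
// "website" field that the comments() function in functions.php emits.

/**
 * Return a safe absolute http(s) URL, or null if the value must not be
 * emitted as a link. Escaping alone is not enough: "javascript:alert(123)"
 * contains no character that htmlspecialchars() would touch.
 */
function safe_website_url(string $raw): ?string {
    $url = trim($raw);
    if ($url === '' || $url === 'http://') {      // empty or untouched form default
        return null;
    }
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;                              // malformed, relative, or "javascript:..."
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;                              // allow-list schemes, never deny-list them
    }
    return $url;
}

/** Replacement for the echo in comments(): render the link for one row, or nothing. */
function website_link(array $row): string {
    $url = safe_website_url((string) ($row['website'] ?? ''));
    if ($url === null) {
        return '';
    }
    // ENT_QUOTES matters here because the original markup single-quotes the attribute.
    $href = htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
    return " | <a href='" . $href . "' target='_blank' rel='noopener noreferrer'>Website</a>";
}

// Constructed sample rows standing in for mysql_fetch_array() results.
$rows = [
    ['website' => 'http://example.com/blog?a=1&b=2'],   // rendered, with & escaped
    ['website' => 'javascript:alert(123)'],            // the vector from the post: no link
    ['website' => 'http://'],                           // untouched form default: no link
];
foreach ($rows as $row) {
    echo website_link($row), "\n";
}
```

Only the first row produces a link; the second and third print an empty line, which is the behaviour the original code lacks.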