[VIM] MyBloggie SQL injection vuln variant

Steven M. Christey coley at mitre.org
Wed Oct 5 17:08:43 EDT 2005


retrogod recently posted a null character / SQL injection issue in
myBloggie:

  http://marc.theaimsgroup.com/?l=bugtraq&m=112818273307878&w=2

The affected version is 2.1.3beta, the app is login.php, and the
parameter is username.  This is CAN-2005-3153.

This makes it sound like a rediscovery of an earlier post by OS2A:

  http://marc.theaimsgroup.com/?l=bugtraq&m=112607358831963&w=2

which also has the same version, app, and parameter; this is
CAN-2005-2838.

However, retrogod's description shows this source code extract:

	 // Security precaution - sean 03 sep 2005
  [!]	 if(ereg('[^A-Za-z0-9_]', $username)){

which is the fix for the older CAN-2005-2838.

So, the problem is that the fix is incomplete, and the retrogod issue
is really an interaction error / null character problem that, in this
case, happens to have resultant SQL injection.

In CVE's book, this makes it different enough to merit a new
candidate.

- Steve



======================================================
Candidate: CAN-2005-2838
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2838
Reference: BUGTRAQ:20050905 Vulnerability in myBloggie 2.1.3-beta and prior
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=112607358831963&w=2
Reference: CONFIRM:http://mywebland.com/forums/showtopic.php?t=399
Reference: BID:14739
Reference: URL:http://www.securityfocus.com/bid/14739
Reference: SECUNIA:16699
Reference: URL:http://secunia.com/advisories/16699
Reference: XF:mybloggie-login-sql-injection(22162)
Reference: URL:http://xforce.iss.net/xforce/xfdb/22162

SQL injection vulnerability in login.php in myBloggie 2.1.3-beta and
earlier allows remote attackers to execute arbitrary SQL commands via
the username parameter.


======================================================
Candidate: CAN-2005-3153
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3153
Reference: BUGTRAQ:20051001 MyBloggie 2.1.3beta null char + SQL Injection -> Login Bypass
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=112818273307878&w=2
Reference: MISC:http://rgod.altervista.org/mybloggie213b.html
Reference: SECTRACK:1014995
Reference: URL:http://securitytracker.com/id?1014995

login.php in MyBloggie 2.1.3 beta allows remote attackers to bypass a
regular expression check for invalid characters and conduct SQL
injection attacks via a null character in the username parameter, a
different vulnerability than CAN-2005-2838.
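
The interaction described above, as an added example that is not part of the original post and is not myBloggie code: PHP's ereg() is not binary-safe and treats the subject as a NUL-terminated string, which the C below models with POSIX regexec(). The function names and the sample input are constructed for illustration.

```c
/* Added illustration; not myBloggie code. Input below is constructed. */
#include <regex.h>
#include <stdio.h>
#include <string.h>

/* Mirrors the quoted check: reject if any character outside [A-Za-z0-9_]
 * is found. regexec() takes a C string, so it stops at the first NUL and
 * never sees the bytes after it. Returns 1 = accepted, 0 = rejected. */
int check_cstring(const char *buf, size_t len)
{
    regex_t re;
    int hit;
    (void)len;                       /* length is ignored: that is the flaw */
    if (regcomp(&re, "[^A-Za-z0-9_]", REG_EXTENDED | REG_NOSUB) != 0)
        return 0;                    /* fail closed */
    hit = (regexec(&re, buf, 0, NULL, 0) == 0);
    regfree(&re);
    return !hit;
}

/* Length-aware allowlist: walks every byte, so an embedded NUL is just
 * another disallowed byte. Also rejects empty input. */
int check_binary_safe(const char *buf, size_t len)
{
    size_t i;
    if (len == 0)
        return 0;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)buf[i];
        int ok = (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') ||
                 (c >= '0' && c <= '9') || c == '_';
        if (!ok)
            return 0;
    }
    return 1;
}

int main(void)
{
    /* Constructed sample: valid prefix, NUL, then a quote character. */
    static const char sample[] = "alice\0'";
    size_t len = sizeof(sample) - 1;   /* 7 bytes, NUL included */
    printf("cstring check:     %d\n", check_cstring(sample, len));
    printf("binary-safe check: %d\n", check_binary_safe(sample, len));
    return 0;
}
```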



