[VIM] MyBloggie SQL injection vuln variant
Steven M. Christey
coley at mitre.org
Wed Oct 5 17:08:43 EDT 2005
retrogod recently posted a null character / SQL injection issue in
myBloggie:
http://marc.theaimsgroup.com/?l=bugtraq&m=112818273307878&w=2
The affected version is 2.1.3beta, the app is login.php, and the
parameter is username. This is CAN-2005-3153.
This makes it sound like a rediscovery of an earlier post by OS2A:
http://marc.theaimsgroup.com/?l=bugtraq&m=112607358831963&w=2
which also has the same version, app, and parameter; this is
CAN-2005-2838.
However, retrogod's description shows this source code extract:
// Security precaution - sean 03 sep 2005
[!] if(ereg('[^A-Za-z0-9_]', $username)){
which is the fix for the older CAN-2005-2838.
So, the problem is that the fix is incomplete, and the retrogod issue
is really an interaction error / null character problem that, in this
case, happens to have resultant SQL injection.
In CVE's book, this makes it different enough to merit a new
candidate.
- Steve
======================================================
Candidate: CAN-2005-2838
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2838
Reference: BUGTRAQ:20050905 Vulnerability in myBloggie 2.1.3-beta and prior
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=112607358831963&w=2
Reference: CONFIRM:http://mywebland.com/forums/showtopic.php?t=399
Reference: BID:14739
Reference: URL:http://www.securityfocus.com/bid/14739
Reference: SECUNIA:16699
Reference: URL:http://secunia.com/advisories/16699
Reference: XF:mybloggie-login-sql-injection(22162)
Reference: URL:http://xforce.iss.net/xforce/xfdb/22162
SQL injection vulnerability in login.php in myBloggie 2.1.3-beta and
earlier allows remote attackers to execute arbitrary SQL commands via
the username parameter.
======================================================
Candidate: CAN-2005-3153
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3153
Reference: BUGTRAQ:20051001 MyBloggie 2.1.3beta null char + SQL Injection -> Login Bypass
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=112818273307878&w=2
Reference: MISC:http://rgod.altervista.org/mybloggie213b.html
Reference: SECTRACK:1014995
Reference: URL:http://securitytracker.com/id?1014995
login.php in MyBloggie 2.1.3 beta allows remote attackers to bypass a
regular expression check for invalid characters and conduct SQL
injection attacks via a null character in the username parameter, a
different vulnerability than CAN-2005-2838.
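
The incomplete-fix interaction described in the message above, as an added example that is not part of the original post or of myBloggie's code. It assumes the character-class check behaves like a POSIX regexec() call on a NUL-terminated string while the value keeps its full length elsewhere; the function names and the sample bytes are constructed for illustration.

```c
#include <regex.h>
#include <stddef.h>
#include <stdio.h>

/* Same character class as the check quoted in the post. */
static const char *INVALID_CLASS = "[^A-Za-z0-9_]";

/* Models a check that is not binary-safe (assumption, hypothetical name):
 * regexec() reads a NUL-terminated string, so bytes after the first NUL
 * are never examined. Returns 1 if the value is accepted. */
int accept_cstring_regex(const char *buf, size_t len)
{
    regex_t re;
    (void)len; /* the declared length is ignored: this is the defect */
    if (regcomp(&re, INVALID_CLASS, REG_EXTENDED | REG_NOSUB) != 0)
        return 0; /* fail closed if the pattern cannot be compiled */
    int found_invalid = (regexec(&re, buf, 0, NULL, 0) == 0);
    regfree(&re);
    return !found_invalid;
}

/* Hardened form (hypothetical name): allow-list every byte up to the
 * declared length, so an embedded NUL is itself rejected. */
int accept_binary_safe(const char *buf, size_t len)
{
    if (len == 0)
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)buf[i];
        int ok = (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') ||
                 (c >= '0' && c <= '9') || c == '_';
        if (!ok)
            return 0;
    }
    return 1;
}

/* Constructed sample: five valid bytes, a NUL, then a single quote. */
static const char SAMPLE[] = "admin\0'";
#define SAMPLE_LEN (sizeof(SAMPLE) - 1)

int main(void)
{
    printf("C-string regex check accepts: %d\n",
           accept_cstring_regex(SAMPLE, SAMPLE_LEN));
    printf("binary-safe check accepts:    %d\n",
           accept_binary_safe(SAMPLE, SAMPLE_LEN));
    return 0;
}
```

Validation narrows what reaches the query; binding username as a query parameter removes the dependence on the filter being complete.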