[VIM] Verified Bit 5 Blog 8.01 SQL injection

Steven M. Christey coley at mitre.org
Wed Jan 18 19:45:55 EST 2006


Re: BUGTRAQ:20060115 [eVuln] Bit 5 Blog SQL Injection & Authentication
Bypass Vulnerability


I was able to verify this via source inspection, *BUT* only for
version 8.0, as version 8.01 did not seem available for download from
http://bit5blog.sourceforge.net/download.html


In version 8.0, admin/processlogin.php has:

>	$query = "SELECT * FROM " . SQLUSERS;
>	$query .= " WHERE userid = '" . $_POST["username"] . "'";
>	$query .= " AND password = '" . $_POST["password"] . "'";
>	//echo $query . "<br>\n";
>	$result = dbcaller($query);

and dbcaller in include/functions.php does:

> function dbcaller($arg)
> ...
>         $result = mysql_query($arg);
> ...


- Steve
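
The construction quoted above, next to a parameterized form, as an added example that is not part of the original post and not Bit 5 Blog's own code. The in-memory SQLite database (requires the pdo_sqlite extension), the `users` table, the `password_hash` column, both function names and the sample account are assumptions made up for illustration.

```php
<?php
// Constructed schema and account for the example; not Bit 5 Blog's real tables.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (userid TEXT PRIMARY KEY, password_hash TEXT NOT NULL)");
$ins = $db->prepare("INSERT INTO users (userid, password_hash) VALUES (?, ?)");
$ins->execute(["o'brien", password_hash('constructed-pass', PASSWORD_DEFAULT)]);

// Same pattern as admin/processlogin.php: request data is pasted between
// quote characters, so the data decides where each string literal ends.
function build_concatenated_query(string $username, string $password): string
{
    $query  = "SELECT * FROM users";
    $query .= " WHERE userid = '" . $username . "'";
    $query .= " AND password = '" . $password . "'";
    return $query;
}

// Hardened form (hypothetical helper): the placeholder keeps the username as
// data, and the password is verified against a stored hash in PHP instead of
// being compared inside the SQL text.
function check_login(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare("SELECT password_hash FROM users WHERE userid = :userid");
    $stmt->execute([':userid' => $username]);
    $hash = $stmt->fetchColumn();   // false when no row matched
    return is_string($hash) && password_verify($password, $hash);
}

// An ordinary name containing an apostrophe is enough to change the
// statement's structure in the concatenated version: the literal ends early.
echo build_concatenated_query("o'brien", "constructed-pass"), "\n";

// The parameterized version treats the same name as plain data.
var_dump(check_login($db, "o'brien", "constructed-pass"));
var_dump(check_login($db, "o'brien", "wrong-pass"));
var_dump(check_login($db, "nobody", "constructed-pass"));
```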

