Pligg 9.9.0 SQL Injection Vulnerability
Posted on 2008-04-09 00:48:39 in PornoSecurity
Today I wanted to try the Pligg digg-like content management system; after playing with it for a while I found a vulnerability.
The Pligg developers fail to sufficiently sanitize user-supplied data before using it in an SQL query, making it possible to inject extra SQL statements.
http://www.example.com/editlink.php?id=1+AND+((SELECT+user_pass+FROM+pligg_users+WHERE+user_login=0x676f64)+LIKE+0x25)+UNION+SELECT+10,2
To exploit this you need the id of a news item you submitted (10 in the example) and the id of a news item submitted by someone else (1 in the example); when the LIKE statement matches you get a "Not your link" error.
This is a typical blind SQL-injection scenario.
UPDATE:
While trying to write a little patch for a friend of mine I found many other security-related problems in Pligg. Many user-supplied variables are simply not checked, or are checked in the wrong way.
- The first case, editlink.php:

    // strip_tags() only removes HTML tags; SQL keywords and operators survive it
    if(isset($_GET['id'])){
        $theid = strip_tags($_GET['id']);
    }
    if(isset($_POST['id'])){
        $theid = strip_tags($_POST['id']);
    }
    [...]
    // $theid is concatenated straight into the WHERE clause
    $link = $db->get_row("SELECT link_id, link_author FROM " . table_links .
        " WHERE link_id=".$theid.";");
    [...]
    $linkres->id=$link_id = strip_tags($_POST['id']);
    $linkres->read();

  libs/link.php:

    function read($usecache = TRUE) {
        // $id comes from the caller unchanged and is interpolated into the query
        $id = $this->id;
        $link = $db->get_row("SELECT " . table_links . ".* FROM " . table_links
            . " WHERE link_id = $id");
    }
- Another one, vote.php:

    // here the id is not filtered at all before being handed to read_basic()
    $link->id=$_POST['id'];
    $link->read_basic();

  link/link.php:

    function read_basic() {
        [...]
        $id = $this->id;
        $db->get_row("SELECT link_comments, link_author, link_status, link_randkey, link_category, link_date, link_votes, link_karma,link_published_date FROM " . table_links . " WHERE link_id = $id");
    }
...and so on.
I really don't know why they insist on strip_tags() instead of a simple intval() ;)
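As an added example (not part of the original post and not Pligg's own code), here is a small Python checker that applies on the log side the same contract intval() would enforce in the application, the id parameter must be a plain integer, and flags requests to the scripts named above whose id carries anything else. The access-log lines, hosts and timestamps below are constructed for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Scripts the post names as passing ``id`` straight into a WHERE clause.
# vote.php reads id from POST, whose body is not in an access log, so in
# practice only the GET form on editlink.php is visible here.
ID_SCRIPTS = ("/editlink.php", "/vote.php")

# Request field of a combined-format access log: "METHOD TARGET HTTP/x.y"
REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample lines (hosts and timestamps are made up); the second
# one carries the blind-injection request shape shown in the post.
LOG = [
    '10.0.0.5 - - [09/Apr/2008:00:48:39 +0200] "GET /editlink.php?id=42 HTTP/1.1" 200 512',
    '10.0.0.9 - - [09/Apr/2008:00:49:02 +0200] "GET /editlink.php?id=1+AND+((SELECT+user_pass'
    '+FROM+pligg_users+WHERE+user_login=0x676f64)+LIKE+0x25)+UNION+SELECT+10,2 HTTP/1.1" 200 613',
    '10.0.0.9 - - [09/Apr/2008:00:49:10 +0200] "GET /index.php?page=2 HTTP/1.1" 200 2048',
]

def check_id_param(target):
    """Return (script, decoded id) if an id parameter is not a plain integer.

    This is the contract intval() would impose server-side; any other value
    in that parameter is at best a broken client and at worst an injection
    attempt. Returns None for other scripts or for a clean id.
    """
    parts = urlsplit(target)
    if parts.path not in ID_SCRIPTS:
        return None
    # parse_qs already turns '+' into spaces and decodes %xx sequences
    for raw in parse_qs(parts.query, keep_blank_values=True).get("id", []):
        if not re.fullmatch(r"\d+", raw):
            return parts.path, raw
    return None

def scan_log(lines):
    """Return [(line_no, script, decoded id)] for every suspicious request."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = REQ_RE.search(line)
        if m:
            hit = check_id_param(m.group("target"))
            if hit:
                hits.append((n, hit[0], hit[1]))
    return hits
```

Run against the sample, only line 2 is reported, with the decoded id showing the injected SELECT/UNION so an analyst sees the payload as the database would have received it.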