[UNIX] myBloggie SQL Injection/Privilege Escalation

The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -



  myBloggie SQL Injection/Privilege Escalation
------------------------------------------------------------------------


SUMMARY

 <http://mybloggie.mywebland.com/> myBloggie is "a Weblog system built 
using PHP and mySQL".

myBloggie vulnerable to SQL injection vulnerability caused by improper 
validation of user-supplied inputs. This vulnerability can be exploited to 
bypass authentication mechanism, escalate the privileges to administrator 
level and also made to reveal system specific information.

DETAILS

Vulnerable Systems:
 * myBloggie versions 2.1.3-beta and prior

User supplied credential inputs ('$username' and '$passwd') are not 
sanitized in login.php before subjecting them to SQL query.

Vulnerable code:
<----------------------------login.php 
snippet--------------------------------->
if (isset($_POST['username'])) {
$username=$_POST['username'];
} else $username="";

$result = mysql_query( "SELECT user FROM ".USER_TBL." WHERE 
user='$username'
                  AND password='$passwd'" ) or error( mysql_error() );
<--------------------------------------------------------------------------->

This can be exploited in multiple ways,
1. Authentication Bypass: A malicious user can log on to the weblog system 
without submitting the password by placing queries such as this "admin' OR 
'x'='x" in the User Name field.
2. Privilege Escalation: When a non-administrative user submits, for 
example "user1' OR 'x'='x", into the User Name field, administrative 
privileges will be granted.
3. Path Disclosure: Path information can be made to disclose in error 
pages by passing invalid query to User Name field of login.php.

Proof of Concept:
POST http://example.com/mybloggie/login.php?username=admin' OR 'x'='x
POST http://example.com/mybloggie/login.php?username=normal_user' OR 
'one'='one
POST http://example.com/mybloggie/login.php?username='1=1 --

Patch Availability:
Patch:  <http://mywebland.com/forums/showtopic.php?t=399> 
http://mywebland.com/forums/showtopic.php?t=399

Disclosure Timeline:
 * 01.09.05 - Issue Discovered
 * 02.09.05 - Reported to the vendor
 * 03.09.05 - Patch Released
 * 05.09.05 - Advisory Released


ADDITIONAL INFORMATION

The information has been provided by  <mailto:os2a.bto@xxxxxxxxx> 
os2a.bto.



======================================== 


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: 
list-unsubscribe@xxxxxxxxxxxxxx 
In order to subscribe to the mailing list, simply forward this email to: 
list-subscribe@xxxxxxxxxxxxxx 


==================== 
==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages.