Authentication Bypass Vulnerability in WebspotBlogging

Summary

Vulnerability
Authentication Bypass Vulnerability in WebspotBlogging
Discovered
2006.01.18
Last Update
2006.01.24 Vendor-provided patch is available now
ID
EV0041
CVE
CVE-2006-0324
Risk Level
high
Type
SQL Injection
Status
Patched
Vendor
n/a
Vulnerable Software
WebspotBlogging (http://www.webspot.co.uk/)
Version
3.0
PoC/Exploit
Available
Solution
Available
Discovered by
Aliaksandr Hartsuyeu (eVuln.com)

Description

SQL Injection found in WebspotBlogging (http://www.webspot.co.uk/) script.

Vulnerable script:
login.php

Variable $_POST[username] isn't properly sanitized before being used in a SQL query. This can be used to make any SQL query by injecting arbitrary SQL code.

Condition: magic_quotes_gpc - off

Administrator has an ability to import themes using php code insertion from Admin Control Panel.

System access is possible.

PoC/Exploit

SQL Injection Example:

Link: http://host/webspot/login.php
Username: aaaa' union select 1,2,3,1,1,6,7/*
Password: any

Solution.

Vendor-provided patch is available now.

Upgrade to 3.01 version or just replace "login.php" file by a new one.

http://sourceforge.net/project/showfiles.php?group_id=156586