Authentication Bypass in miniBloggie

Summary

Vulnerability
Authentication Bypass in miniBloggie
Discovered
2006.01.23
Last Update
0 n/a
ID
EV0047
CVE
CVE-2006-0417
Risk Level
medium
Type
SQL Injection
Status
Unpatched
Vendor
myWebland (http://mywebland.neopages.net/)
Vulnerable Software
miniBloggie
Version
1.0
PoC/Exploit
Available
Solution
Not available
Discovered by
Aliaksandr Hartsuyeu (eVuln.com)

Description

SQL Injection found in miniBloggie script.

Vulnerable scripts:
login.php

Username and password isn't properly sanitized before being used in a SQL query. This can be used to log in as administrator without password.

Condition: magic_quotes_gpc: off

PoC/Exploit

Login Page:
http://host/minibloggie/login.php

User Name: ' or 1/*
Password: ' or 1/*

Solution.

Solution for "Authentication Bypass in miniBloggie" is not available. Check myWebland website for updates.