Authentication Bypass Vulnerability in WebspotBlogging
Summary
- Vulnerability
- Authentication Bypass Vulnerability in WebspotBlogging
- Discovered
- 2006.01.18
- Last Update
- 2006.01.24 Vendor-provided patch is available now
- ID
- EV0041
- CVE
- CVE-2006-0324
- Risk Level
- high
- Type
- SQL Injection
- Status
- Patched
- Vendor
- n/a
- Vulnerable Software
- WebspotBlogging (http://www.webspot.co.uk/)
- Version
- 3.0
- PoC/Exploit
- Available
- Solution
- Available
- Discovered by
- Aliaksandr Hartsuyeu (eVuln.com)
Description
SQL Injection found in WebspotBlogging (http://www.webspot.co.uk/) script.
Vulnerable script:
login.php
Variable $_POST[username] isn't properly sanitized before being used in a SQL query. This can be used to make any SQL query by injecting arbitrary SQL code.
Condition: magic_quotes_gpc - off
Administrator has an ability to import themes using php code insertion from Admin Control Panel.
System access is possible.
PoC/Exploit
SQL Injection Example:
Link: http://host/webspot/login.php
Username: aaaa' union select 1,2,3,1,1,6,7/*
Password: any
Solution.
Vendor-provided patch is available now.
Upgrade to 3.01 version or just replace "login.php" file by a new one.
http://sourceforge.net/project/showfiles.php?group_id=156586